Re: Robert Haas > I don't think this is sufficient to fix the problem. We have built-in > functions that are unsafe. These include LO functions like loread(), > lowrite(), lo_unlink(); functions that change session state like > set_config() and setseed(); functions that allow arbitrary query > execution like query_to_xml(); slot-manipulation functions like > pg_drop_replication_slot(); and maybe other things.
That was my thought as well - if user defined functions are disallowed, just put the exploit code into the expression. Turns out that doesn't work: =# create table pwn (id int, pwn boolean generated always as (pg_reload_conf())); ERROR: 42P17: generation expression is not immutable So the question is, are all built-in *immutable* functions safe? Extending the idea, perhaps the check could be moved to run-time and recursively check that only immutable functions are called, including user-defined immutable functions? Christoph
