On Sat, Nov 6, 2010 at 11:36 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Martijn van Oosterhout <klep...@svana.org> writes: >> On Fri, Nov 05, 2010 at 09:01:50PM -0400, Robert Haas wrote: >>> I see that there could be a problem here with SECURITY DEFINER >>> functions, but I'm not clear whether it goes beyond that? > >> IIRC correctly it's because even unpriveledged users can make things in >> the pg_temp schema and it's implicitly at the front of the search_path. >> There was a CVE about this a while back, no? > > Yeah, we changed that behavior as part of the fix for CVE-2007-2138. > You'd need either SECURITY DEFINER functions or very careless use of > SET ROLE/SET SESSION AUTHORIZATION for the issue to be exploitable.
Would it be practical to let foo() potentially mean pg_temp.foo() outside of any SECURITY DEFINER context? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
