On Wed, 14 Feb 2007, Peter Eisentraut wrote:
> By installing functions or operators with appropriate signatures in
> other schemas, users can then redirect any function or operator
> call in the function code to implementations of their choice
> [snip]
> The proper fix for this problem is to inser
On Wednesday, 14 February 2007 16:31, Merlin Moncure wrote:
> Could you clarify what functions are going to get an explicit 'set
> search_path'? Will this change the behavior of any userland
> functions?
Nothing is going to "get" anything. You have to fix all affected functions
yourself.
--
P
On 2/13/07, Peter Eisentraut <[EMAIL PROTECTED]> wrote:
> The proper fix for this problem is to insert explicit SET search_path
> commands into each affected function to produce a known safe schema
> search path. Note that using the default search path, which includes a
> reference to the "$user" schema
It has come to the attention of the core team of the PostgreSQL project
that insecure programming practice is widespread in SECURITY DEFINER
functions. Many of these functions are exploitable in that they allow
users that have the privilege to execute such a function to execute
arbitrary code