Re: Fix search_path for all maintenance commands

Jeff Davis <pgsql@j-davis.com>

From: Jeff Davis <pgsql@j-davis.com>
To: Nathan Bossart <nathandbossart@gmail.com>, Noah Misch <noah@leadboat.com>
Cc: "David G. Johnston" <david.g.johnston@gmail.com>, Gurjeet Singh <gurjeet@singh.im>, pgsql-hackers@postgresql.org, Robert Haas <robertmhaas@gmail.com>, Greg Stark <stark@mit.edu>, Tom Lane <tgl@sss.pgh.pa.us>
Date: 2023-07-17T19:16:25Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Fix search_path to a safe value during maintenance operations.

  2. Make relation-enumerating operations be security-restricted operations.

On Mon, 2023-07-17 at 10:58 -0700, Nathan Bossart wrote:
> On Sat, Jul 15, 2023 at 02:13:33PM -0700, Noah Misch wrote:
> > The 2018 security fixes instigated many function repairs that
> > $SUBJECT would
> > otherwise instigate.  That wasn't too painful.  The net new pain of
> > $SUBJECT
> > will be less, since the 2018 security fixes prepared the path. 
> > Hence, I
> > remain +1 for the latest Davis proposal.
> 
> I concur.

Based on feedback, I plan to commit soon.

Tom's objection seemed specific to v16, and Robert's concern seemed to
be about having the MAINTAIN privilege without this patch. If I missed
any objections to this patch, please let me know.

If we hear about breakage that suggests we need an escape hatch GUC, we
have time to add one later.

I remain open to considering more complete fixes for the search_path
problems.

Regards,
	Jeff Davis