Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-11T21:37:11Z
Lists: pgsql-hackers
On Tue, 2024-06-11 at 15:24 +0530, Ashutosh Sharma wrote: > 3) When the ALTER EXTENSION SET SCHEMA command is executed and if the > function's search_path contains the old schema of the extension, it > is > updated with the new schema. I don't think it's reasonable to search-and-replace within a function's SET clause at ALTER time. I believe we need a new special search_path item, like "$extension_schema", to mean the schema of the extension owning the function. It would, like "$user", automatically adjust to the current value when changed. That sounds like a useful and non-controversial change. Regards, Jeff Davis