Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Jeff Davis <pgsql@j-davis.com>
From: Jeff Davis <pgsql@j-davis.com>
To: Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-12T19:10:29Z
Lists: pgsql-hackers
On Wed, 2024-06-12 at 12:13 +0530, Ashutosh Bapat wrote: > > Alternatively, we could leverage the extension dependency > > information > > to determine whether the function is created by an extension or > > not. > > That will be simpler. We do that sort of thing for identity > sequences. So there's a precedent to do that kind of stuff. I did not look at the details, but +1 for using information we already have. There's a little bit of extra work to resolve it, but thanks to the search_path cache it should only need to be done once per unique search_path setting per session. Regards, Jeff Davis