Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

Jeff Davis <pgsql@j-davis.com>

From: Jeff Davis <pgsql@j-davis.com>
To: Alexander Kukushkin <cyberdemn@gmail.com>, Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>, Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-11T21:31:39Z
Lists: pgsql-hackers
On Tue, 2024-06-11 at 14:56 +0200, Alexander Kukushkin wrote:
> Now attackers can just set search_path for the current session.

IIUC, the proposal is that only the function's "SET" clause can
override the behavior, not a top-level SET command.

Regards,
	Jeff Davis