Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: Jeff Davis <pgsql@j-davis.com>, John H <johnhyvr@gmail.com>, Alexander Kukushkin <cyberdemn@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-07-16T16:09:51Z
Lists: pgsql-hackers
On Tue, Jul 16, 2024 at 1:55 AM Ashutosh Sharma <ashu.coek88@gmail.com> wrote:
> Just to confirm, are you suggesting to remove the protected flag and
> set the default search_path (as $extension_schema,) for all functions
> within an extension where no explicit search_path is set?

No, I'm not saying that. In fact I'm not sure we should have the
protected flag at all.

> In addition
> to that, also allow users to explicitly set $extension_schema as the
> search_path and bypass resolution of $extension_schema for objects
> outside the extension?

Yes, I'm saying that.

-- 
Robert Haas
EDB: http://www.enterprisedb.com