Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Ashutosh Sharma <ashu.coek88@gmail.com>
From: Ashutosh Sharma <ashu.coek88@gmail.com>
To: Alexander Kukushkin <cyberdemn@gmail.com>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>, Jeff Davis <pgsql@j-davis.com>, Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-11T13:27:16Z
Lists: pgsql-hackers
Hi Alexander, On Tue, Jun 11, 2024 at 6:26 PM Alexander Kukushkin <cyberdemn@gmail.com> wrote: > > Hi, > > On Tue, 11 Jun 2024 at 14:50, Ashutosh Sharma <ashu.coek88@gmail.com> wrote: >> >> If the author has configured the search_path for any desired function, >> using this option with the CREATE EXTENSION command will not affect >> those functions. > > > Then effectively this feature is useless. > Now attackers can just set search_path for the current session. > With this feature they will also be able to influence search_path of not protected functions when they create an extension. > Apologies for any confusion, but I'm not entirely following your explanation. Could you kindly provide further clarification? Additionally, would you mind reviewing the problem description outlined in the initial email? -- With Regards, Ashutosh Sharma.