Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions
Ashutosh Sharma <ashu.coek88@gmail.com>
From: Ashutosh Sharma <ashu.coek88@gmail.com>
To: Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Jeff Davis <pgsql@j-davis.com>,
Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-11T12:49:56Z
Lists: pgsql-hackers
Hi, On Tue, Jun 11, 2024 at 5:02 PM Jelte Fennema-Nio <postgres@jeltef.nl> wrote: > > On Tue, 11 Jun 2024 at 11:54, Ashutosh Sharma <ashu.coek88@gmail.com> wrote: > > 1) Extends the CREATE EXTENSION command to support a new option, SET > > SEARCH_PATH. > > > I don't think it makes sense to add such an option to CREATE EXTENSION. > I feel like such a thing should be part of the extension control file > instead. That way the extension author controls the search path, not > the person that installs the extension. If the author has configured the search_path for any desired function, using this option with the CREATE EXTENSION command will not affect those functions. -- With Regards, Ashutosh Sharma.