Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions

Alexander Kukushkin <cyberdemn@gmail.com>

From: Alexander Kukushkin <cyberdemn@gmail.com>
To: Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>, Jeff Davis <pgsql@j-davis.com>, Ashutosh Bapat <ashutosh.bapat.oss@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-06-11T12:56:26Z
Lists: pgsql-hackers
Hi,

On Tue, 11 Jun 2024 at 14:50, Ashutosh Sharma <ashu.coek88@gmail.com> wrote:

> If the author has configured the search_path for any desired function,
> using this option with the CREATE EXTENSION command will not affect
> those functions.
>

Then effectively this feature is useless.
Now attackers can just set search_path for the current session.
With this feature they will also be able to influence search_path of not
protected functions when they create an extension.

Regards,
--
Alexander Kukushkin