Re: Fix search_path for all maintenance commands
David G. Johnston <david.g.johnston@gmail.com>
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Gurjeet Singh <gurjeet@singh.im>
Cc: Jeff Davis <pgsql@j-davis.com>, pgsql-hackers@postgresql.org, Nathan Bossart <nathandbossart@gmail.com>,
Robert Haas <robertmhaas@gmail.com>, Noah Misch <noah@leadboat.com>, Greg Stark <stark@mit.edu>,
Tom Lane <tgl@sss.pgh.pa.us>
Date: 2023-07-13T21:07:27Z
Lists: pgsql-hackers
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Fix search_path to a safe value during maintenance operations.
- 2af07e2f749a 17.0 landed
- 05e173735171 16.0 landed
-
Make relation-enumerating operations be security-restricted operations.
- a117cebd638d 15.0 cited
On Thu, Jul 13, 2023 at 2:00 PM Gurjeet Singh <gurjeet@singh.im> wrote: > On Thu, Jul 13, 2023 at 1:37 PM David G. Johnston > <david.g.johnston@gmail.com> wrote: > > > > I'm against simply breaking the past without any recourse as what we > did for pg_dump/pg_restore still bothers me. > > I'm sure this is tangential, but can you please provide some > context/links to the change you're referring to here. > > Here is the instigating issue and a discussion thread on the aftermath: https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path https://www.postgresql.org/message-id/flat/13033.1531517020%40sss.pgh.pa.us#2aa2e25816d899d62f168926e3ff17b1 David J.