| From: | "Merlin Moncure" <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Stephen Frost" <sfrost(at)snowman(dot)net>, "Peter Eisentraut" <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Fixing insecure security definer functions |
| Date: | 2007-02-16 13:44:18 |
| Message-ID: | b42b73150702160544v6d82ef0du41acbf5823be41f4@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 2/15/07, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Merlin Moncure" <mmoncure(at)gmail(dot)com> writes:
> > yikes!
>
> > If you guys go through with forcing functions to attach to objects
> > when they are created, it will break almost every project I've ever
> > worked on :(. The schema/function combo fits into all kinds of de
> > facto partitioning strategies and organization methods.
>
> If you read a bit further, I did suggest providing an option to retain
> the current behavior. I don't think it should be the default though.
Yeah, I saw that, but the issue is really deeper, functions that
create functions, etc. changing the default behavior affects how
functions work in a really fundamental way...all pl/pgsql code that
can float over schemas would have to be checked. In the worst case,
this could mean converting large libraries to dynamic sql or creating
thousands of additional functions...ugh.
Maybe there could be a GUC setting(function default function schema
path=current path/path null)? It would seem only appropriate to have
security definer raise a warning/error for path null though. Then we
could debate about how that should be set by default but nobody really
loses that argument.
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2007-02-16 13:59:48 | buildfarm failure in XML code |
| Previous Message | Peter Eisentraut | 2007-02-16 12:19:55 | Re: patch adding new regexp functions |