Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
- From: Heikki Linnakangas <heikki(at)enterprisedb(dot)com>
- To: Lars Olson <leolson1(at)uiuc(dot)edu>
- Cc: pgsql-bugs(at)postgresql(dot)org
- Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
- Date: Mon, 31 Mar 2008 22:36:54 +0100
- Message-id: <47F15976.50007@enterprisedb.com> <text/plain>
Lars Olson wrote:
Creating a view that depends on the value of SESSION_USER enables a
minimally-privileged user to write a user-defined function that contains a
trojan-horse to get arbitrary data from the base table. Using CURRENT_USER
instead still enables a similar vulnerability.
To reproduce the problem, create three users, alice (base table owner), bob
(attacker), and carol (other minimally-privileged user). As Alice, create
the following table and view:
...
This seems to be an instance of the general trojan-horse problem
discussed here:
http://archives.postgresql.org/pgsql-hackers/2008-01/msg00268.php
In a nutshell, it's just not safe to access a view or function owned by
a user you don't trust. :-(
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
Home |
Main Index |
Thread Index