Re: Re: [GENERAL] [ANNOUNCE] Advisory on possibly insecure security definer functions

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tatsuo Ishii <ishii(at)postgresql(dot)org>
Cc: pgsql-hackers(at)postgresql(dot)org, peter_e(at)gmx(dot)net
Subject: Re: Re: [GENERAL] [ANNOUNCE] Advisory on possibly insecure security definer functions
Date: 2007-02-17 18:23:38
Message-ID: 20545.1171736618@sss.pgh.pa.us
Lists: pgsql-general pgsql-hackers

Tatsuo Ishii <ishii(at)postgresql(dot)org> writes:
> I looked into this more and I think I'm afraid the proposed solution
> actually does not work for SQL functions. For example,

> CREATE OR REPLACE FUNCTION foo(INTEGER, INTEGER) RETURNS INTEGER AS $$
> SET search_path To pg_catalog,public;
> SELECT mod($1,$2);
> $$ LANGUAGE sql SECURITY DEFINER;

> If an attacker creates public.mod() to do something bad and overrides
> his search_path to public,pg_catalog before executing foo(), his
> attack will succeed, since the call to mod() is resolved at plan
> time; thus it will be resolved to public.mod rather than
> pg_catalog.mod.

True, because the SQL-function code runs parse analysis for the whole
function body before executing any of it. We could fix it by doing
parse-analyze/plan/execute one statement at a time, which would make
SQL functions work more like multi-statement strings submitted by a
client application. Just a day or two ago there was someone complaining
that they couldn't create and use a temp table in the same SQL function,
due to this same behavior; and I recall similar gripes in the past.
Maybe it's time to change it.

regards, tom lane
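
A defensive sketch of the issue discussed above, added here as an example and not part of the original message: a form of foo() that does not depend on the caller's search_path, followed by a catalog query that lists SECURITY DEFINER functions with no pinned search_path. It assumes PostgreSQL 8.3 or later for the function-level SET clause and pg_proc.proconfig, and 8.4 or later for unnest() and pg_get_function_identity_arguments(); foo() is the function from the quoted message.

```sql
-- Hardened form of the quoted function (added example).
-- 1. The call is schema-qualified, so name resolution during parse
--    analysis cannot pick up public.mod() whatever the caller's path is.
-- 2. The search_path is attached to the function itself instead of being
--    set by a statement inside the body; it is applied on function entry,
--    before the body is parsed. pg_temp is listed last explicitly so that
--    temporary objects are never searched first.
CREATE OR REPLACE FUNCTION foo(INTEGER, INTEGER) RETURNS INTEGER AS $$
    SELECT pg_catalog.mod($1, $2);
$$ LANGUAGE sql SECURITY DEFINER
   SET search_path = pg_catalog, pg_temp;

-- Audit: SECURITY DEFINER functions that have no function-level
-- search_path setting. Each row is a candidate for review; a function
-- listed here resolves unqualified names using whatever search_path
-- is in effect for the caller.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS function_name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS arguments,
       l.lanname                                  AS language,
       pg_catalog.pg_get_userbyid(p.proowner)     AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_language  l ON l.oid = p.prolang
WHERE p.prosecdef
  AND NOT EXISTS (
        -- proconfig holds entries of the form 'name=value'
        SELECT 1
        FROM pg_catalog.unnest(coalesce(p.proconfig, '{}'::text[])) AS c(setting)
        WHERE pg_catalog.split_part(c.setting, '=', 1) = 'search_path')
ORDER BY schema_name, function_name;
```

A function that the audit query lists may still be safe if every reference in its body is schema-qualified, so treat the output as a review list and not as proof of a flaw.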
