| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Fixing insecure security definer functions |
| Date: | 2007-05-29 02:38:51 |
| Message-ID: | 20070529023851.GP7531@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> I would like to fix this for 8.3. I don't have a patch yet but want
> to get buy-in on a design before feature freeze. I propose the
> following, fully-backward-compatible design:
[...]
> Comments?
In talking w/ Jeff Davis on IRC today, another thought occurred to us at
about the same time when thinking about this PATH option to CREATE
FUNCTION in relation to packages (in this specific case, PostGIS).
It would be useful to have a function which could be passed a relative
(to the caller's search path) object name and would return the fully
qualified name of that object. In this way, functions could be written
which take relative arguments from the user but *only* those explicitly
checked for.
ie:
CREATE FUNCTION myfunc(text) RETURNS NULL AS
$_$
declate
relative_name alias for $1;
full_name text;
myval int;
begin;
full_name := pg_getfullpath(relative_name);
myval := select val from full_name;
end;
$_$
WITH PATH 'pkg_schema,pg_catalog'
LANG 'plpgsql';
Personally, I really like this idea and it'd handle the specific
use-cases I was expecting to have to use 'PATH NONE' for, but in a much
better, cleaner and clearer way.
On the flip side, I'm not sure how easy that's going to be to get given
the implementation you were describing...
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2007-05-29 02:45:28 | Re: Fixing insecure security definer functions |
| Previous Message | Tom Lane | 2007-05-29 02:30:38 | Re: CREATE TABLE LIKE INCLUDING INDEXES support |