
Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe

From: "Lars E(dot) Olson" <leolson1(at)uiuc(dot)edu>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Date: 2008-03-31 21:58:28
Message-ID: 20080331165828.BDT11356@expms2.cites.uiuc.edu
Lists: pgsql-bugs
I didn't realize this was a public mailing list; I posted this report at 
http://www.postgresql.org/support/submitbug and thought that it would 
only be reported internally.

I agree with your analysis, although Carol may or may not be aware that 
she is executing any functions at all.  But in any case, Heikki 
Linnakangas' observation that you shouldn't even access untrusted views 
clearly applies here.  Thank you both for your prompt replies.

Tom Lane wrote:
> "Lars Olson" <leolson1(at)uiuc(dot)edu> writes:
>> Creating a view that depends on the value of SESSION_USER enables a
>> minimally-privileged user to write a user-defined function that contains a
>> trojan-horse to get arbitrary data from the base table.
> 
> This example proves nothing except that you shouldn't execute untrusted
> code --- Carol gave up her data by willingly executing Bob's function.
> I don't think that the use of SESSION_USER is particularly to blame.
> There are certainly any number of other ways Bob could have abused
> her trust here.
> 
>> This is highly related to a paper I am preparing for a security conference
>> that I am submitting in two weeks.  Sorry about the short notice, I only
>> just thought of this problem yesterday.  I would like to use this as an
>> example in my paper, but I will not do so without PostgreSQL's permission. 
>> Please advise.
> 
> If this were a security issue, you already spilled the beans by
> reporting it to a public mailing list; so I'm unsure what you are
> concerned about.
> 
> 			regards, tom lane

