From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Lars Olson" <leolson1(at)uiuc(dot)edu> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe |
Date: | 2008-03-31 21:46:48 |
Message-ID: | 24862.1207000008@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs pgsql-www |
"Lars Olson" <leolson1(at)uiuc(dot)edu> writes:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table.
This example proves nothing except that you shouldn't execute untrusted
code --- Carol gave up her data by willingly executing Bob's function.
I don't think that the use of SESSION_USER is particularly to blame.
There are certainly any number of other ways Bob could have abused
her trust here.
> This is highly related to a paper I am preparing for a security conference
> that I am submitting in two weeks. Sorry about the short notice, I only
> just thought of this problem yesterday. I would like to use this as an
> example in my paper, but I will not do so without PostgreSQL's permission.
> Please advise.
If this were a security issue, you already spilled the beans by
reporting it to a public mailing list; so I'm unsure what you are
concerned about.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Lars E. Olson | 2008-03-31 21:58:28 | Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe |
Previous Message | Tom Lane | 2008-03-31 21:41:23 | Re: BUG #4073: ERROR: invalid input syntax for type timestamp: "Sat Mar 29 04:47:06 WEST 2008" |
From | Date | Subject | |
---|---|---|---|
Next Message | Dave Page | 2008-03-31 22:04:25 | Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe |
Previous Message | Heikki Linnakangas | 2008-03-31 21:36:54 | Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe |