Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe

"Lars Olson" <leolson1(at)uiuc(dot)edu> writes:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table.

This example proves nothing except that you shouldn't execute untrusted
code --- Carol gave up her data by willingly executing Bob's function.
I don't think that the use of SESSION_USER is particularly to blame.
There are certainly any number of other ways Bob could have abused
her trust here.

> This is highly related to a paper I am preparing for a security conference
> that I am submitting in two weeks. Sorry about the short notice, I only
> just thought of this problem yesterday. I would like to use this as an
> example in my paper, but I will not do so without PostgreSQL's permission.
> Please advise.

If this were a security issue, you already spilled the beans by
reporting it to a public mailing list; so I'm unsure what you are
concerned about.

regards, tom lane