
Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe

From: Heikki Linnakangas <heikki(at)enterprisedb(dot)com>
To: Lars Olson <leolson1(at)uiuc(dot)edu>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Date: 2008-03-31 21:36:54
Message-ID: 47F15976.50007@enterprisedb.com
Lists: pgsql-bugs, pgsql-www
Lars Olson wrote:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table.  Using CURRENT_USER
> instead still enables a similar vulnerability.
> 
> To reproduce the problem, create three users, alice (base table owner), bob
> (attacker), and carol (other minimally-privileged user).  As Alice, create
> the following table and view:
> ...

This seems to be an instance of the general trojan-horse problem 
discussed here:

http://archives.postgresql.org/pgsql-hackers/2008-01/msg00268.php

In a nutshell, it's just not safe to access a view or function owned by 
a user you don't trust. :-(

-- 
   Heikki Linnakangas
   EnterpriseDB   http://www.enterprisedb.com
