Fixes for missing schema qualifications

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Postgres hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Fixes for missing schema qualifications
Date: 2018-03-09 07:55:38
Message-ID: 20180309075538.GD9376@paquier.xyz
Lists: pgsql-hackers

Hi all,

In light of CVE-2018-1058, users' applications need to be careful about
the use of schema-unqualified queries. A look at the upstream code
shows four areas which are missing such handling:
- psql has one problem in get_create_object_cmd which twice fails to
qualify array_remove().
- isolationtester is missing one for a call to pg_backend_pid().
- information_schema.sql has one problem as well: the function
_pg_interval_type does not qualify upper(). Please note that there is
no need to care about views' bodies because those use OID references, so
only the function body needs to be taken care of.
- worker_spi scans pg_namespace and uses count() without schema
qualification.

Attached is a patch which fixes all four of them, and which should be
back-patched. For information_schema.sql, users can always replace the
body of the function by redefining it (using SET search_path in CREATE
FUNCTION would work as well; however, this is more costly than a simple
qualification).

Thoughts?
--
Michael

Attachment Content-Type Size
0001-Fix-missing-schema-qualifications-in-code.patch text/x-diff 3.6 KB
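
An added example, not part of the original message or the attached patch: a small audit helper that flags schema-unqualified calls to the four functions named in the message within a piece of SQL text. The helper name, the hard-coded function list and the sample statements are constructed for illustration.

```python
import re

# The four functions named in the message; all of them live in pg_catalog.
# Hard-coded here as an assumption; a fuller audit would build the list
# from the pg_proc catalog of the target server.
CATALOG_FUNCS = ("array_remove", "pg_backend_pid", "upper", "count")

# A call counts as unqualified when the name is not preceded by "schema."
# and is not the tail of a longer identifier such as my_upper.
_CALL = re.compile(
    r"(?<![\w.])(" + "|".join(CATALOG_FUNCS) + r")\s*\(",
    re.IGNORECASE,
)

# Single-quoted literals and "--" comments, matched in one left-to-right
# pass so a quote inside a comment (or "--" inside a literal) is not misread.
# Limitation: a function body written as a single-quoted string is skipped
# too, so pass such bodies to the scanner on their own.
_SKIP = re.compile(r"'(?:[^']|'')*'|--[^\n]*")


def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def unqualified_calls(sql):
    """Return (line_number, function_name) for each unqualified call."""
    cleaned = _SKIP.sub(_blank, sql)
    hits = []
    for m in _CALL.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1).lower()))
    return hits


# Constructed sample statements, not taken from the PostgreSQL tree.
SAMPLE = """\
SELECT pg_catalog.array_remove(a, NULL), array_remove(b, NULL) FROM t;
SELECT pg_backend_pid();  -- count() in a comment is ignored
SELECT pg_catalog.upper(x), my_upper(x), 'upper(' FROM t;
SELECT COUNT (*) FROM pg_catalog.pg_namespace;
"""

if __name__ == "__main__":
    for line, name in unqualified_calls(SAMPLE):
        print(f"line {line}: {name}() relies on search_path for resolution")
```

Each hit is a call whose resolution depends on the session's search_path; prefixing it with pg_catalog. removes that dependency.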
