| From: | Noah Misch <noah(at)leadboat(dot)com> |
|---|---|
| To: | pgsql-docs(at)postgresql(dot)org |
| Cc: | jkatz(at)postgresql(dot)org |
| Subject: | Documenting safe practices for qualified function calls |
| Date: | 2018-07-21 01:24:46 |
| Message-ID: | 20180721012446.GA1840594@rfd.leadboat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-docs |
The CVE-2018-1058 documentation change, commit 5770172, directed readers to
secure their schema usage patterns. That made secure their use of unqualified
function and operator names. Sometimes one wishes to call an object outside
search_path via a qualified name. That has its own security considerations,
which we hadn't documented to the same degree. The security team discussed
this and concluded that the lack of documentation did not itself constitute a
security flaw. I did prepare the attached patch, which Jonathan Katz
reviewed. I'm posting it here in case anyone else wishes to review it.
Thanks,
nm
| Attachment | Content-Type | Size |
|---|---|---|
| overload-func-doc-v3.patch | text/plain | 14.2 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jürgen Purtz | 2018-07-22 19:46:31 | Re: Images in the official documentation |
| Previous Message | Pavel Golub | 2018-07-20 16:14:13 | Re: Images in the official documentation |