Documenting safe practices for qualified function calls

From: Noah Misch <noah(at)leadboat(dot)com>
To: pgsql-docs(at)postgresql(dot)org
Cc: jkatz(at)postgresql(dot)org
Subject: Documenting safe practices for qualified function calls
Date: 2018-07-21 01:24:46
Message-ID: 20180721012446.GA1840594@rfd.leadboat.com
Views: Raw Message | Whole Thread | Download mbox
Thread:
Lists: pgsql-docs

The CVE-2018-1058 documentation change, commit 5770172, directed readers to
secure their schema usage patterns. That made secure their use of unqualified
function and operator names. Sometimes one wishes to call an object outside
search_path via a qualified name. That has its own security considerations,
which we hadn't documented to the same degree. The security team discussed
this and concluded that the lack of documentation did not itself constitute a
security flaw. I did prepare the attached patch, which Jonathan Katz
reviewed. I'm posting it here in case anyone else wishes to review it.

Thanks,
nm

Attachment Content-Type Size
overload-func-doc-v3.patch text/plain 14.2 KB

Browse pgsql-docs by date

  From Date Subject
Next Message Jürgen Purtz 2018-07-22 19:46:31 Re: Images in the official documentation
Previous Message Pavel Golub 2018-07-20 16:14:13 Re: Images in the official documentation