| From: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
|---|---|
| To: | Feike Steenbergen <feikesteenbergen(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them |
| Date: | 2025-06-05 10:49:08 |
| Message-ID: | 59664625-e019-440a-b69e-16d092699779@eisentraut.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 23.05.25 10:43, Feike Steenbergen wrote:
> Attached is a sample exploit, that achieves this, key components:
>
> - the GENERATED column uses a user defined immutable function
> - this immutable function cannot ALTER ROLE (needs volatile)
> - therefore this immutable function calls a volatile function
> - the volatile function can contain any security exploit
I propose to address this by not allowing the use of user-defined
functions in generation expressions for now. The attached patch
implements this. This assumes that all built-in functions are
trustworthy, for this purpose, which seems likely true and likely desirable.
I think the feature is still useful like that, and this approach
provides a path to add new functionality in the future that grows this
set of allowed functions, for example by allowing some configurable set
of "trusted" functions or whatever.
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Restrict-virtual-columns-to-use-built-in-functions.patch | text/plain | 8.0 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2025-06-05 11:14:48 | Re: Possibly hard-to-read message |
| Previous Message | Nisha Moond | 2025-06-05 10:45:14 | Re: Fix slot synchronization with two_phase decoding enabled |