| From: | Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> |
|---|---|
| To: | Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> |
| Cc: | Jeff Davis <pgsql(at)j-davis(dot)com>, Ashutosh Bapat <ashutosh(dot)bapat(dot)oss(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Addressing SECURITY DEFINER Function Vulnerabilities in PostgreSQL Extensions |
| Date: | 2024-06-11 12:49:56 |
| Message-ID: | CAE9k0PkBMY6AXLgC4SdvSKNX5+RJZ3FRAhh1q9+VLPnN56eXZw@mail.gmail.com |
| Lists: | pgsql-hackers |
Hi,
On Tue, Jun 11, 2024 at 5:02 PM Jelte Fennema-Nio <postgres(at)jeltef(dot)nl> wrote:
>
> On Tue, 11 Jun 2024 at 11:54, Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> wrote:
> > 1) Extends the CREATE EXTENSION command to support a new option, SET
> > SEARCH_PATH.
>
>
> I don't think it makes sense to add such an option to CREATE EXTENSION.
> I feel like such a thing should be part of the extension control file
> instead. That way the extension author controls the search path, not
> the person that installs the extension.

If the author has configured the search_path for any desired function,
using this option with the CREATE EXTENSION command will not affect
those functions.

--
With Regards,
Ashutosh Sharma.