From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Peter Eisentraut <peter(at)eisentraut(dot)org> |
Cc: | Feike Steenbergen <feikesteenbergen(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: pg18: Virtual generated columns are not (yet) safe when superuser selects from them |
Date: | 2025-06-05 11:33:42 |
Message-ID: | CAFj8pRC0quqJr-eR5i1c40g+QpT4Tvr9MfZgF44Rt0q++3d6dQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Jun 5, 2025 at 12:49, Peter Eisentraut <peter(at)eisentraut(dot)org> wrote:
> On 23.05.25 10:43, Feike Steenbergen wrote:
> > Attached is a sample exploit, that achieves this, key components:
> >
> > - the GENERATED column uses a user defined immutable function
> > - this immutable function cannot ALTER ROLE (needs volatile)
> > - therefore this immutable function calls a volatile function
> > - the volatile function can contain any security exploit
>
> I propose to address this by not allowing the use of user-defined
> functions in generation expressions for now. The attached patch
> implements this. This assumes that all built-in functions are
> trustworthy, for this purpose, which seems likely true and likely
> desirable.
>
> I think the feature is still useful like that, and this approach
> provides a path to add new functionality in the future that grows this
> set of allowed functions, for example by allowing some configurable set
> of "trusted" functions or whatever.
>
+1
Regards
Pavel