Re: BUG #19523: psql tab-completion shadows pg_db_role_setting

From: Kirill Reshke <reshkekirill(at)gmail(dot)com>
To: Vismay Tiwari <vismay(dot)t(at)gmail(dot)com>
Cc: PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #19523: psql tab-completion shadows pg_db_role_setting
Date: 2026-07-10 04:49:10
Message-ID: CALdSSPiAmy3ZoUyRXMqFazm0D0b1Y4oMhUKVpXwSBhrDh+odew@mail.gmail.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Hi! You seem to create two threads on the issue, so I don't quite
understand where to respond. anyway:

On Thu, 9 Jul 2026, 15:14 Vismay Tiwari, <vismay(dot)t(at)gmail(dot)com> wrote:

> Hi,
>
> Reproduced on current master. The tab-completion query for
> "ALTER DATABASE ... RESET" (Query_for_list_of_database_vars) references
> pg_db_role_setting and pg_database without a pg_catalog qualification, so a
> same-named table earlier in search_path shadows the catalog:
>
> CREATE SCHEMA attacker;
> CREATE TABLE attacker.pg_db_role_setting (setdatabase oid, setrole
> oid, setconfig text[]);
> INSERT INTO attacker.pg_db_role_setting
> SELECT oid, 0, ARRAY['evil_var=x'] FROM pg_database WHERE
> datname = 'postgres';
> SET search_path = attacker, pg_catalog;
> -- "ALTER DATABASE postgres RESET <TAB>" then offers evil_var
>
>
Preventing this makes sense in case somebody accidentally misconfigured
their server. Which is not very probable for a table with `
pg_db_role_setting` name.
Also note that this is not a vulnerability: from
https://www.postgresql.org/docs/current/app-psql.html says:

If untrusted users have access to a database that has not adopted a secure
schema usage pattern, begin your session by removing publicly-writable
schemas from search_path.

Anyway +1 on fixing

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Vismay Tiwari 2026-07-10 05:51:36 Re: BUG #19523: psql tab-completion shadows pg_db_role_setting
Previous Message Ayush Tiwari 2026-07-09 14:48:19 Re: REVOKE's CASCADE protection doesn't work with INHERITed table owners