From: | David Steele <david(at)pgmasters(dot)net> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Fixes for missing schema qualifications |
Date: | 2018-03-09 14:35:22 |
Message-ID: | f48a5be4-77ea-88f6-86e4-fa82babc43fe@pgmasters.net |
Lists: | pgsql-hackers |
On 3/9/18 2:55 AM, Michael Paquier wrote:
>
> In light of CVE-2018-1058, users' applications need to be careful about
> the use of schema-unqualified queries. A lookup at the upstream code is
> showing four areas which are missing such handling:
> - psql has one problem in get_create_object_cmd which misses twice to
> qualify array_remove().
> - isolationtester is missing one for a call to pg_backend_pid()
> - information_schema.sql has one problem as well: the function
> _pg_interval_type does not qualify upper(). Please note that there is
> no need to care about views' bodies because those use OID references, so
> only the function body needs to be taken care of.
> - worker_spi scans pg_namespace and uses count() without schema
> qualification.
>
> Attached is a patch which fixes all four of them, and which should be
> back-patched. For information_schema.sql, users can always replace the
> body of the function by redefining them (using SET search_path in CREATE
> FUNCTION would work as well however this is more costly than a simple
> qualification).
These look sane to me. Did you check the back branches for anything
that might not exist in HEAD?
Regards,
--
-David
david(at)pgmasters(dot)net
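As an added illustration (not part of the patch or of this thread), below are the four call sites from the mail rewritten in schema-qualified form, the SET search_path alternative the mail mentions, and an audit query that lists user-schema functions whose names collide with pg_catalog functions. The schema name `app`, the function names and the sample array are constructed for the example.

```sql
-- Added example, not from the patch. Every function and relation is pinned to
-- pg_catalog so the result no longer depends on the caller's search_path.
CREATE SCHEMA IF NOT EXISTS app;  -- constructed schema for the example

-- worker_spi: count rows of pg_namespace (both count() and the table qualified).
SELECT pg_catalog.count(*) FROM pg_catalog.pg_namespace;

-- isolationtester: backend pid.
SELECT pg_catalog.pg_backend_pid();

-- psql get_create_object_cmd: array_remove() qualified (constructed input array).
SELECT pg_catalog.array_remove(ARRAY['a', 'b', 'c']::text[], 'b');

-- information_schema._pg_interval_type style: upper() qualified inside the
-- function body. This is a constructed look-alike, not the real function.
CREATE FUNCTION app.interval_type_qualified(text) RETURNS text
    LANGUAGE sql IMMUTABLE
    AS $$ SELECT pg_catalog.upper($1) $$;

-- The alternative from the mail: pin search_path on the function itself
-- instead of qualifying each call (costs a search_path switch per call).
CREATE FUNCTION app.interval_type_pinned(text) RETURNS text
    LANGUAGE sql IMMUTABLE
    SET search_path = pg_catalog, pg_temp
    AS $$ SELECT upper($1) $$;

-- Audit: functions outside the system schemas that share a name with a
-- pg_catalog function. An unqualified call resolves to one of these whenever
-- its schema precedes pg_catalog on search_path, so each hit is a candidate
-- for review. Note that operators (=, <, ...) are resolved the same way;
-- fully pinning them needs the OPERATOR(pg_catalog.=) form.
SELECT n.nspname,
       p.proname,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args
  FROM pg_catalog.pg_proc p
  JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
   AND EXISTS (SELECT 1
                 FROM pg_catalog.pg_proc c
                WHERE c.pronamespace = 'pg_catalog'::pg_catalog.regnamespace
                  AND c.proname = p.proname)
 ORDER BY 1, 2;
```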