Re: Fixes for missing schema qualifications

From: David Steele <david(at)pgmasters(dot)net>
To: Michael Paquier <michael(at)paquier(dot)xyz>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Fixes for missing schema qualifications
Date: 2018-03-09 14:35:22
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On 3/9/18 2:55 AM, Michael Paquier wrote:
> In light of CVE-2018-1058, user's applications need to be careful about
> the use of schema-unqualified queries. A lookup at the upstream code is
> showing four areas which are missing such handling:
> - psql has one problem in get_create_object_cmd which misses twice to
> qualify array_remove().
> - isolationtester is missing one for a call to pg_backend_pid()
> - information_schema.sql has one problem as well: the function
> _pg_interval_type does not qualify upper(). Please note that there is
> no need to care about view's bodies because those use OID references, so
> only the function body need to be taken care of.
> - worker_spi scans pg_namespace and uses count() without schema
> qualification.
> Attached is a patch which fixes all four of them, and which should be
> back-patched. For information_schema.sql, users can always replace the
> body of the function by redefining them (using SET search_path in CREATE
> FUNCTION would work as well however this is more costly than a simple
> qualification).

These look sane to me. Did you check the back branches for anything
that might not exist in HEAD?


In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2018-03-09 14:47:29 Re: Testbed for predtest.c ... and some arguable bugs therein
Previous Message Magnus Hagander 2018-03-09 14:06:21 Re: disable SSL compression?