Martijn van Oosterhout <kleptog@svana.org> writes:
> On Fri, Nov 05, 2010 at 09:01:50PM -0400, Robert Haas wrote:
>> I see that there could be a problem here with SECURITY DEFINER
>> functions, but I'm not clear whether it goes beyond that?
> IIRC correctly it's because even unpriveledged users can make things in
> the pg_temp schema and it's implicitly at the front of the search_path.
> There was a CVE about this a while back, no?
Yeah, we changed that behavior as part of the fix for CVE-2007-2138.
You'd need either SECURITY DEFINER functions or very careless use of
SET ROLE/SET SESSION AUTHORIZATION for the issue to be exploitable.
regards, tom lane