Robert Haas <robertmhaas@gmail.com> writes:
> On Sat, Nov 6, 2010 at 11:36 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Yeah, we changed that behavior as part of the fix for CVE-2007-2138.
>> You'd need either SECURITY DEFINER functions or very careless use of
>> SET ROLE/SET SESSION AUTHORIZATION for the issue to be exploitable.
> Would it be practical to let foo() potentially mean pg_temp.foo()
> outside of any SECURITY DEFINER context?
Doesn't seem like a particularly good idea for the search semantics
to be randomly different inside a SECURITY DEFINER function. In fact,
I'll bet you could construct an attack in the reverse direction:
S.D. function thinks it is calling a temp function (using syntax that
works fine when not S.D.), but control gets sent to a non-temp function
belonging to $badguy instead.
regards, tom lane