Re: Want to disable fully qualified table names on pg_dump in pg_dump(PostgreSQL) 9.6.8

From Adrian Klaver
Subject Re: Want to disable fully qualified table names on pg_dump in pg_dump(PostgreSQL) 9.6.8
Date
Msg-id ace62b19-f918-3579-3633-b9e19da8b9de@aklaver.com
In response to Want to disable fully qualified table names on pg_dump in pg_dump(PostgreSQL) 9.6.8  (Foolish Ewe <foolishewe@hotmail.com>)
Responses Re: Want to disable fully qualified table names on pg_dump in pg_dump(PostgreSQL) 9.6.8
List pgsql-general
On 03/15/2018 04:00 PM, Foolish Ewe wrote:
> Hello All:
> 
> A number of our team members and I use pg_dump to export schema in an 
> Ubuntu 16.04 environment, I happen to have a postgres 9.6.4 server
> that runs in a docker container, and in some cases I see the following 
> select statement and fully qualified table names in the
> CREATE TABLE and ALTER TABLE statements:
> 
> SELECT pg_catalog.set_config('search_path', '', false);
> 
> CREATE TABLE database_name.table_name

I am pretty sure you are actually seeing:

CREATE TABLE schema_name.table_name

> 
> and likewise for ALTER TABLE.
> 
> But other users (who haven't updated their systems recently) do not see 
> the SELECT statement and we see unqualified table names, e.g.:
> 
> 
> CREATE TABLE table_name
> 
> 
> These changes in format impact our workflows, we would prefer to have 
> unqualified table names.
> 

> 
> Does anyone have an idea of what might cause this?   Is there something 
> we can do on the client side to avoid getting qualified table names?

The reason:

https://www.postgresql.org/about/news/1834/

"The purpose of this release is to address CVE-2018-1058, which 
describes how a user can create like-named objects in different schemas 
that can change the behavior of other users' queries and cause 
unexpected or malicious behavior, also known as a "trojan-horse" attack."

More information

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

There is no flag to unset this.

> 
> With best regards:
> 
> Bill
> 
> 
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com
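
An added example, not part of the original message and not PostgreSQL project code: a Python check that tells whether a schema dump came from a pg_dump carrying the CVE-2018-1058 change, by looking for the `set_config` line quoted above and classifying `CREATE TABLE` / `ALTER TABLE` names as qualified or unqualified. The function names and both sample dumps are constructed for illustration.

```python
import re

# Line a patched pg_dump writes near the top of its output (quoted in the thread).
HARDENED_RE = re.compile(
    r"^\s*SELECT\s+pg_catalog\.set_config\(\s*'search_path'\s*,\s*''\s*,\s*false\s*\)\s*;",
    re.IGNORECASE | re.MULTILINE)

# An identifier is "double quoted" (dots and "" escapes allowed) or a bare word.
IDENT = r'(?:"(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*)'
STMT_RE = re.compile(
    r"^\s*(?:CREATE(?:\s+UNLOGGED)?\s+TABLE|ALTER\s+TABLE)\s+"
    r"(?:IF\s+(?:NOT\s+)?EXISTS\s+)?(?:ONLY\s+)?"
    rf"({IDENT})(\.{IDENT})?",
    re.IGNORECASE | re.MULTILINE)

def audit_dump(sql_text):
    """Report whether the dump pins search_path and how each table is named."""
    report = {"hardened": bool(HARDENED_RE.search(sql_text)),
              "qualified": [], "unqualified": []}
    for m in STMT_RE.finditer(sql_text):
        first, rest = m.group(1), m.group(2)
        key = "qualified" if rest else "unqualified"
        report[key].append(first + (rest or ""))
    return report

def mixed_output(report):
    """True when a file mixes both styles, e.g. dumps from two clients were merged."""
    return bool(report["qualified"]) and bool(report["unqualified"])

# Constructed samples (not real output): a patched client and an older one.
PATCHED = """\
SELECT pg_catalog.set_config('search_path', '', false);
CREATE TABLE public.users (
    id integer NOT NULL
);
ALTER TABLE ONLY public.users
    ADD CONSTRAINT users_pkey PRIMARY KEY (id);
"""
UNPATCHED = """\
SET search_path = public, pg_catalog;
CREATE TABLE users (
    id integer NOT NULL
);
ALTER TABLE ONLY users
    ADD CONSTRAINT users_pkey PRIMARY KEY (id);
CREATE TABLE "odd.name" (id integer);
"""

if __name__ == "__main__":
    for name, text in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, audit_dump(text))
```

A quoted name that contains a dot, such as `"odd.name"`, is a single identifier and is reported as unqualified.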

