"David G. Johnston" <david.g.johnston@gmail.com> writes:
> I think serious consideration needs to be given to ways to allow the user
> of pg_dump/pg_restore to choose the prior, less secure, mode of operation.
> IMO the risk surface presented to support back-patching the behavioral
> changes was not severe enough to do so in the first place. I'm presuming
> undoing the back-patch will be shot down without mercy but at least
> consider an escape hatch for unafflicted secure systems that just happen to
> depend on search_path more than a super-hardened system would.
FWIW, in the security team's discussions of CVE-2018-1058, I argued
strenuously in favor of providing a way to run pg_dump/pg_restore with
the system's default search_path as before. I lost the argument;
but maybe the need for features like this shows that we are not really
ready to insist on unconditional security there.
regards, tom lane