>>>>> "Tom" == Tom Lane <tgl@sss.pgh.pa.us> writes:
>> Tom, could you please elaborate where you see a security hole?
Tom> The problem that we've seen in the past shows up when the user
Tom> lies in the CREATE TYPE command, specifying type representation
Tom> properties that are different from what the underlying functions
Tom> expect. In particular, if it's possible to pass a pass-by-value
Tom> integer to a function that's expecting a pass-by-reference
Tom> datum, you can misuse the function to access backend memory.
It strikes me that type output functions are routinely invoked by
superusers (e.g. during pg_dump), and therefore if a non-superuser can
create a type, that seems to imply that there's no way for a superuser
to safely examine or dump the content of the database without risking
the execution of untrusted code, correct?
--
Andrew (irc:RhodiumToad)
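For a reader who wants to check their own cluster for the situation discussed above, the following catalog query is an added example and is not part of the thread. It lists base types owned by non-superusers together with the representation properties CREATE TYPE lets the creator declare (typlen, typbyval, typalign) and the input/output functions that have to agree with them. It assumes the standard PostgreSQL catalogs pg_type, pg_proc, pg_roles, pg_namespace and pg_language; the catalogs cannot tell you what a C function actually expects, so the query only surfaces candidates for manual review, it does not decide whether a declaration is a lie.

```sql
-- Added audit query (not from the mailing-list thread).
-- Surfaces base types created by non-superusers so a DBA can compare the
-- declared representation (typlen/typbyval/typalign) against what the
-- type's I/O functions are written to expect before running pg_dump or
-- otherwise invoking the output function as a superuser.
SELECT n.nspname                  AS schema,
       t.typname                  AS type_name,
       r.rolname                  AS owner,
       t.typlen,                  -- -1 = varlena, -2 = cstring, >0 = fixed size
       t.typbyval,                -- declared pass-by-value; must match the C code
       t.typalign,
       t.typinput::regprocedure   AS input_fn,
       li.lanname                 AS input_lang,
       t.typoutput::regprocedure  AS output_fn,
       lo.lanname                 AS output_lang
FROM   pg_type       t
JOIN   pg_namespace  n    ON n.oid    = t.typnamespace
JOIN   pg_roles      r    ON r.oid    = t.typowner
JOIN   pg_proc       pin  ON pin.oid  = t.typinput
JOIN   pg_proc       pout ON pout.oid = t.typoutput
JOIN   pg_language   li   ON li.oid   = pin.prolang
JOIN   pg_language   lo   ON lo.oid   = pout.prolang
WHERE  t.typtype = 'b'                          -- base types (full CREATE TYPE form)
  AND  NOT r.rolsuper                           -- owned by a non-superuser
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND  t.typinput <> 'array_in'::regproc        -- skip auto-created array types
ORDER  BY n.nspname, t.typname;
```

Any row whose I/O functions are written in C (input_lang/output_lang = 'c') deserves a look at the function's source or documentation to confirm that its argument and result handling matches the declared typlen and typbyval; functions in a trusted language such as SQL or PL/pgSQL are type-checked by the server and are not the case Tom describes.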