On Sat, Nov 6, 2010 at 11:36 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Martijn van Oosterhout <kleptog@svana.org> writes:
>> On Fri, Nov 05, 2010 at 09:01:50PM -0400, Robert Haas wrote:
>>> I see that there could be a problem here with SECURITY DEFINER
>>> functions, but I'm not clear whether it goes beyond that?
>
>> IIRC correctly it's because even unpriveledged users can make things in
>> the pg_temp schema and it's implicitly at the front of the search_path.
>> There was a CVE about this a while back, no?
>
> Yeah, we changed that behavior as part of the fix for CVE-2007-2138.
> You'd need either SECURITY DEFINER functions or very careless use of
> SET ROLE/SET SESSION AUTHORIZATION for the issue to be exploitable.
Would it be practical to let foo() potentially mean pg_temp.foo()
outside of any SECURITY DEFINER context?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company