pgsql: Fix search_path to a safe value during maintenance operations.

Поиск
Список
Период
Сортировка
От Jeff Davis
Тема pgsql: Fix search_path to a safe value during maintenance operations.
Дата
Msg-id E1q7j7Y-000z1H-Hr@gemulon.postgresql.org
обсуждение исходный текст
Ответы Re: pgsql: Fix search_path to a safe value during maintenance operations.
Список pgsql-committers
Дерево обсуждения 
Fix search_path to a safe value during maintenance operations.

While executing maintenance operations (ANALYZE, CLUSTER, REFRESH
MATERIALIZED VIEW, REINDEX, or VACUUM), set search_path to
'pg_catalog, pg_temp' to prevent inconsistent behavior.

Functions that are used for functional indexes, in index expressions,
or in materialized views and depend on a different search path must be
declared with CREATE FUNCTION ... SET search_path='...'.

This change addresses a security risk introduced in commit 60684dd834,
where a role with MAINTAIN privileges on a table may be able to
escalate privileges to the table owner. That commit is not yet part of
any release, so no need to backpatch.

Discussion: https://postgr.es/m/e44327179e5c9015c8dda67351c04da552066017.camel%40j-davis.com
Reviewed-by: Greg Stark
Reviewed-by: Nathan Bossart

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/05e17373517114167d002494e004fa0aa32d1fd1

Modified Files
--------------
contrib/amcheck/verify_nbtree.c                             |  2 ++
src/backend/access/brin/brin.c                              |  2 ++
src/backend/catalog/index.c                                 |  8 ++++++++
src/backend/commands/analyze.c                              |  2 ++
src/backend/commands/cluster.c                              |  2 ++
src/backend/commands/indexcmds.c                            |  6 ++++++
src/backend/commands/matview.c                              |  2 ++
src/backend/commands/vacuum.c                               |  2 ++
src/bin/scripts/t/100_vacuumdb.pl                           |  4 ----
src/include/utils/guc.h                                     |  6 ++++++
src/test/modules/test_oat_hooks/expected/test_oat_hooks.out |  4 ++++
src/test/regress/expected/privileges.out                    | 12 ++++++------
src/test/regress/expected/vacuum.out                        |  2 +-
src/test/regress/sql/privileges.sql                         |  8 ++++----
src/test/regress/sql/vacuum.sql                             |  2 +-
15 files changed, 48 insertions(+), 16 deletions(-)

В списке pgsql-committers по дате отправления: