Re: Fixes for missing schema qualifications

On 3/9/18 2:55 AM, Michael Paquier wrote:
> 
> In light of CVE-2018-1058, user's applications need to be careful about
> the use of schema-unqualified queries.  A lookup at the upstream code is
> showing four areas which are missing such handling:
> - psql has one problem in get_create_object_cmd which misses twice to
> qualify array_remove().
> - isolationtester is missing one for a call to pg_backend_pid()
> - information_schema.sql has one problem as well: the function
> _pg_interval_type does not qualify upper().  Please note that there is
> no need to care about view's bodies because those use OID references, so
> only the function body need to be taken care of.
> - worker_spi scans pg_namespace and uses count() without schema
> qualification.
> 
> Attached is a patch which fixes all four of them, and which should be
> back-patched.  For information_schema.sql, users can always replace the
> body of the function by redefining them (using SET search_path in CREATE
> FUNCTION would work as well however this is more costly than a simple
> qualification).

These look sane to me.  Did you check the back branches for anything
that might not exist in HEAD?

Regards,
-- 
-David
david@pgmasters.net