Re: Fixes for missing schema qualifications
From | David Steele
---|---
Subject | Re: Fixes for missing schema qualifications
Date |
Msg-id | f48a5be4-77ea-88f6-86e4-fa82babc43fe@pgmasters.net
In reply to | Fixes for missing schema qualifications (Michael Paquier <michael@paquier.xyz>)
Responses | Re: Fixes for missing schema qualifications
List | pgsql-hackers
On 3/9/18 2:55 AM, Michael Paquier wrote:
>
> In light of CVE-2018-1058, users' applications need to be careful about
> the use of schema-unqualified queries. A lookup at the upstream code is
> showing four areas which are missing such handling:
> - psql has one problem in get_create_object_cmd which misses twice to
> qualify array_remove().
> - isolationtester is missing one for a call to pg_backend_pid()
> - information_schema.sql has one problem as well: the function
> _pg_interval_type does not qualify upper(). Please note that there is
> no need to care about views' bodies because those use OID references, so
> only the function body needs to be taken care of.
> - worker_spi scans pg_namespace and uses count() without schema
> qualification.
>
> Attached is a patch which fixes all four of them, and which should be
> back-patched. For information_schema.sql, users can always replace the
> body of the function by redefining them (using SET search_path in CREATE
> FUNCTION would work as well, however this is more costly than a simple
> qualification).

These look sane to me. Did you check the back branches for anything that
might not exist in HEAD?

Regards,
--
-David
david@pgmasters.net
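The following is an added example, not code from the thread or from the attached patch, showing the hijack that motivates the qualification of calls such as upper() and the two remedies Michael mentions (qualifying the call, or pinning search_path on the function). The schema, role and function names (trusted, normalize_name, public.upper) are assumed for illustration only; the victim function stands in for information_schema._pg_interval_type, it is not that function.

```sql
-- Added example (not from the patch or the thread). Run as a superuser in a
-- scratch database; names below are assumed for illustration.

-- A victim SQL-language function that calls upper() unqualified. SQL
-- function bodies are parsed at each call, so name resolution follows the
-- CALLER's search_path at execution time, not the definer's.
CREATE SCHEMA trusted;
CREATE FUNCTION trusted.normalize_name(n varchar) RETURNS text
    LANGUAGE sql AS $$ SELECT upper(n) $$;

SELECT trusted.normalize_name('alice');   -- expected: ALICE

-- The hijack (CVE-2018-1058 pattern). pg_catalog is always searched first
-- implicitly, but that only breaks ties between candidates with IDENTICAL
-- argument types. pg_catalog provides upper(text); an attacker-created
-- upper(varchar) is an exact match for the varchar argument and is chosen
-- over the implicit varchar->text cast, whatever its position in the path.
-- Before PostgreSQL 15 every role could CREATE in public by default, so any
-- user could plant this. Assumed: this runs as a role with CREATE on public.
CREATE FUNCTION public.upper(v varchar) RETURNS text
    LANGUAGE sql AS $$ SELECT 'hijacked: ' || v $$;

SELECT trusted.normalize_name('alice');   -- now: hijacked: alice

-- Fix 1 (what the patch does): schema-qualify the call. Only pg_catalog is
-- considered, so public.upper is never a candidate. No per-call overhead.
CREATE OR REPLACE FUNCTION trusted.normalize_name(n varchar) RETURNS text
    LANGUAGE sql AS $$ SELECT pg_catalog.upper(n) $$;

SELECT trusted.normalize_name('alice');   -- ALICE again

-- Fix 2: pin the function's search_path. Also correct, but the GUC is
-- saved and restored around every call, which is the cost Michael refers
-- to. pg_temp is listed last explicitly; left unlisted it is searched
-- first for table and type names (never for functions or operators).
CREATE OR REPLACE FUNCTION trusted.normalize_name(n varchar) RETURNS text
    LANGUAGE sql
    SET search_path = pg_catalog, pg_temp
    AS $$ SELECT upper(n) $$;

SELECT trusted.normalize_name('alice');   -- ALICE

-- Audit helper: list user-defined functions whose name collides with a
-- pg_catalog function, which is exactly what a shadowing attempt looks like.
SELECT n.nspname, p.proname, pg_catalog.pg_get_function_arguments(p.oid) AS args
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND EXISTS (SELECT 1 FROM pg_catalog.pg_proc c
              JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
              WHERE cn.nspname = 'pg_catalog' AND c.proname = p.proname);

-- Cleanup.
DROP FUNCTION public.upper(varchar);
DROP FUNCTION trusted.normalize_name(varchar);
DROP SCHEMA trusted;
```

The same exact-match rule applies to the other call sites in the patch: a call such as pg_backend_pid() or array_remove() inside client code or a SQL function body resolves against whatever the connected role's search_path exposes, so the fix is to write pg_catalog.pg_backend_pid() and pg_catalog.array_remove() rather than rely on pg_catalog's implicit first position. The audit query at the end flags candidates for review; a collision is not proof of malice, but in a database where untrusted roles can create objects it is the first thing to look at.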