Обсуждение: Schema-qualify function calls in information_schema
Folks, It's possible to arrange for schemas to precede pg_catalog and information_schema in a search_path setting, and when that's done, hilarity can ensue, especially when someone has created functions with identical signatures but non-identical behavior. People who do that should probably be presumed to be attackers, but it's conceivable that such hilarity could merely be poor judgement combined with buggy code. Please find attached a patch against master to do $Subject, which tones down the hilarity, at least in information_schema. I did not attempt to go through and make sure that functions calls are schema-qualified all through the back-end, but that seems like a worthwhile project on grounds of reducing the search_path attack surface. Another way to fix this, which I know will be controversial, is simply to mandate that pg_catalog (and possibly information_schema) be non-changeably first in the search_path. What say? Best, David. -- David Fetter <david(at)fetter(dot)org> http://fetter.org/ Phone: +1 415 235 3778 Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
Вложения
David Fetter <david@fetter.org> writes: > Please find attached a patch against master to do $Subject, which > tones down the hilarity, at least in information_schema. The views do not need this sort of change, because they're parsed only once during initdb. The bodies of functions in information_schema do need qualification, but I think they've already got it, or at least I remember having looked through them for the issue in the past. > Another way to fix this, which I know will be controversial, is simply > to mandate that pg_catalog (and possibly information_schema) be > non-changeably first in the search_path. I think that ship sailed long ago. It might be workable to attach "SET search_path" clauses to the functions, if you want to make them more bulletproof. regards, tom lane