@ -750,14 +750,14 @@ SELECT * FROM dup(42);
ensure that the function cannot be misused. For security,
ensure that the function cannot be misused. For security,
<xref linkend="guc-search-path"> should be set to exclude any schemas
<xref linkend="guc-search-path"> should be set to exclude any schemas
writable by untrusted users. This prevents
writable by untrusted users. This prevents
malicious users from creating objects that mask objects used by the
malicious users from creating objects (e.g., tables, functions, and
function. Particularly important in this regard is the
operators) that mask objects intended to be used by the function.
Particularly important in this regard is the
temporary-table schema, which is searched first by default, and
temporary-table schema, which is searched first by default, and
is normally writable by anyone. A secure arrangement can be obtained
is normally writable by anyone. A secure arrangement can be obtained
by forcing the temporary schema to be searched last. To do this,
by forcing the temporary schema to be searched last. To do this,
write <literal>pg_temp</><indexterm><primary>pg_temp</><secondary>securing functions</></> as the last entry in <varname>search_path</>.
write <literal>pg_temp</><indexterm><primary>pg_temp</><secondary>securing functions</></> as the last entry in <varname>search_path</>.
This function illustrates safe usage:
This function illustrates safe usage:
</para>
<programlisting>
<programlisting>
CREATE FUNCTION check_password(uname TEXT, pass TEXT)
CREATE FUNCTION check_password(uname TEXT, pass TEXT)
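Review bot: the new parenthetical at "creating objects (e.g., tables, functions, and operators)" is a useful addition, but the same hunk also changes "objects used by the function" to "objects intended to be used by the function", which is wordier without adding meaning; consider keeping the list and the original phrasing, e.g. "that mask objects used by the function". The check_password example that follows only shows a table being masked (admin.pwds by a temporary pwds), so a short sentence noting that the same masking applies to the functions and operators the list now names would help readers who skip to the example.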
@ -776,11 +776,17 @@ $$ LANGUAGE plpgsql
SET search_path = admin, pg_temp;
SET search_path = admin, pg_temp;
</programlisting>
</programlisting>
This function's intention is to access a table <literal>admin.pwds</>.
But without the <literal>SET</> clause, or with a <literal>SET</> clause
mentioning only <literal>admin</>, the function could be subverted by
creating a temporary table named <literal>pwds</>.
</para>
<para>
<para>
Before <productname>PostgreSQL</productname> version 8.3, the
Before <productname>PostgreSQL</productname> version 8.3, the
<literal>SET</> option was not available, and so older functions may
<literal>SET</> clause was not available, and so older functions may
contain rather complicated logic to save, set, and restore
contain rather complicated logic to save, set, and restore
<varname>search_path</>. The <literal>SET</> option is far easier
<varname>search_path</>. The <literal>SET</> clause is far easier
to use for this purpose.
to use for this purpose.
</para>
</para>
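Review bot: replacing "SET option" with "SET clause" is consistent with the unchanged context "without the SET clause" earlier in the hunk, but "the SET clause" on its own can be read as the standalone SET command rather than the clause of CREATE FUNCTION that the example uses; consider "the SET clause of CREATE FUNCTION" at its first mention in this paragraph. Also, the header @@ -776,11 +776,17 @@ counts six added lines, yet only two in-place wording changes are visible here; check that the rest of the hunk was not dropped from the submission.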