Opened 5 years ago

Closed 19 months ago

Last modified 19 months ago

#4662 closed defect (wontfix)

[raster] Fully qualify postgis types in SPI_execute calls

Reported by: Algunenano Owned by: pramsey
Priority: medium Milestone: PostGIS 3.4.0
Component: raster Version: 2.4.x
Keywords: Cc:

Description

Related to https://trac.osgeo.org/postgis/ticket/4661

There are multiple instances where raster SPI_calls do not schem qualify internal objects (Postgis functions, spatial_ref_sys and so on) so it might fail to find it if the schema holding them is not in the search_path (usually when the function is not installed in public or being used through FDW).

Change History (13)

comment:1 by robe, 5 years ago

Milestone: PostGIS 2.3.11PostGIS 2.4.9

I think this change is too invasive to make for the last release of PostGIS 2.3 so going to push to a future PostGIS 2.4.

comment:2 by robe, 5 years ago

Milestone: PostGIS 2.4.9PostGIS 2.3.11
Resolution: wontfix
Status: newclosed

Actually looks like this has already been done for 2.4, so I'm just going to close this out as won't fix.

comment:3 by Algunenano, 5 years ago

Milestone: PostGIS 2.3.11PostGIS 2.4.9
Resolution: wontfix
Status: closedreopened
Version: 2.3.x2.4.x

There are still at least 2 issues still in raster code:

  • rtpg_internal.c is using spatial_ref_sys.
  • rtpg_statistics.c is calling _st_summarystats multiple times without the schema.

These 2 inner calls will fail if the Postgis functions are not available in the search_path, which might happen if you've moved the extension of always if you are calling them through FDW (where only pg_temp is in the search_path).

comment:4 by robe, 5 years ago

worth fixing? Wanted to release 2.4 this Friday.

comment:5 by robe, 4 years ago

Milestone: PostGIS 2.4.9PostGIS 3.0.3

comment:6 by robe, 4 years ago

Milestone: PostGIS 3.0.3PostGIS 3.0.4

comment:7 by robe, 3 years ago

Milestone: PostGIS 3.0.4PostGIS 2.4.10

comment:8 by robe, 3 years ago

Milestone: PostGIS 2.4.10PostGIS 3.3.0

comment:9 by robe, 3 years ago

Owner: changed from dustymugs to pramsey
Status: reopenednew

comment:10 by robe, 2 years ago

Milestone: PostGIS 3.3.0PostGIS 3.4.0

comment:11 by pramsey, 19 months ago

Resolution: wontfix
Status: newclosed

Going to just leave this outstanding until an operational issue gets reported.

comment:12 by strk, 19 months ago

Isn't this actually a security issue ?

comment:13 by robe, 19 months ago

Not really because all the functions we have that call into our spis are security invoker and they don't get called during install.

Note: See TracTickets for help on using tickets.