Opened 2 years ago

Closed 21 months ago

#5069 closed defect (fixed)

Schema qualify pg_catalog functions and tables

Reported by: robe Owned by: robe
Priority: medium Milestone: PostGIS 2.4.10
Component: build Version: 2.4.x
Keywords: Cc:

Description

To better protect against https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path during PostGIS install and upgrade.

The focus is on CREATE EXTENSION / select postgis_extensions_upgrade() / ALTER EXTENSION

I think changing the tables is not necessary, although in theory we should, since someone could define such tables in the schema they install postgis in (like a view that calls a function). I will be replacing these as well to prevent a rogue actor from forcing some change by replacing key tables/views in pg_catalog.

Sadly I think this changes quite a few files.
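An added example, not from the ticket or from the PostGIS source, of the change the ticket describes: an extension-script function written with unqualified catalog references beside its schema-qualified form, followed by a query a DBA can run before an install or upgrade to list user objects whose names collide with pg_catalog ones. The schema my_ext and the function column_type_of are hypothetical.

```sql
-- Added example; not from the ticket or from the PostGIS scripts. The
-- schema my_ext and the function my_ext.column_type_of are hypothetical.

-- 1. Before: a statement from an extension script that leaves it to the
--    caller's search_path, and to best-match resolution on argument
--    types, which format_type() and pg_attribute it gets. Under
--    CVE-2018-1058 a function in a schema that search_path lists ahead
--    of pg_catalog, or one whose argument types match the call more
--    closely, can win over the catalog one and run with the installing
--    superuser's privileges; a relation is shadowed the same way.
CREATE OR REPLACE FUNCTION my_ext.column_type_of(regclass, text)
RETURNS text AS $$
  SELECT format_type(a.atttypid, a.atttypmod)
  FROM pg_attribute a
  WHERE a.attrelid = $1 AND a.attname = $2 AND NOT a.attisdropped;
$$ LANGUAGE sql STABLE;

-- 2. After: every catalog reference is schema-qualified, so search_path
--    is never consulted for it, and the function pins its own search_path
--    (pg_temp last, as the PostgreSQL guide recommends) so that any
--    unqualified reference added later is still resolved safely.
CREATE OR REPLACE FUNCTION my_ext.column_type_of(regclass, text)
RETURNS text AS $$
  SELECT pg_catalog.format_type(a.atttypid, a.atttypmod)
  FROM pg_catalog.pg_attribute a
  WHERE a.attrelid = $1 AND a.attname = $2 AND NOT a.attisdropped;
$$ LANGUAGE sql STABLE
   SET search_path = pg_catalog, pg_temp;

-- 3. Check before installing or upgrading: functions and relations
--    outside the system schemas whose names collide with pg_catalog
--    ones. A hit is not proof of tampering, but it is exactly what an
--    unqualified reference in an install script could resolve to.
SELECT n.nspname, p.proname AS name, 'function' AS kind
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
  AND p.proname IN (SELECT proname FROM pg_catalog.pg_proc
                    WHERE pronamespace = 'pg_catalog'::regnamespace)
UNION ALL
SELECT n.nspname, c.relname, 'relation'
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
  AND c.relname IN (SELECT relname FROM pg_catalog.pg_class
                    WHERE relnamespace = 'pg_catalog'::regnamespace)
ORDER BY 1, 2;
```

Run the check as a superuser in the target database; an empty result means no user-created object currently shares a name with a pg_catalog function or relation.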

Change History (10)

comment:3 by Regina Obe <lr@…>, 2 years ago

In e3921ac/git:

search_path vulnerability during install. References #5069 for PostGIS 3.1.5

comment:4 by Regina Obe <lr@…>, 2 years ago

In 2d3e08b9/git:

More missed spots. References #5069 for PostGIS 3.1.5

comment:5 by Regina Obe <lr@…>, 2 years ago

In 7e88a07/git:

Search path vulnerability during install/upgrade. References #5069 for PostGIS 3.0.5

comment:6 by Regina Obe <lr@…>, 2 years ago

In 539761b6/git:

Search_path vulnerability during install. References #5069 for PostGIS 2.5.6

comment:7 by Regina Obe <lr@…>, 2 years ago

In 4834a9f/git:

search_path vulnerability during install/upgrade. References #5069 for PostGIS 3.2.1

comment:8 by Regina Obe <lr@…>, 2 years ago

In 0b67924/git:

search_path vulnerability during install. References #5069

comment:9 by pramsey, 21 months ago

Close?

comment:10 by robe, 21 months ago

Resolution: fixed
Status: assigned → closed