Opened 13 months ago
Closed 11 months ago
#5150 closed defect (fixed)
postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION
| Reported by: | robe | Owned by: | robe |
Description
This is a security change.
It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the postgis_extension_AddToSearchPath(varchar) we defined.
This could allow a rogue user to have their version of the function run during extension create/updates instead of the one we ship.
Also, as a general best practice, we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change this for the helper functions since they are created as part of install and then dropped after.
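A catalog check an administrator can run to see whether the condition described in this ticket exists in a database. It is an added example, not part of the ticket or of the PostGIS scripts, and it assumes only the function name given above plus the standard PostgreSQL system catalogs.

```sql
-- Added example (not PostGIS code). Run as a superuser in the database where
-- the extension is installed, before CREATE EXTENSION / ALTER EXTENSION UPDATE.

-- 1. Every overload of the helper, who owns it, and whether it is a member
--    of an extension. Rows worth a closer look: more than one signature in
--    the same schema, an owner that is not a superuser, or a NULL
--    owning_extension on a function nobody on the admin team created.
SELECT n.nspname                   AS schema_name,
       p.oid::regprocedure         AS signature,
       pg_get_userbyid(p.proowner) AS owner,
       r.rolsuper                  AS owner_is_superuser,
       e.extname                   AS owning_extension
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles r     ON r.oid = p.proowner
LEFT JOIN pg_catalog.pg_depend d
       ON d.classid    = 'pg_catalog.pg_proc'::regclass
      AND d.objid      = p.oid
      AND d.refclassid = 'pg_catalog.pg_extension'::regclass
      AND d.deptype    = 'e'              -- 'e' = object is an extension member
LEFT JOIN pg_catalog.pg_extension e ON e.oid = d.refobjid
WHERE p.proname = 'postgis_extension_addtosearchpath'  -- unquoted names are stored lower-cased
ORDER BY n.nspname, p.oid;

-- 2. Non-superuser roles able to create functions in a schema that holds the
--    helper (grants to PUBLIC are included by has_schema_privilege).
--    Returns no rows if the helper does not exist in this database.
SELECT n.nspname AS schema_name,
       r.rolname AS role_with_create
FROM pg_catalog.pg_namespace n
CROSS JOIN pg_catalog.pg_roles r
WHERE NOT r.rolsuper
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
  AND n.oid IN (SELECT pronamespace
                FROM pg_catalog.pg_proc
                WHERE proname = 'postgis_extension_addtosearchpath')
ORDER BY 1, 2;
```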
Change History (5)
comment:1 by , 13 months ago
| Summary: | postgis_extension_AddToSearchPath should take input as text instead of varchar → postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION |
comment:2 by , 13 months ago
comment:3 by , 13 months ago
comment:4 by , 11 months ago
comment:5 by , 11 months ago
| Status: | assigned → closed |