postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION
|Reported by:||robe||Owned by:||robe|
Description (last modified by )
This is a security change.
It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the
postgis_extension_AddToSearchPath(varchar) we defined.
This could allow a rogue user to have their version of function run during extension create/updates instead of the one we ship.
Also as general best practice we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change for the helper functions since they are created as part of install and then dropped after.
Change History (5)
comment:1 by , 19 months ago
|Summary:||postgis_extension_AddToSearchPath should take input as text instead of varchar → postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION|