Opened 3 years ago

Closed 2 years ago

#5150 closed defect (fixed)

postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION

Reported by: robe Owned by: robe
Priority: medium Milestone: PostGIS 2.5.7
Component: build Version: master
Keywords: Cc:

Description (last modified by robe)

This is a security change.

It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the postgis_extension_AddToSearchPath(varchar) we defined.

This could allow a rogue user to have their version of function run during extension create/updates instead of the one we ship.

Also, as a general best practice, we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change this for the helper functions, since they are created as part of install and then dropped after.
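The overload resolution the ticket relies on can be checked in a scratch schema on any PostgreSQL server. The following is an added example for this page, not PostGIS code; the schema name `scratch` and the function name `demo_helper` are assumptions standing in for the real helper.

```sql
-- Added example, not PostGIS code. Run as a role that can create schemas.
CREATE SCHEMA scratch;
SET search_path = scratch, pg_catalog;

-- The helper as the ticket describes it before the fix: a varchar parameter.
CREATE OR REPLACE FUNCTION scratch.demo_helper(a_schema varchar)
RETURNS text LANGUAGE sql AS $$ SELECT 'shipped varchar version: ' || a_schema $$;

-- A second function with the same name in the same schema, taking text instead.
CREATE FUNCTION scratch.demo_helper(a_schema text)
RETURNS text LANGUAGE sql AS $$ SELECT 'text version: ' || a_schema $$;

-- A string literal has type "unknown"; among string-category candidates PostgreSQL
-- keeps the one that accepts the category's preferred type, which is text.
-- So this call runs the text overload and never touches the varchar one.
SELECT scratch.demo_helper('postgis');

-- Only an argument that is already varchar gives the varchar overload an exact match.
SELECT scratch.demo_helper('postgis'::varchar);

-- Fix, part 1: ship the helper with a text signature, so an extension script that
-- passes a literal resolves to the shipped function.
DROP FUNCTION scratch.demo_helper(varchar);
DROP FUNCTION scratch.demo_helper(text);
CREATE FUNCTION scratch.demo_helper(a_schema text)
RETURNS text LANGUAGE sql AS $$ SELECT 'shipped text version: ' || a_schema $$;

-- Fix, part 2: CREATE FUNCTION without OR REPLACE. Running the same statement again
-- against a schema that already holds demo_helper(text) is an error, so a
-- pre-existing object with that signature aborts the install instead of being
-- silently adopted or replaced.
CREATE FUNCTION scratch.demo_helper(a_schema text)
RETURNS text LANGUAGE sql AS $$ SELECT 'shipped text version: ' || a_schema $$;

DROP SCHEMA scratch CASCADE;
```

With both overloads present, the first SELECT returns the text version's string and only the explicit `::varchar` cast reaches the varchar version. The final CREATE FUNCTION fails with "function already exists with same argument types", which is the behaviour the ticket wants from the helpers: a conflicting object makes the install stop rather than continue.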

Change History (5)

comment:1 by robe, 3 years ago

Description: modified (diff)
Summary: changed from "postgis_extension_AddToSearchPath should take input as text instead of varchar" to "postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION"

comment:2 by Regina Obe <lr@…>, 3 years ago

In c356da3/git:

Change signature of AddToSearchPath, references #5150

comment:3 by Regina Obe <lr@…>, 3 years ago

In b175c26/git:

Numerous fixes to helper functions.
References #5150
References #5125
References #5155 for PostGIS 3.1.6

comment:4 by Regina Obe <lr@…>, 2 years ago

In 7e6980e4/git:

References #5150 - Change signature of AddToSearchPath
References #5155, More schema qual fixes
for PostGIS 2.5.7

comment:5 by Regina Obe <lr@…>, 2 years ago

Resolution: fixed
Status: assigned → closed

In d5d3dfe/git:

Search path and schema qual changes. Closes #5150 Closes #5155 for PostGIS 3.0.6
