Opened 3 months ago

Closed 4 weeks ago

#5150 closed defect (fixed)

postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION

Reported by: robe Owned by: robe
Priority: medium Milestone: PostGIS 2.5.7
Component: build/upgrade/install Version: master
Keywords: Cc:

Description (last modified by robe)

This is a security change.

It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the postgis_extension_AddToSearchPath(varchar) we defined.

This could allow a rogue user to have their version of function run during extension create/updates instead of the one we ship.

Also, as general best practice, we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change this for the helper functions, since they are created as part of install and then dropped afterwards.
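The shadowing the ticket describes, and the hardened pattern it moves to, shown side by side as an added example (this is not PostGIS code; the schema and function names `demo_schema` and `demo_helper` are hypothetical, and it assumes a scratch PostgreSQL database where you can create a schema):

```sql
-- Added example, not PostGIS code. Assumes a scratch PostgreSQL database;
-- demo_schema / demo_helper are hypothetical names standing in for the
-- extension schema and postgis_extension_AddToSearchPath.

CREATE SCHEMA demo_schema;

-- Weak pattern: CREATE OR REPLACE with a varchar parameter.
CREATE OR REPLACE FUNCTION demo_schema.demo_helper(a_schema varchar)
RETURNS text LANGUAGE sql AS $$ SELECT 'shipped helper: ' || a_schema $$;

-- Anyone with CREATE privilege on the schema can add a text overload
-- beside it; PostgreSQL allows both to coexist.
CREATE FUNCTION demo_schema.demo_helper(a_schema text)
RETURNS text LANGUAGE sql AS $$ SELECT 'rogue helper: ' || a_schema $$;

-- A quoted literal is of type unknown. Function resolution picks the
-- candidate taking the string category's preferred type, which is text,
-- so this call binds to the rogue overload, not the varchar one we shipped.
SELECT demo_schema.demo_helper('public');

-- Hardened pattern:
--  1. Declare the parameter as text, the preferred type, so an unknown
--     literal has no "more preferred" overload to bind to.
--  2. Use CREATE FUNCTION, not CREATE OR REPLACE: if a function with that
--     signature is already present, install/upgrade fails with
--     "function already exists" instead of silently going ahead.
--  3. Drop the helper when the install step finishes, so it does not
--     remain in the schema as a standing target.
DROP FUNCTION demo_schema.demo_helper(varchar);
DROP FUNCTION demo_schema.demo_helper(text);

CREATE FUNCTION demo_schema.demo_helper(a_schema text)
RETURNS text LANGUAGE sql AS $$ SELECT 'shipped helper: ' || a_schema $$;

-- Re-running the same CREATE FUNCTION now raises an error rather than
-- replacing the body (uncomment to observe):
-- CREATE FUNCTION demo_schema.demo_helper(a_schema text)
-- RETURNS text LANGUAGE sql AS $$ SELECT 'unexpected' $$;

-- Exact match on text: the shipped body runs.
SELECT demo_schema.demo_helper('public');

-- Helper is transient: remove it at the end of the install step.
DROP FUNCTION demo_schema.demo_helper(text);
DROP SCHEMA demo_schema;
```

The check worth keeping from this is the failure mode: with CREATE FUNCTION, a pre-planted function of the same signature turns an extension create/update into a visible error, which is the behaviour you want from an install script rather than a quiet overwrite or a quiet coexistence.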

Change History (5)

comment:1 by robe, 3 months ago

Description: modified (diff)
Summary: postgis_extension_AddToSearchPath should take input as text instead of varchar → postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION

comment:2 by Regina Obe <lr@…>, 3 months ago

In c356da3/git:

Change signature of AddToSearchPath, references #5150

comment:3 by Regina Obe <lr@…>, 3 months ago

In b175c26/git:

Numerous fixes to helper functions.
References #5150
References #5125
References #5155 for PostGIS 3.1.6

comment:4 by Regina Obe <lr@…>, 4 weeks ago

In 7e6980e4/git:

References #5150 - Change signature of AddToSearchPath
References #5155, More schema qual fixes
for PostGIS 2.5.7

comment:5 by Regina Obe <lr@…>, 4 weeks ago

Resolution: fixed
Status: assigned → closed

In d5d3dfe/git:

Search path and schema qual changes. Closes #5150 Closes #5155 for PostGIS 3.0.6
