Opened 3 years ago
Closed 2 years ago
#5150 closed defect (fixed)
postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION
Reported by: | robe | Owned by: | robe |
---|---|---|---|
Priority: | medium | Milestone: | PostGIS 2.5.7 |
Component: | build | Version: | master |
Keywords: | Cc: |
Description (last modified by )
This is a security change.
It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the
postgis_extension_AddToSearchPath(varchar) we defined.
This could allow a rogue user to have their version of function run during extension create/updates instead of the one we ship.
Also as general best practice we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change for the helper functions since they are created as part of install and then dropped after.
Change History (5)
comment:1 by , 3 years ago
Description: | modified (diff) |
---|---|
Summary: | postgis_extension_AddToSearchPath should take input as text instead of varchar → postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION |
comment:2 by , 3 years ago
Note:
See TracTickets
for help on using tickets.
In c356da3/git: