On 3/9/18 2:55 AM, Michael Paquier wrote: > > In light of CVE-2018-1058, user's applications need to be careful about > the use of schema-unqualified queries. A lookup at the upstream code is > showing four areas which are missing such handling: > - psql has one problem in get_create_object_cmd which misses twice to > qualify array_remove(). > - isolationtester is missing one for a call to pg_backend_pid() > - information_schema.sql has one problem as well: the function > _pg_interval_type does not qualify upper(). Please note that there is > no need to care about view's bodies because those use OID references, so > only the function body need to be taken care of. > - worker_spi scans pg_namespace and uses count() without schema > qualification. > > Attached is a patch which fixes all four of them, and which should be > back-patched. For information_schema.sql, users can always replace the > body of the function by redefining them (using SET search_path in CREATE > FUNCTION would work as well however this is more costly than a simple > qualification).
These look sane to me. Did you check the back branches for anything that might not exist in HEAD? Regards, -- -David da...@pgmasters.net
