Hi John,

On Tue, Jun 18, 2024 at 2:35 AM John H <johnh...@gmail.com> wrote:
>
> Hi Ashutosh,
>
> Thinking about this more, could you clarify the problem/issue at hand?
> I think it's still not clear to me.
> Yes, CREATE EXTENSION can create functions that lead to unexpected
> privilege escalation, regardless
> if they are SECURITY DEFINER or SECURITY INVOKER (if the function is
> inadvertently executed by superuser).
> But that's also true for a general CREATE FUNCTION call outside of extensions.
>

This specifically applies to extension functions, not standalone functions created independently. The difference is that installing extensions typically requires superuser privileges, which is not the case with standalone functions.

--
With Regards,
Ashutosh Sharma.