On 2025-02-24 Mo 11:04 AM, Peter Eisentraut wrote:
On 21.02.25 17:38, Andrew Dunstan wrote:
I don't think this is such a terrible kluge. I think it's different
from the server log case, which after all requires access to the
server file system to exploit.
To me, the mechanism by which this patch works is completely
nonobvious and coincidental, and it might get broken by unrelated
changes.
I think a possible, more robust approach would be to put a field, say,
security_sensitive into DefElem (or maybe a higher node, maybe even
Query), and drive decisions from that.
That's a fair comment, but I don't see any point in Matheus or anyone
else working on it if we're going to reject it anyway. Probably nothing
we could do is going to be completely leakproof (see Sami's case
upthread abut DO blocks). If that means we avoid all attempts do lessen
the danger here then I guess we are done.
cheers
andrew
--
Andrew Dunstan
EDB: https://www.enterprisedb.com
