On Wed, 10 Jul 2019 at 16:22, Robert Haas <robertmh...@gmail.com> wrote:
> On Wed, Jul 10, 2019 at 9:59 AM Dave Cramer <p...@fastcrypt.com> wrote: > > I'm still a bit conflicted about what to do with search_path as I do > believe this is potentially a security issue. > > It may be that we always want to report that and possibly back patch it. > > I don't see that as a feasible option unless we make the logic that > does the reporting smarter. If it changes transiently inside of a > security-definer function, and then changes back, my recollection is > that right now we would report both changes. I think that could cause > a serious efficiency problem if you are calling such a function in a > loop. > Not being intimately familiar with the backend the implications of above just struck home. So if I understand this correctly if user bob has altered his search path and there is a security-definer function called owned by him then the search path will be changed for the duration of the function and reported for every iteration? The implications of this are "interesting" to say the least. Dave Cramer da...@postgresintl.com www.postgresintl.com > >
