On Wed, Apr 14, 2021 at 02:03:56PM -0400, Tom Lane wrote: > Robert Haas <robertmh...@gmail.com> writes: > > On Wed, Apr 14, 2021 at 1:41 PM Tom Lane <t...@sss.pgh.pa.us> wrote: > >> Could we hack things so that extension scripts are only allowed to > >> reference objects created (a) by the system, (b) earlier in the > >> same script, or (c) owned by one of the declared prerequisite > >> extensions? Seems like that might provide a pretty bulletproof > >> defense against trojan-horse objects, though I'm not sure how much > >> of a pain it'd be to implement.
Good idea. > > That doesn't seem like a crazy idea, but the previous idea of having > > some magic syntax that means "the schema where extension FOO is" seems > > like it might be easier to implement and more generally useful. > > I think that's definitely useful, but it's not a fix for the > reference-capture problem unless you care to assume that the other > extension's schema is free of trojan-horse objects. I could see using that, perhaps in a non-SQL-language function. I agree it solves different problems.
