I didn't realize this was a public mailing list, I posted this report at
http://www.postgresql.org/support/submitbug and thought that it would
only be reported internally.
I agree with your analysis, although Carol may or may not be aware that
she is executing any functions at all. But in any
Dave Page wrote:
> On Mon, Mar 31, 2008 at 10:46 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
> > If this were a security issue, you already spilled the beans by
> > reporting it to a public mailing list; so I'm unsure what you are
> > concerned about.
>
> I'd wager that Lars didn't realise the bug
On Mon, Mar 31, 2008 at 10:46 PM, Tom Lane <[EMAIL PROTECTED]> wrote:
> If this were a security issue, you already spilled the beans by
> reporting it to a public mailing list; so I'm unsure what you are
> concerned about.
I'd wager that Lars didn't realise the bug form goes straight to the
lis
"Lars Olson" <[EMAIL PROTECTED]> writes:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table.
This example proves nothing except that you shouldn'
Lars Olson wrote:
Creating a view that depends on the value of SESSION_USER enables a
minimally-privileged user to write a user-defined function that contains a
trojan-horse to get arbitrary data from the base table. Using CURRENT_USER
instead still enables a similar vulnerability.
To reproduce
The following bug has been logged online:
Bug reference: 4074
Logged by: Lars Olson
Email address: [EMAIL PROTECTED]
PostgreSQL version: 8.3.1
Operating system: Windows XP
Description: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Details:
Creatin