[postgis-tickets] [PostGIS] #5165: CREATE EXTENSION scripts should use CREATE instead of CREATE OR REPLACE
PostGIS
trac at osgeo.org
Wed Jun 8 11:38:20 PDT 2022
#5165: CREATE EXTENSION scripts should use CREATE instead of CREATE OR REPLACE
------------------------------------+---------------------------
Reporter: robe | Owner: strk
Type: defect | Status: new
Priority: medium | Milestone: PostGIS 3.3.0
Component: build/upgrade/install | Version: master
Resolution: | Keywords:
------------------------------------+---------------------------
Comment (by strk):
> our function would now make a function they own be part of postgis
Wouldn't it be much simpler to just FORCE ownership of functions, in the
upgrade script?
We would check the ownership of a function which is known to have been in
postgis forever (postgis_version?) and set ownership of all functions,
after the CREATE OR REPLACE, to that user.
Would this block the kind of attack you describe?
The enforcement of all functions of the extension could also be done in a
single final statement, as we can easily get the list of all functions in
our extension, and could set ownership of those functions to match ownership
of the extension itself.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5165#comment:3>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.
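
The ownership enforcement proposed in the comment above, sketched as an added example; it is not code from the PostGIS upgrade scripts. It assumes the extension is named `postgis` and PostgreSQL 11 or later (for `ALTER ROUTINE`), and it only aligns ownership; whether that is sufficient against the attack discussed in the ticket is the open question of the thread.

```sql
-- Added example: final step of an upgrade script that forces every routine
-- belonging to the extension to be owned by the extension's owner.
-- Assumptions: extension name 'postgis'; PostgreSQL 11+ (ALTER ROUTINE
-- covers plain functions, procedures and aggregates).
DO $$
DECLARE
    ext_owner name;
    r         record;
BEGIN
    -- Owner of the extension itself; STRICT fails loudly if it is missing.
    SELECT pg_get_userbyid(e.extowner)
      INTO STRICT ext_owner
      FROM pg_extension e
     WHERE e.extname = 'postgis';

    -- Extension members are recorded in pg_depend with deptype 'e'.
    FOR r IN
        SELECT p.oid::regprocedure         AS routine,
               pg_get_userbyid(p.proowner) AS current_owner
          FROM pg_depend d
          JOIN pg_extension e ON e.oid = d.refobjid
          JOIN pg_proc p      ON p.oid = d.objid
         WHERE d.classid    = 'pg_proc'::regclass
           AND d.refclassid = 'pg_extension'::regclass
           AND d.deptype    = 'e'
           AND e.extname    = 'postgis'
           AND p.proowner  <> e.extowner
    LOOP
        -- A mismatch is worth logging: it means a routine owned by another
        -- role is registered as a member of the extension.
        RAISE NOTICE 'routine % is owned by %, reassigning to %',
                     r.routine, r.current_owner, ext_owner;
        EXECUTE format('ALTER ROUTINE %s OWNER TO %I', r.routine, ext_owner);
    END LOOP;
END
$$;
```

Running only the `SELECT` inside the loop gives a read-only audit of member routines whose owner differs from the extension owner.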