[postgis-tickets] [PostGIS] #5150: postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION (was: postgis_extension_AddToSearchPath should take input as text instead of varchar)

PostGIS trac at osgeo.org
Sat May 14 23:16:03 PDT 2022 

#5150: postgis_extension_AddToSearchPath should take input as text instead of
varchar, helpers should use CREATE FUNCTION
------------------------------------+---------------------------
  Reporter:  robe                   |      Owner:  robe
      Type:  defect                 |     Status:  assigned
  Priority:  medium                 |  Milestone:  PostGIS 2.5.7
 Component:  build/upgrade/install  |    Version:  master
Resolution:                         |   Keywords:
------------------------------------+---------------------------
Changes (by robe):

 * summary:
     postgis_extension_AddToSearchPath should take input as text instead of
     varchar
     =>
     postgis_extension_AddToSearchPath should take input as text instead of
     varchar, helpers should use CREATE FUNCTION


Old description:

> This is a security change.
>
> It is possible for a user to create a function
> postgis_extension_AddToSearchPath(text) in the same schema as the
>
> postgis_extension_AddToSearchPath(varchar) we defined.
>
> This could allow a rogue user to have their version of function run
> during extension create/updates instead of the one we ship.

New description:

 This is a security change.

 It is possible for a user to create a function
 postgis_extension_AddToSearchPath(text) in the same schema as the

 postgis_extension_AddToSearchPath(varchar) we defined.

 This could allow a rogue user to have their version of function run during
 extension create/updates instead of the one we ship.

 Also as general best practice we should use CREATE FUNCTION instead of
 CREATE OR REPLACE FUNCTION.  We can easily change for the helper functions
 since they are created as part of install and then dropped after.

--
-- 
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5150#comment:1>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.

More information about the postgis-tickets mailing list