[postgis-tickets] [PostGIS] #5069: Schema qualify pg_catalog functions and tables
PostGIS
trac at osgeo.org
Thu Jan 27 11:44:50 PST 2022
#5069: Schema qualify pg_catalog functions and tables
-----------------------------------+----------------------------
Reporter: robe | Owner: robe
Type: defect | Status: assigned
Priority: medium | Milestone: PostGIS 2.4.10
Component: build/upgrade/install | Version: 2.4.x
Keywords: |
-----------------------------------+----------------------------
To better protect against https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path during PostGIS install and upgrade.

The focus is on CREATE EXTENSION / select postgis_extensions_upgrade() / ALTER EXTENSION.

I think the tables to change are not necessary, although in theory we should, since someone could define such tables in the schema they install postgis into (like a view that calls a function). I will be replacing these as well to prevent a rogue actor forcing some change by replacing key tables/views in pg_catalog.

Sadly I think this changes quite a few files.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5069>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.
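The schema qualification the ticket describes, as an added example that is not from the ticket or from the PostGIS source: a before/after pair written in the style of an extension SQL script, followed by a review query that lists user-schema functions whose names collide with pg_catalog functions. The function name demo_table_owner is an assumed stand-in for an extension function.

```sql
-- Added example (not PostGIS code). demo_table_owner is an assumed name.
-- BEFORE: unqualified pg_catalog references inside an extension function.
-- Unqualified names are resolved through the caller's search_path, so a
-- same-named function in another visible schema whose argument types match
-- the call more closely than the pg_catalog one is the one that gets called
-- (the CVE-2018-1058 pattern).
CREATE OR REPLACE FUNCTION demo_table_owner(rel regclass)
RETURNS name LANGUAGE sql STABLE AS $$
  SELECT pg_get_userbyid(c.relowner)
  FROM pg_class c
  WHERE c.oid = rel;
$$;

-- AFTER: every pg_catalog function, table and type is schema-qualified, and
-- the function pins its own search_path, so name resolution no longer
-- depends on whoever runs CREATE EXTENSION / ALTER EXTENSION.
CREATE OR REPLACE FUNCTION demo_table_owner(rel pg_catalog.regclass)
RETURNS pg_catalog.name LANGUAGE sql STABLE
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT pg_catalog.pg_get_userbyid(c.relowner)
  FROM pg_catalog.pg_class c
  WHERE c.oid = rel;
$$;

-- Review check: functions in non-system schemas whose name matches a
-- pg_catalog function. Each hit is a candidate to shadow an unqualified call
-- in an install/upgrade script and is worth inspecting.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg\_%'
  AND EXISTS (SELECT 1
              FROM pg_catalog.pg_proc s
              JOIN pg_catalog.pg_namespace sn ON sn.oid = s.pronamespace
              WHERE sn.nspname = 'pg_catalog'
                AND s.proname = p.proname)
ORDER BY 1, 2;
```

The review query is the part worth running against an existing database before an upgrade; an empty result means no user-schema function currently shares a name with a pg_catalog function.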