[postgis-tickets] [PostGIS] #5150: postgis_extension_AddToSearchPath should take input as text instead of varchar
PostGIS
trac at osgeo.org
Sat May 14 23:12:22 PDT 2022
#5150: postgis_extension_AddToSearchPath should take input as text instead of
varchar
-----------------------------------+---------------------------
 Reporter:  robe                   |      Owner:  robe
     Type:  defect                 |     Status:  assigned
 Priority:  medium                 |  Milestone:  PostGIS 2.5.7
Component:  build/upgrade/install  |    Version:  master
 Keywords:                         |
-----------------------------------+---------------------------
This is a security change.
It is possible for a user to create a function
postgis_extension_AddToSearchPath(text) in the same schema as the
postgis_extension_AddToSearchPath(varchar) we defined.
This could allow a rogue user to have their version of the function run during
extension create/updates instead of the one we ship.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5150>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.
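
An audit for the condition the ticket describes, as an added example that is not part of the ticket or of PostGIS's own scripts: it lists function names in one schema whose overloads are owned by more than one role or mix extension-shipped and non-extension definitions, then lists the roles able to create functions there. The schema name `public` is an assumption; substitute the schema the extension is installed in.

```sql
-- Added example (not PostGIS project code).
-- Assumption: the extension's functions live in schema 'public'.

-- 1. Overloaded function names with mixed ownership or mixed extension
--    membership. A same-named function with a different argument type,
--    owned by an unexpected role, is the situation the ticket warns about.
WITH f AS (
    SELECT n.nspname                                  AS schema_name,
           p.proname                                  AS function_name,
           pg_get_function_identity_arguments(p.oid)  AS args,
           pg_get_userbyid(p.proowner)                AS owner,
           EXISTS (
               SELECT 1
               FROM pg_depend d
               WHERE d.classid    = 'pg_proc'::regclass
                 AND d.objid      = p.oid
                 AND d.refclassid = 'pg_extension'::regclass
                 AND d.deptype    = 'e'      -- 'e' = member of an extension
           )                                          AS extension_member
    FROM pg_proc p
    JOIN pg_namespace n ON n.oid = p.pronamespace
    WHERE n.nspname = 'public'
)
SELECT schema_name, function_name, args, owner, extension_member
FROM f
WHERE function_name IN (
    SELECT function_name
    FROM f
    GROUP BY function_name
    HAVING count(DISTINCT owner) > 1
        OR (bool_or(extension_member) AND NOT bool_and(extension_member))
)
ORDER BY function_name, args;

-- 2. Roles that hold CREATE on the schema, i.e. roles able to add an
--    overload next to the shipped function (superusers always qualify).
SELECT r.rolname
FROM pg_roles r
WHERE has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER BY r.rolname;
```

Rows from the first query are candidates for review, not proof of tampering; legitimate overloads created by different administrators also appear.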