Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wi49Q-000Yv8-1z for pgsql-bugs@arkaria.postgresql.org; Fri, 10 Jul 2026 05:51:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wi49N-00G8ju-2g for pgsql-bugs@arkaria.postgresql.org; Fri, 10 Jul 2026 05:51:50 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wi49N-00G8jl-1s for pgsql-bugs@lists.postgresql.org; Fri, 10 Jul 2026 05:51:50 +0000 Received: from mail-ot1-x32a.google.com ([2607:f8b0:4864:20::32a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wi49M-00000000Qfb-1GKj for pgsql-bugs@lists.postgresql.org; Fri, 10 Jul 2026 05:51:49 +0000 Received: by mail-ot1-x32a.google.com with SMTP id 46e09a7af769-7ea9c6ea7deso513917a34.3 for ; Thu, 09 Jul 2026 22:51:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1783662708; cv=none; d=google.com; s=arc-20260327; b=gFJRXyBGT+E8bzC4FwwyORHJ6RHqEoouelhWipCK+45hXY1C0VJJUqsS4xmUVRrkL1 8g7lMsbxvJ8zALzB2BXxMELc1BEOQbKest+kvmpT09DQm2Z0HoquqInozH8fB/lNcX1R e5an1CFL/wFXGu7jf+dwbqWfdn+h37Tsmd0iUs2MfKGqoHI3Y1ltS2Jdsp4BBBdjceiX Q4Ou8EpSXhTjTCMiDXkY4vx+q/rPmsr3JCFD5tm8X74Rz5x7JgihFMG6Fzr63YmkD5y3 o+iNCXKXH7XRVChEL8d4HYkxMo/dMUh7epXE8sgD/Xj4ifE7yJLOLF25mAAjIAC/Sooy qa8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=s1HqwFK8vbp2pnpq3H2wZRRTXWhRmp+GM6nuB4RKveE=; fh=UhbJQo+dIk7pZZCcvFcLRyjHzg9WobWFxRJcqNdBc14=; b=ZRAEsU2fzsY816DPFFUR1HFI0ZTLB9vv6BV0rhZdYmQW1YebmnOP0OakNfL3plRq5+ juqT1npEbpR6MPKO1ssIRqbPkFxPTME8F4TlFu75gIlzu9M1cxG98yRBWd0gccBhEniM XG0HrOr+FduI099ytcBDwrJ3Zdj1ItdqSM7pzcG/eJxMIgeMQVMji7drEakFKFrpUhPV +1wxnVpuCtP5aycuVDlAo7DZcF9xtWeDoaEK/noBnBKJ0vR+R4u1ByvvwWR85yplbas2 a8mb5Vv7z5rQgQydyQVBnnlWw+L0iLyfQRQhhu/f8J55mfpol463q7zYj47BJw/1P0wG y9Vg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783662708; x=1784267508; darn=lists.postgresql.org; h=content-transfer-encoding:content-type:cc:to:subject:message-id :date:from:in-reply-to:references:mime-version:from:to:cc:subject :date:message-id:reply-to:content-type; bh=s1HqwFK8vbp2pnpq3H2wZRRTXWhRmp+GM6nuB4RKveE=; b=QqJu07BS8npBpc7l9gP5Hp0A7wVIf1+FzExgbq60oOuIQAVLunNEkPj2VtFMwSnZmc mf3MIHeTPwmcbodAfVclmprWVYw4jLgDrgfM8jCOcSEOKMjb34UK8MqqemMuC4Ykhgid iKnAJpU2/9vdThwuXEorx9wXLRXd1h+A9PS4LvSpcoRAJEB+efJikj24dtXdjWn3wPmH jtgWDa+kRgmJeblvLYgeUsh7jJoDg9/emLW8y5CwLXCCrvhTQWrSuO4h7m1cznIztwcf 7jDwSBck6weE6Ssae0U4Tc24B0HrgH7hBJy8OoU+/vo/1r1jUZXynsPATVdAzU5X8ym8 L95A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783662708; x=1784267508; h=content-transfer-encoding:content-type:cc:to:subject:message-id :date:from:in-reply-to:references:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=s1HqwFK8vbp2pnpq3H2wZRRTXWhRmp+GM6nuB4RKveE=; b=b6iWJ+MjImJzrFI8WrGXVaNDt4fIqY1poprg4r7datYL1xuMqABgnvxerbuUtxkxVj +LA6zUSq/CL12/hPdnUWJzT1ifjU+gZS2VyB/4zE272VWgRxMrnxYZzalz4RHQMuZi3B bVXwbMJdZrqnq0q/iz0sfruaMWeqFT20B/LyvYZvEpleQkEfBJwm5+I6ubZMR0i6G9Jl XBUMLod6195QT60obn4kDArIXAtjlIb+oaoEH7U/1aymQOEga/fsvRIvMRzTVtI5SW1g gQ0C4ekHXm6ilOeBZjbAMVGe3NlQ8XLh34AgROKMZv8O2MogPDAr6wkL4z3eVtLdkgbg ykOA== X-Gm-Message-State: AOJu0YztlCIhbhDZRiJ/vHVSEH9dtbg+3U7lUbBdfM9Eomkk7RH4cPbv kwXNPGhu4dFtMFomjyA48vuezkkdVqtRefX4OUeli7DQxX47I1hLk2OmfQsG1oOU7Bs6drvP10a tv70ujl5BbQsFbD7uAU4Pm6ncVy7kuiPuHwCE634= X-Gm-Gg: AfdE7cm5R5TboUd406J3WR+x390acRkhoxjVKEABKsAiaShdMMmb4O8y6oDUXi8coEp 667lrWR1KDSTpPNFjIN9Ry8BkZzWg34RMJAtXV3nmKtA2lpJRcvz7RqaNMTzbzjKJxaLyXEILPH EhDrQlEoehTKKKzLX0NOXMjbI1izchV99G1RDOMulm1M1dlf6hZF1ETeUI+ryo7hTGxJo5wE4Wx ktl7xIkdUupnhA4AbEDgMjVYF2U7GwhyD2K46X+JyQvAEU5khHHXGzBmVPxwgBRCD9S/RWh X-Received: by 2002:a05:6830:440c:b0:7e6:d0ad:5254 with SMTP id 46e09a7af769-7ebcfe7b5eemr7468091a34.8.1783662707908; Thu, 09 Jul 2026 22:51:47 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Vismay Tiwari Date: Fri, 10 Jul 2026 11:21:36 +0530 X-Gm-Features: AVVi8CdTVIMPxO3nIpGgke8XiSitbVMnAoPlPfsjAb64K3dQSzYqb3dTSW8WP2M Message-ID: Subject: Re: BUG #19523: psql tab-completion shadows pg_db_role_setting To: Kirill Reshke Cc: PostgreSQL mailing lists Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi Kirill, Thanks, and sorry for the two threads =E2=80=94 the second was an accidenta= l resend that didn't thread properly on my end , so let's keep it here. You're right that it's not a vulnerability, and the "attacker" framing was overblown =E2=80=94 the docs are clear that removing publicly-writable schemas from search_path is the real safeguard. The intent is just consistency and robustness: the same query already qualifies unnest()/split_part() with pg_catalog, and the analogous subscription-variable completion query qualifies its catalogs, so this only brings pg_db_role_setting/pg_database in line. As a side benefit it avoids a surprising tab-completion result for anyone who happens to have a same-named table earlier in search_path, misconfigured or not. Thanks for the +1. Regards, Vismay On Fri, Jul 10, 2026 at 10:19=E2=80=AFAM Kirill Reshke wrote: > > > Hi! You seem to create two threads on the issue, so I don't quite underst= and where to respond. anyway: > > On Thu, 9 Jul 2026, 15:14 Vismay Tiwari, wrote: >> >> Hi, >> >> Reproduced on current master. The tab-completion query for >> "ALTER DATABASE ... RESET" (Query_for_list_of_database_vars) references >> pg_db_role_setting and pg_database without a pg_catalog qualification, s= o a >> same-named table earlier in search_path shadows the catalog: >> >> CREATE SCHEMA attacker; >> CREATE TABLE attacker.pg_db_role_setting (setdatabase oid, setrole >> oid, setconfig text[]); >> INSERT INTO attacker.pg_db_role_setting >> SELECT oid, 0, ARRAY['evil_var=3Dx'] FROM pg_database WHERE >> datname =3D 'postgres'; >> SET search_path =3D attacker, pg_catalog; >> -- "ALTER DATABASE postgres RESET " then offers evil_var >> > > Preventing this makes sense in case somebody accidentally misconfigured t= heir server. Which is not very probable for a table with `pg_db_role_settin= g` name. > Also note that this is not a vulnerability: from https://www.postgresql.o= rg/docs/current/app-psql.html says: > > If untrusted users have access to a database that has not adopted a sec= ure > schema usage pattern, begin your session by removing publicly-writable > schemas from search_path. > > Anyway +1 on fixing > >