public inbox for [email protected]  
help / color / mirror / Atom feed
From: Noah Misch <[email protected]>
To: David G. Johnston <[email protected]>
Cc: Gurjeet Singh <[email protected]>
Cc: Jeff Davis <[email protected]>
Cc: [email protected]
Cc: Nathan Bossart <[email protected]>
Cc: Robert Haas <[email protected]>
Cc: Greg Stark <[email protected]>
Cc: Tom Lane <[email protected]>
Subject: Re: Fix search_path for all maintenance commands
Date: Sat, 15 Jul 2023 14:13:33 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAKFQuwZmswfTKtx6oUY0N7UB62cO_nABMgQgdcvrD8r4qjvUJg@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<CABwTF4XWKqx06UxApH8pnBdp_w2iL6VEbGKxDyjCW7-FNhLCBQ@mail.gmail.com>
	<CAKFQuwbcUv9QmrfQKRRi1aq4E68xHD9N05_VZ2TLbMpxMV9Opg@mail.gmail.com>
	<CABwTF4W5mZ+5fJEEh2vp7trGzwn-gnG6o13hAALmLjHdpeUn2g@mail.gmail.com>
	<CAKFQuwZmswfTKtx6oUY0N7UB62cO_nABMgQgdcvrD8r4qjvUJg@mail.gmail.com>

On Thu, Jul 13, 2023 at 02:07:27PM -0700, David G. Johnston wrote:
> On Thu, Jul 13, 2023 at 2:00 PM Gurjeet Singh <[email protected]> wrote:
> > On Thu, Jul 13, 2023 at 1:37 PM David G. Johnston <[email protected]> wrote:
> > >  I'm against simply breaking the past without any recourse as what we
> > did for pg_dump/pg_restore still bothers me.
> >
> > I'm sure this is tangential, but can you please provide some
> > context/links to the change you're referring to here.
>
> Here is the instigating issue and a discussion thread on the aftermath:
> https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path
> https://www.postgresql.org/message-id/flat/13033.1531517020%40sss.pgh.pa.us#2aa2e25816d899d62f168926...

I don't blame you for feeling bothered about it.  A benefit of having done it
is that we gained insight into the level of pain it caused.  If it had been
sufficiently painful, someone would have quickly added an escape hatch.  Five
years later, nobody has added one.

The 2018 security fixes instigated many function repairs that $SUBJECT would
otherwise instigate.  That wasn't too painful.  The net new pain of $SUBJECT
will be less, since the 2018 security fixes prepared the path.  Hence, I
remain +1 for the latest Davis proposal.






view thread (11+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Fix search_path for all maintenance commands
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox