From: Alvaro Herrera
To: Dave Page
Cc: Tom Lane, Lars Olson, pgsql-bugs@postgresql.org
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Date: Mon, 31 Mar 2008 18:22:47 -0400
Message-ID: <20080331222247.GI24048@alvh.no-ip.org>
References: <200803312055.m2VKtmdb090699@wwwmaster.postgresql.org> <24862.1207000008@sss.pgh.pa.us> <937d27e10803311504ib836b4bp814f592325304fd6@mail.gmail.com>
In-Reply-To: <937d27e10803311504ib836b4bp814f592325304fd6@mail.gmail.com>

Dave Page wrote:
> On Mon, Mar 31, 2008 at 10:46 PM, Tom Lane wrote:
> > If this were a security issue, you already spilled the beans by
> > reporting it to a public mailing list; so I'm unsure what you are
> > concerned about.
>
> I'd wager that Lars didn't realise the bug form goes straight to the
> list. We should probably make that more clear.
>
> On the other hand it does say to report security issues to security@...

Let's have a checkbox "I am reporting a security issue" and send the mail to security@ if checked.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.