Received: from localhost (unknown [200.46.204.183])
	by developer.postgresql.org (Postfix) with ESMTP id 036D92E2D3B
	for <pgsql-bugs-postgresql.org@developer.postgresql.org>;
	Mon, 31 Mar 2008 18:46:55 -0300 (ADT)
Received: from developer.postgresql.org ([200.46.204.71])
	by localhost (mx1.hub.org [200.46.204.183]) (amavisd-maia, port 10024)
	with ESMTP id 61990-08
	for <pgsql-bugs-postgresql.org@developer.postgresql.org>;
	Mon, 31 Mar 2008 18:46:54 -0300 (ADT)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.5
Received: from sss.pgh.pa.us (sss.pgh.pa.us [66.207.139.130])
	by developer.postgresql.org (Postfix) with ESMTP id BE9FF2E2D3A
	for <pgsql-bugs@postgresql.org>; Mon, 31 Mar 2008 18:46:49 -0300 (ADT)
Received: from sss2.sss.pgh.pa.us (tgl@localhost [127.0.0.1])
	by sss.pgh.pa.us (8.14.2/8.14.2) with ESMTP id m2VLkmOQ024863;
	Mon, 31 Mar 2008 17:46:48 -0400 (EDT)
To: "Lars Olson" <leolson1@uiuc.edu>
cc: pgsql-bugs@postgresql.org
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view
	definition is unsafe
In-reply-to: <200803312055.m2VKtmdb090699@wwwmaster.postgresql.org> 
References: <200803312055.m2VKtmdb090699@wwwmaster.postgresql.org>
Comments: In-reply-to "Lars Olson" <leolson1@uiuc.edu>
	message dated "Mon, 31 Mar 2008 20:55:48 +0000"
Date: Mon, 31 Mar 2008 17:46:48 -0400
Message-ID: <24862.1207000008@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
X-Archive-Number: 200803/361
X-Sequence-Number: 20209

"Lars Olson" <leolson1@uiuc.edu> writes:
> Creating a view that depends on the value of SESSION_USER enables a
> minimally-privileged user to write a user-defined function that contains a
> trojan-horse to get arbitrary data from the base table.

This example proves nothing except that you shouldn't execute untrusted
code --- Carol gave up her data by willingly executing Bob's function.
I don't think that the use of SESSION_USER is particularly to blame.
There are certainly any number of other ways Bob could have abused
her trust here.

> This is highly related to a paper I am preparing for a security conference
> that I am submitting in two weeks.  Sorry about the short notice, I only
> just thought of this problem yesterday.  I would like to use this as an
> example in my paper, but I will not do so without PostgreSQL's permission. 
> Please advise.

If this were a security issue, you already spilled the beans by
reporting it to a public mailing list; so I'm unsure what you are
concerned about.

			regards, tom lane