Message-ID: <937d27e10803311504ib836b4bp814f592325304fd6@mail.gmail.com>
Date: Mon, 31 Mar 2008 23:04:25 +0100
From: "Dave Page"
To: "Tom Lane"
Subject: Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
Cc: "Lars Olson", pgsql-bugs@postgresql.org
In-Reply-To: <24862.1207000008@sss.pgh.pa.us>
References: <200803312055.m2VKtmdb090699@wwwmaster.postgresql.org> <24862.1207000008@sss.pgh.pa.us>

On Mon, Mar 31, 2008 at 10:46 PM, Tom Lane wrote:

> If this were a security issue, you already spilled the beans by
> reporting it to a public mailing list; so I'm unsure what you are
> concerned about.

I'd wager that Lars didn't realise the bug form goes straight to the
list. We should probably make that more clear. On the other hand it
does say to report security issues to security@...

-- 
Dave Page
EnterpriseDB UK Ltd: http://www.enterprisedb.com
PostgreSQL UK 2008 Conference: http://www.postgresql.org.uk