Re: BUG #4074: Using SESSION_USER or CURRENT_USER in a view definition is unsafe
I didn't realize this was a public mailing list, I posted this report at
http://www.postgresql.org/support/submitbug and thought that it would
only be reported internally.
I agree with your analysis, although Carol may or may not be aware that
she is executing any functions at all. But in any case, Heikki
Linnakangas' observation that you shouldn't even access untrusted views
clearly applies here. Thank you both for your prompt replies.
Tom Lane wrote:
> "Lars Olson" <leolson1@uiuc.edu> writes:
> > Creating a view that depends on the value of SESSION_USER enables a
> > minimally-privileged user to write a user-defined function that contains a
> > trojan-horse to get arbitrary data from the base table.
>
> This example proves nothing except that you shouldn't execute untrusted
> code --- Carol gave up her data by willingly executing Bob's function.
> I don't think that the use of SESSION_USER is particularly to blame.
> There are certainly any number of other ways Bob could have abused
> her trust here.
>
> > This is highly related to a paper I am preparing for a security conference
> > that I am submitting in two weeks. Sorry about the short notice, I only
> > just thought of this problem yesterday. I would like to use this as an
> > example in my paper, but I will not do so without PostgreSQL's permission.
> > Please advise.
>
> If this were a security issue, you already spilled the beans by
> reporting it to a public mailing list; so I'm unsure what you are
> concerned about.
>
> regards, tom lane