From bebe9040388bb2292585eab712fe4d29a71843fb Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Thu, 9 Jan 2025 15:16:56 -0500 Subject: Use @extschema:name@ notation in contrib transform modules. Harden hstore_plperl, hstore_plpython, and ltree_plpython against search-path-based attacks by using @extschema:name@ notation to refer to the underlying hstore or ltree data type. This allows removal of the previous documentation warning suggesting that they must be installed in the same schema as the underlying data type. In passing, also improve a para in extend.sgml to suggest using @extschema:name@ for such purposes. Discussion: https://postgr.es/m/692480.1736021695@sss.pgh.pa.us --- doc/src/sgml/extend.sgml | 14 +++++--------- doc/src/sgml/hstore.sgml | 9 --------- doc/src/sgml/ltree.sgml | 9 --------- 3 files changed, 5 insertions(+), 27 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml index 218940ee5ce..ba492ca27c0 100644 --- a/doc/src/sgml/extend.sgml +++ b/doc/src/sgml/extend.sgml @@ -1348,15 +1348,11 @@ SELECT * FROM pg_extension_update_paths('extension_name - Cross-extension references are extremely difficult to make fully - secure, partially because of uncertainty about which schema the other - extension is in. The hazards are reduced if both extensions are - installed in the same schema, because then a hostile object cannot be - placed ahead of the referenced extension in the installation-time - search_path. However, no mechanism currently exists - to require that. For now, best practice is to not mark an extension - trusted if it depends on another one, unless that other one is always - installed in pg_catalog. + Secure cross-extension references typically require schema-qualification + of the names of the other extension's objects, using the + @extschema:name@ + syntax, in addition to careful matching of argument types for functions + and operators. diff --git a/doc/src/sgml/hstore.sgml b/doc/src/sgml/hstore.sgml index 7d93e49e913..44325e0bba0 100644 --- a/doc/src/sgml/hstore.sgml +++ b/doc/src/sgml/hstore.sgml @@ -946,15 +946,6 @@ ALTER TABLE tablename ALTER hstorecol TYPE hstore USING hstorecol || ''; extension for PL/Python is called hstore_plpython3u. If you use it, hstore values are mapped to Python dictionaries. - - - - It is strongly recommended that the transform extensions be installed in - the same schema as hstore. Otherwise there are - installation-time security hazards if a transform extension's schema - contains objects defined by a hostile user. - - diff --git a/doc/src/sgml/ltree.sgml b/doc/src/sgml/ltree.sgml index 9584105b03b..1c3543303f0 100644 --- a/doc/src/sgml/ltree.sgml +++ b/doc/src/sgml/ltree.sgml @@ -841,15 +841,6 @@ ltreetest=> SELECT ins_label(path,2,'Space') FROM test WHERE path <@ 'Top. creating a function, ltree values are mapped to Python lists. (The reverse is currently not supported, however.) - - - - It is strongly recommended that the transform extension be installed in - the same schema as ltree. Otherwise there are - installation-time security hazards if a transform extension's schema - contains objects defined by a hostile user. - - -- cgit v1.2.3