On 07/13/2018 05:23 PM, Tom Lane wrote:
"David G. Johnston" <david.g.johns...@gmail.com> writes:
I think serious consideration needs to be given to ways to allow the user
of pg_dump/pg_restore to choose the prior, less secure, mode of operation​.
IMO the risk surface presented to support back-patching the behavioral
changes was not severe enough to do so in the first place. I'm presuming
undoing the back-patch will be shot down without mercy but at least
consider an escape hatch for unafflicted secure systems that just happen to
depend on search_path more than a super-hardened system would.
FWIW, in the security team's discussions of CVE-2018-1058, I argued
strenuously in favor of providing a way to run pg_dump/pg_restore with
the system's default search_path as before. I lost the argument;
but maybe the need for features like this shows that we are not really
ready to insist on unconditional security there.
I don't remember that, TBH.
Certainly this problem seems nasty enough that we should possibly
revisit the issue.
cheers
andrew
--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services