On Thu, Nov 29, 2018 at 04:20:24PM +0900, Michael Paquier wrote: > From what I can see in my backlog, this never actually got into the > tree, and it seems to me that fixing those issues is always better than > nothing: > https://www.postgresql.org/message-id/20180309075538.gd9...@paquier.xyz > > Any thoughts? This does not reinvent the wheel..
On Fri, Mar 09, 2018 at 04:55:38PM +0900, Michael Paquier wrote: > Subject: [PATCH] Fix missing schema qualifications in code > > Per CVE-2018-1058, not using proper schema qualifications can allow an > attacker who has an account on the server to execute arbitrary code as a > superuser even if he has no such rights. After monitoring the whole > code of Postgres, I have bumped into four places that need to be > addressed: This patch provides no meaningful increment in security or reliability, but it does improve stylistic consistency. Fine to proceed on those grounds, but this description doesn't fit. > --- a/src/test/modules/worker_spi/worker_spi.c > +++ b/src/test/modules/worker_spi/worker_spi.c > @@ -115,7 +115,9 @@ initialize_worker_spi(worktable *table) > > /* XXX could we use CREATE SCHEMA IF NOT EXISTS? */ > initStringInfo(&buf); > - appendStringInfo(&buf, "select count(*) from pg_namespace where nspname > = '%s'", > + appendStringInfo(&buf, > + "select pg_catalog.count(*) " > + "from pg_catalog.pg_namespace where > nspname = '%s'", > table->schema); Remove this change. The rest of the file doesn't schema-qualify, which is appropriate for code implementing a test case.