projects / users / c2main / postgres.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ebd8fc7)
Use @extschema:name@ notation in contrib transform modules.
authorTom Lane <[email protected]>
Thu, 9 Jan 2025 20:16:56 +0000 (15:16 -0500)
committerTom Lane <[email protected]>
Thu, 9 Jan 2025 20:16:56 +0000 (15:16 -0500)
Harden hstore_plperl, hstore_plpython, and ltree_plpython
against search-path-based attacks by using @extschema:name@
notation to refer to the underlying hstore or ltree data type.

This allows removal of the previous documentation warning
suggesting that they must be installed in the same schema as
the underlying data type.  In passing, also improve a para in
extend.sgml to suggest using @extschema:name@ for such purposes.

Discussion: https://postgr.es/m/692480.1736021695@sss.pgh.pa.us

contrib/hstore_plperl/hstore_plperl--1.0.sql patch | blob | blame | history
contrib/hstore_plperl/hstore_plperlu--1.0.sql patch | blob | blame | history
contrib/hstore_plpython/hstore_plpython3u--1.0.sql patch | blob | blame | history
contrib/ltree_plpython/ltree_plpython3u--1.0.sql patch | blob | blame | history
doc/src/sgml/extend.sgml patch | blob | blame | history
doc/src/sgml/hstore.sgml patch | blob | blame | history
doc/src/sgml/ltree.sgml patch | blob | blame | history

diff --git a/contrib/hstore_plperl/hstore_plperl--1.0.sql b/contrib/hstore_plperl/hstore_plperl--1.0.sql
index af743c873350856f60d33e9e663f16b6581f9e13..2837f3719f088f78234e3ef8c6d7883adee6d229 100644 (file)
--- a/contrib/hstore_plperl/hstore_plperl--1.0.sql
+++ b/contrib/hstore_plperl/hstore_plperl--1.0.sql
@@ -7,11 +7,11 @@ CREATE FUNCTION hstore_to_plperl(val internal) RETURNS internal
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME';
 
-CREATE FUNCTION plperl_to_hstore(val internal) RETURNS hstore
+CREATE FUNCTION plperl_to_hstore(val internal) RETURNS @extschema:hstore@.hstore
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME';
 
-CREATE TRANSFORM FOR hstore LANGUAGE plperl (
+CREATE TRANSFORM FOR @extschema:hstore@.hstore LANGUAGE plperl (
     FROM SQL WITH FUNCTION hstore_to_plperl(internal),
     TO SQL WITH FUNCTION plperl_to_hstore(internal)
 );
diff --git a/contrib/hstore_plperl/hstore_plperlu--1.0.sql b/contrib/hstore_plperl/hstore_plperlu--1.0.sql
index 7c3bc86eba965175776ef654f7555e68e89209ff..7f3119a7b2e912a2c4d096ec340318c80cd6e709 100644 (file)
--- a/contrib/hstore_plperl/hstore_plperlu--1.0.sql
+++ b/contrib/hstore_plperl/hstore_plperlu--1.0.sql
@@ -7,11 +7,11 @@ CREATE FUNCTION hstore_to_plperlu(val internal) RETURNS internal
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME', 'hstore_to_plperl';
 
-CREATE FUNCTION plperlu_to_hstore(val internal) RETURNS hstore
+CREATE FUNCTION plperlu_to_hstore(val internal) RETURNS @extschema:hstore@.hstore
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME', 'plperl_to_hstore';
 
-CREATE TRANSFORM FOR hstore LANGUAGE plperlu (
+CREATE TRANSFORM FOR @extschema:hstore@.hstore LANGUAGE plperlu (
     FROM SQL WITH FUNCTION hstore_to_plperlu(internal),
     TO SQL WITH FUNCTION plperlu_to_hstore(internal)
 );
diff --git a/contrib/hstore_plpython/hstore_plpython3u--1.0.sql b/contrib/hstore_plpython/hstore_plpython3u--1.0.sql
index 0b410ab18354c6cdeac299a2b989fb46dddfd8b7..35082322416849623208472814600fe94b1f9066 100644 (file)
--- a/contrib/hstore_plpython/hstore_plpython3u--1.0.sql
+++ b/contrib/hstore_plpython/hstore_plpython3u--1.0.sql
@@ -7,13 +7,13 @@ CREATE FUNCTION hstore_to_plpython3(val internal) RETURNS internal
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME', 'hstore_to_plpython';
 
-CREATE FUNCTION plpython3_to_hstore(val internal) RETURNS hstore
+CREATE FUNCTION plpython3_to_hstore(val internal) RETURNS @extschema:hstore@.hstore
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME', 'plpython_to_hstore';
 
-CREATE TRANSFORM FOR hstore LANGUAGE plpython3u (
+CREATE TRANSFORM FOR @extschema:hstore@.hstore LANGUAGE plpython3u (
     FROM SQL WITH FUNCTION hstore_to_plpython3(internal),
     TO SQL WITH FUNCTION plpython3_to_hstore(internal)
 );
 
-COMMENT ON TRANSFORM FOR hstore LANGUAGE plpython3u IS 'transform between hstore and Python dict';
+COMMENT ON TRANSFORM FOR @extschema:hstore@.hstore LANGUAGE plpython3u IS 'transform between hstore and Python dict';
diff --git a/contrib/ltree_plpython/ltree_plpython3u--1.0.sql b/contrib/ltree_plpython/ltree_plpython3u--1.0.sql
index 09ada3c7e8b701393aca79123edec4f3362bdce4..14f73518d6ae4a1e259f3f8ccf0f9c4322a28890 100644 (file)
--- a/contrib/ltree_plpython/ltree_plpython3u--1.0.sql
+++ b/contrib/ltree_plpython/ltree_plpython3u--1.0.sql
@@ -7,6 +7,6 @@ CREATE FUNCTION ltree_to_plpython3(val internal) RETURNS internal
 LANGUAGE C STRICT IMMUTABLE
 AS 'MODULE_PATHNAME', 'ltree_to_plpython';
 
-CREATE TRANSFORM FOR ltree LANGUAGE plpython3u (
+CREATE TRANSFORM FOR @extschema:ltree@.ltree LANGUAGE plpython3u (
     FROM SQL WITH FUNCTION ltree_to_plpython3(internal)
 );
diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
index 218940ee5ce19334efec8c1c6b7b15fc2183c2d9..ba492ca27c089fa780fd2a923b5781ec8412ddb7 100644 (file)
--- a/doc/src/sgml/extend.sgml
+++ b/doc/src/sgml/extend.sgml
@@ -1348,15 +1348,11 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
      </para>
 
      <para>
-      Cross-extension references are extremely difficult to make fully
-      secure, partially because of uncertainty about which schema the other
-      extension is in.  The hazards are reduced if both extensions are
-      installed in the same schema, because then a hostile object cannot be
-      placed ahead of the referenced extension in the installation-time
-      <varname>search_path</varname>.  However, no mechanism currently exists
-      to require that.  For now, best practice is to not mark an extension
-      trusted if it depends on another one, unless that other one is always
-      installed in <literal>pg_catalog</literal>.
+      Secure cross-extension references typically require schema-qualification
+      of the names of the other extension's objects, using the
+      <literal>@extschema:<replaceable>name</replaceable>@</literal>
+      syntax, in addition to careful matching of argument types for functions
+      and operators.
      </para>
     </sect3>
    </sect2>
diff --git a/doc/src/sgml/hstore.sgml b/doc/src/sgml/hstore.sgml
index 7d93e49e91309729cc59b75cbb2bb5e88661da5b..44325e0bba0c43598e3235496a6c27f15d02a1d8 100644 (file)
--- a/doc/src/sgml/hstore.sgml
+++ b/doc/src/sgml/hstore.sgml
@@ -946,15 +946,6 @@ ALTER TABLE tablename ALTER hstorecol TYPE hstore USING hstorecol || '';
    extension for PL/Python is called <literal>hstore_plpython3u</literal>.
    If you use it, <type>hstore</type> values are mapped to Python dictionaries.
   </para>
-
-  <caution>
-   <para>
-    It is strongly recommended that the transform extensions be installed in
-    the same schema as <filename>hstore</filename>.  Otherwise there are
-    installation-time security hazards if a transform extension's schema
-    contains objects defined by a hostile user.
-   </para>
-  </caution>
  </sect2>
 
  <sect2 id="hstore-authors">
diff --git a/doc/src/sgml/ltree.sgml b/doc/src/sgml/ltree.sgml
index 9584105b03b39a89edaafaf26fdbc12a43142bd8..1c3543303f0ab96d2bdb1832f9ad6d43699cae75 100644 (file)
--- a/doc/src/sgml/ltree.sgml
+++ b/doc/src/sgml/ltree.sgml
@@ -841,15 +841,6 @@ ltreetest=&gt; SELECT ins_label(path,2,'Space') FROM test WHERE path &lt;@ 'Top.
    creating a function, <type>ltree</type> values are mapped to Python lists.
    (The reverse is currently not supported, however.)
   </para>
-
-  <caution>
-   <para>
-    It is strongly recommended that the transform extension be installed in
-    the same schema as <filename>ltree</filename>.  Otherwise there are
-    installation-time security hazards if a transform extension's schema
-    contains objects defined by a hostile user.
-   </para>
-  </caution>
  </sect2>
 
  <sect2 id="ltree-authors">
Cedric's Stuff