Opened 2 years ago
Last modified 2 years ago
#5150 closed defect
postgis_extension_AddToSearchPath should take input as text instead of varchar — at Initial Version
| Reported by: | robe | Owned by: | robe |
|---|---|---|---|
| Priority: | medium | Milestone: | PostGIS 2.5.7 |
| Component: | build | Version: | master |
| Keywords: | Cc: |
Description
This is a security change.
It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the
postgis_extension_AddToSearchPath(varchar) we defined.
This could allow a rogue user to have their version of function run during extension create/updates instead of the one we ship.
Note:
See TracTickets
for help on using tickets.
