|
41 | 41 |
|
42 | 42 | <listitem> |
43 | 43 | <!-- |
| 44 | +Author: Noah Misch <noah@leadboat.com> |
| 45 | +Branch: master [ffa2d37e5] 2019-08-05 07:48:41 -0700 |
| 46 | +Branch: REL_12_STABLE [9993fa9dd] 2019-08-05 07:48:45 -0700 |
| 47 | +Branch: REL_11_STABLE [21f94c51f] 2019-08-05 07:48:45 -0700 |
| 48 | +Branch: REL_10_STABLE [2062007cb] 2019-08-05 07:48:45 -0700 |
| 49 | +Branch: REL9_6_STABLE [7da46192d] 2019-08-05 07:48:45 -0700 |
| 50 | +Branch: REL9_5_STABLE [752fa3dbf] 2019-08-05 07:48:45 -0700 |
| 51 | +Branch: REL9_4_STABLE [86737438b] 2019-08-05 07:48:46 -0700 |
| 52 | +--> |
| 53 | + <para> |
| 54 | + Require schema qualification to cast to a temporary type when using |
| 55 | + functional cast syntax (Noah Misch) |
| 56 | + </para> |
| 57 | + |
| 58 | + <para> |
| 59 | + We have long required invocations of temporary functions to |
| 60 | + explicitly specify the temporary schema, that |
| 61 | + is <literal>pg_temp.<replaceable>func_name</replaceable>(<replaceable>args</replaceable>)</literal>. |
| 62 | + Require this as well for casting to temporary types using functional |
| 63 | + notation, for |
| 64 | + example <literal>pg_temp.<replaceable>type_name</replaceable>(<replaceable>arg</replaceable>)</literal>. |
| 65 | + Otherwise it's possible to capture a function call using a temporary |
| 66 | + object, allowing privilege escalation in much the same ways that we |
| 67 | + blocked in CVE-2007-2138. |
| 68 | + (CVE-2019-10208) |
| 69 | + </para> |
| 70 | + </listitem> |
| 71 | + |
| 72 | + <listitem> |
| 73 | +<!-- |
44 | 74 | Author: Tom Lane <tgl@sss.pgh.pa.us> |
45 | 75 | Branch: master Release: REL_12_BR [f946a4091] 2019-06-24 16:43:21 -0400 |
46 | 76 | Branch: REL_11_STABLE [afaf48afb] 2019-06-24 16:43:05 -0400 |
|