|
35 | 35 |
|
36 | 36 | <listitem> |
37 | 37 | <!-- |
| 38 | +Author: Noah Misch <noah@leadboat.com> |
| 39 | +Branch: master [ffa2d37e5] 2019-08-05 07:48:41 -0700 |
| 40 | +Branch: REL_12_STABLE [9993fa9dd] 2019-08-05 07:48:45 -0700 |
| 41 | +Branch: REL_11_STABLE [21f94c51f] 2019-08-05 07:48:45 -0700 |
| 42 | +Branch: REL_10_STABLE [2062007cb] 2019-08-05 07:48:45 -0700 |
| 43 | +Branch: REL9_6_STABLE [7da46192d] 2019-08-05 07:48:45 -0700 |
| 44 | +Branch: REL9_5_STABLE [752fa3dbf] 2019-08-05 07:48:45 -0700 |
| 45 | +Branch: REL9_4_STABLE [86737438b] 2019-08-05 07:48:46 -0700 |
| 46 | +--> |
| 47 | + <para> |
| 48 | + Require schema qualification to cast to a temporary type when using |
| 49 | + functional cast syntax (Noah Misch) |
| 50 | + </para> |
| 51 | + |
| 52 | + <para> |
| 53 | + We have long required invocations of temporary functions to |
| 54 | + explicitly specify the temporary schema, that |
| 55 | + is <literal>pg_temp.<replaceable>func_name</replaceable>(<replaceable>args</replaceable>)</literal>. |
| 56 | + Require this as well for casting to temporary types using functional |
| 57 | + notation, for |
| 58 | + example <literal>pg_temp.<replaceable>type_name</replaceable>(<replaceable>arg</replaceable>)</literal>. |
| 59 | + Otherwise it's possible to capture a function call using a temporary |
| 60 | + object, allowing privilege escalation in much the same ways that we |
| 61 | + blocked in CVE-2007-2138. |
| 62 | + (CVE-2019-10208) |
| 63 | + </para> |
| 64 | + </listitem> |
| 65 | + |
| 66 | + <listitem> |
| 67 | +<!-- |
38 | 68 | Author: Tom Lane <tgl@sss.pgh.pa.us> |
39 | 69 | Branch: master Release: REL_12_BR [f946a4091] 2019-06-24 16:43:21 -0400 |
40 | 70 | Branch: REL_11_STABLE [afaf48afb] 2019-06-24 16:43:05 -0400 |
|