Re: Potential vuln in example for "F.25.1.1. digest()" - Mailing list pgsql-docs

From David G. Johnston
Subject Re: Potential vuln in example for "F.25.1.1. digest()"
Date
Msg-id CAKFQuwZVWK8J3Nw+f=ERH_2hG6iFTVkOc0ciDX1a8vnAb11+HQ@mail.gmail.com
In response to Potential vuln in example for "F.25.1.1. digest()"  (PG Doc comments form <noreply@postgresql.org>)
Responses Re: Potential vuln in example for "F.25.1.1. digest()"
List pgsql-docs
On Tuesday, August 17, 2021, PG Doc comments form <noreply@postgresql.org> wrote:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/13/pgcrypto.html
Description:

Hi,
in "F.25.1.1. digest()" you suggest:

CREATE OR REPLACE FUNCTION sha1(bytea) returns text AS $$
    SELECT encode(digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;

While this is a great example, it may expose a database app to
vulnerabilities if the attacker succeeds in overriding the function
sha1(...) in the app's user context (schema).


You should read this:


David J.
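
An added example, not part of either message above and not the PostgreSQL documentation's own code: one way to define the quoted wrapper so that neither its body nor its callers resolve `sha1` or `digest` through `search_path`. The schema names `crypto_ext` and `app_util` and the role `app_user` are hypothetical, and the script assumes pgcrypto is not already installed in another schema.

```sql
-- Constructed hardening example; crypto_ext, app_util and app_user are
-- hypothetical names chosen for illustration.

-- Keep the extension and the wrapper in schemas that only trusted roles own.
CREATE SCHEMA IF NOT EXISTS crypto_ext;
CREATE SCHEMA IF NOT EXISTS app_util;
-- Assumption: pgcrypto is not yet installed elsewhere. If it is, IF NOT EXISTS
-- skips this step and crypto_ext.digest() will not exist.
CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA crypto_ext;

-- Before PostgreSQL 15 every role can create objects in "public" by default;
-- remove that so an untrusted role cannot plant a look-alike function there.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Application roles may call functions in these schemas but not add to them.
-- (Assumes the role app_user already exists.)
GRANT USAGE ON SCHEMA crypto_ext, app_util TO app_user;

-- The wrapper from the quoted documentation example, with every call
-- schema-qualified and search_path pinned for the duration of the function.
CREATE OR REPLACE FUNCTION app_util.sha1(bytea) RETURNS text AS $$
    SELECT pg_catalog.encode(crypto_ext.digest($1, 'sha1'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE
   SET search_path = pg_catalog, pg_temp;

-- Callers schema-qualify too, so a sha1() created in any schema that comes
-- earlier on their search_path is never the one that runs.
SELECT app_util.sha1('abc'::bytea);

-- Audit query: list every function named sha1 or digest, with its schema and
-- owner, to spot definitions outside the schemas you expect.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.proname IN ('sha1', 'digest')
ORDER BY n.nspname, p.proname;
```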
