Thread: wiki.postgres Tighten trigger permission checks already resolved
Hi.
The following Todo item seems already resolved in pg15.
Tighten trigger permission checks
But it seems to not appear in the pg15 release notes. (I searched for the keywords "trigger" and "function").
jian he <jian.universality@gmail.com> writes:
> The following Todo item seems already resolved in pg15.
> https://wiki.postgresql.org/wiki/Todo#Triggers
>> Tighten trigger permission checks
>> - Security leak with trigger functions?
>> <http://archives.postgresql.org/pgsql-hackers/2006-12/msg00564.php>
> But it seems to not appear in the pg15 release notes. (I searched for the
> keywords "trigger" and "function").

The case shown at the head of that thread was fixed more than a decade ago, cf commit 891e6e7bf (CVE-2012-0866). However, the followup questions discussed in the thread are still live: should there be a run-time not only trigger-creation-time privilege check, and if so what should it check exactly? And is a separate TRIGGER privilege even reasonable, rather than just saying you must be table owner to create a trigger?

regards, tom lane
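An added example, not part of the thread or of PostgreSQL's own code: because the privilege check discussed above applies when the trigger is created rather than when it fires, a later REVOKE on the function leaves existing triggers in place. The catalog query below lists user-defined triggers whose table owner currently lacks EXECUTE on the trigger function; using the table owner as a stand-in for the role that created the trigger is an assumption of this example.

```sql
-- Audit query (added example). Run it in each database to be reviewed.
-- Assumption: the table owner is used as a proxy for the trigger's creator,
-- since the catalogs do not record which role ran CREATE TRIGGER.
SELECT c.oid::regclass                 AS table_name,
       t.tgname                        AS trigger_name,
       p.oid::regprocedure             AS trigger_function,
       pg_get_userbyid(c.relowner)     AS table_owner,
       pg_get_userbyid(p.proowner)     AS function_owner,
       p.prosecdef                     AS security_definer,
       -- Is the function still executable by everyone?
       has_function_privilege('public'::name, p.oid, 'EXECUTE')
                                       AS public_can_execute
FROM   pg_trigger t
JOIN   pg_class   c ON c.oid = t.tgrelid
JOIN   pg_proc    p ON p.oid = t.tgfoid
WHERE  NOT t.tgisinternal              -- skip constraint/FK triggers
  AND  NOT has_function_privilege(c.relowner, p.oid, 'EXECUTE')
ORDER  BY security_definer DESC, table_name, trigger_name;
```

Rows with `security_definer = true` deserve the closest look, since those functions run with the function owner's privileges rather than the caller's.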