mirror of
https://github.com/postgres/postgres.git
synced 2025-06-27 23:21:58 +03:00
b97857b676
Commit 5770172cb0 wrote, incorrectly, that
certain schema usage patterns are secure against CREATEROLE users and
database owners. When an untrusted user is the database owner or holds
CREATEROLE privilege, a query is secure only if its session started with
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.
Back-patch to 9.4 (all supported versions).
Discussion: https://postgr.es/m/20191013013512.GC4131753@rfd.leadboat.com