On 03/15/2018 04:00 PM, Foolish Ewe wrote:
> Hello All:
>
> A number of our team members and I use pg_dump to export schema in an
> Ubuntu 16.04 environment. I happen to have a postgres 9.6.4 server
> that runs in a docker container, and in some cases I see the following
> select statement and fully qualified table names in the
> CREATE TABLE and ALTER TABLE statements:
>
> SELECT pg_catalog.set_config('search_path', '', false);
>
> CREATE TABLE database_name.table_name

I am pretty sure you are actually seeing:

CREATE TABLE schema_name.table_name

and likewise for ALTER TABLE.

> But other users (who haven't updated their systems recently) do not see
> the SELECT statement and we see unqualified table names, e.g.:
>
> CREATE TABLE table_name
>
> These changes in format impact our workflows; we would prefer to have
> unqualified table names.
>
> Does anyone have an idea of what might cause this? Is there something
> we can do on the client side to avoid getting qualified table names?

The reason:

https://www.postgresql.org/about/news/1834/

"The purpose of this release is to address CVE-2018-1058, which
describes how a user can create like-named objects in different schemas
that can change the behavior of other users' queries and cause
unexpected or malicious behavior, also known as a "trojan-horse" attack."

More information

https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

There is no flag to unset this.

> With best regards:
> Bill
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
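
A check for which of the two formats discussed in this thread a plain-text schema dump uses, added here as an example (it is not code from the thread or from PostgreSQL): it looks for the search_path reset line and lists CREATE TABLE / ALTER TABLE statements whose table name carries no schema qualifier. The function name `audit_dump` and both sample dumps are constructed for illustration.

```python
import re

# The line a patched pg_dump writes into a plain-text dump (quoted in the thread).
SEARCH_PATH_RESET = re.compile(
    r"^\s*SELECT\s+pg_catalog\.set_config\(\s*'search_path'\s*,\s*''\s*,\s*false\s*\)\s*;",
    re.IGNORECASE | re.MULTILINE)
# One SQL identifier: "quoted name" (with "" as an escaped quote) or a bare name.
IDENT = r'(?:"(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*)'
# CREATE TABLE / ALTER TABLE, an optional schema qualifier, then the table name.
TABLE_STMT = re.compile(
    r"^\s*(?P<verb>CREATE(?:\s+UNLOGGED)?\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?"
    r"|ALTER\s+TABLE(?:\s+IF\s+EXISTS)?(?:\s+ONLY)?)\s+"
    rf"(?:(?P<schema>{IDENT})\s*\.\s*)?(?P<table>{IDENT})",
    re.IGNORECASE | re.MULTILINE)

def audit_dump(sql):
    """Report whether a plain-text dump shows the post-CVE-2018-1058 format."""
    unqualified = [
        f"{' '.join(m.group('verb').upper().split())} {m.group('table')}"
        for m in TABLE_STMT.finditer(sql)
        if m.group("schema") is None  # table name written without a schema
    ]
    has_reset = bool(SEARCH_PATH_RESET.search(sql))
    return {"search_path_reset": has_reset, "unqualified": unqualified,
            "patched_format": has_reset and not unqualified}

# Constructed sample in the older format: search_path set, names unqualified.
OLD_DUMP = """\
SET search_path = public, pg_catalog;
CREATE TABLE table_name (
    id integer NOT NULL
);
ALTER TABLE ONLY table_name
    ADD CONSTRAINT table_name_pkey PRIMARY KEY (id);
"""
# Constructed sample in the newer format: search_path emptied, names qualified.
NEW_DUMP = """\
SELECT pg_catalog.set_config('search_path', '', false);
CREATE TABLE schema_name.table_name (
    id integer NOT NULL
);
ALTER TABLE ONLY schema_name.table_name
    ADD CONSTRAINT table_name_pkey PRIMARY KEY (id);
"""

if __name__ == "__main__":
    for label, dump in (("old", OLD_DUMP), ("new", NEW_DUMP)):
        print(label, audit_dump(dump))
```

Run over the dumps a team shares, it shows which ones came from a client that has not yet picked up the CVE-2018-1058 release.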