jian he <jian.universality@xxxxxxxxx> writes:
> The following Todo item seems already resolved in pg15.
> https://wiki.postgresql.org/wiki/Todo#Triggers
>> Tighten trigger permission checks
>> - Security leak with trigger functions?
>> <http://archives.postgresql.org/pgsql-hackers/2006-12/msg00564.php>
> But it seems to not appear in the pg15 release notes. (I searched for the
> keywords "trigger" and "function").

The case shown at the head of that thread was fixed more than a decade
ago, cf commit 891e6e7bf (CVE-2012-0866). However, the followup questions
discussed in the thread are still live: should there be a run-time
not only trigger-creation-time privilege check, and if so what should
it check exactly? And is a separate TRIGGER privilege even reasonable,
rather than just saying you must be table owner to create a trigger?

regards, tom lane