Install a data-type-based solution for protecting pg_get_expr(). · 303696c3
Tom Lane authored
    Since the code underlying pg_get_expr() is not secure against malformed
    input, and can't practically be made so, we need to prevent miscreants
    from feeding arbitrary data to it.  We can do this securely by declaring
    pg_get_expr() to take a new datatype "pg_node_tree" and declaring the
    system catalog columns that hold nodeToString output to be of that type.
    There is no way at SQL level to create a non-null value of type pg_node_tree.
    Since the backend-internal operations that fill those catalog columns
    operate below the SQL level, they are oblivious to the datatype relabeling
    and don't need any changes.
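An added illustration, not part of the commit itself, of how the relabeling described above is visible from the SQL level; the string values are constructed, and the catalog query assumes the stock pg_attrdef columns:

```sql
-- Legitimate use is unaffected: adbin is a catalog column now declared as
-- pg_node_tree, so the existing pg_get_expr(pg_node_tree, oid) call works.
SELECT d.adrelid, pg_get_expr(d.adbin, d.adrelid) AS default_expr
  FROM pg_attrdef d;

-- Handing pg_get_expr() an arbitrary string no longer reaches the deparser:
-- the literal must first become a pg_node_tree, and there is no SQL-level
-- way to create a non-null value of that type, so the statement fails at
-- the type coercion rather than inside the node-reading code.
SELECT pg_get_expr('constructed garbage'::pg_node_tree, 0);

-- Going through text does not help either, since no cast from text to
-- pg_node_tree is defined.
SELECT pg_get_expr('constructed garbage'::text::pg_node_tree, 0);
```

Only the first statement succeeds; the other two are rejected before any node-tree parsing takes place.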