Comments on Database Soup: Today's Security Update: XML vulnerabilities
Blog author: Josh Berkus (http://www.blogger.com/profile/09671139717468724246)

---

intgr (https://www.blogger.com/profile/14696232909148155489), 2012-08-17 16:31 -07:00:

> the obvious workaround for the xml_parse() issue is to revoke EXECUTE permission on the function from "public" and all users

Erm, which "the function"? There is no "xml_parse" function. As far as I can tell SQLPARSE() is a SQL-level construct. The release notes are very confusing with regards to this, too.

"\df *parse*" only displays some irrelevant functions.

Here's what I tried:

    create role someuser;
    revoke execute on function xml_in(cstring) from someuser;
    revoke execute on function xml_in(xml, text) from someuser;
    revoke execute on function xmlvalidate(xml, text) from someuser;
    revoke execute on function xml_is_well_formed(text) from someuser;
    revoke execute on function xml_is_well_formed_content(text) from someuser;
    revoke execute on function xml_is_well_formed_document(text) from someuser;

    set role=someuser;
    select xmlparse(document '');

Still doesn't prevent the usage of xmlparse(), what am I missing?

---

Josh Berkus (https://www.blogger.com/profile/09671139717468724246), 2012-08-17 16:37 -07:00:

Intgr,

No, you're correct. xmlparse() is a low-level function and it doesn't have specific permissions. I've revised my blog post accordingly.