Commit ce150e7

Improve documentation about search_path for SECURITY DEFINER functions.
Clarify that the reason for recommending that pg_temp be put last is to prevent temporary tables from capturing unqualified table names. Per discussion with Albe Laurenz.

Discussion: <A737B7A37273E048B164557ADEF4A58B5386C6E1@ntex2010i.host.magwien.gv.at>
1 parent 63cfdb8 commit ce150e7

doc/src/sgml/ref/create_function.sgml

Lines changed: 11 additions & 5 deletions
@@ -750,14 +750,14 @@ SELECT * FROM dup(42);
750750
ensure that the function cannot be misused. For security,
751751
<xref linkend="guc-search-path"> should be set to exclude any schemas
752752
writable by untrusted users. This prevents
753-
malicious users from creating objects that mask objects used by the
754-
function. Particularly important in this regard is the
753+
malicious users from creating objects (e.g., tables, functions, and
754+
operators) that mask objects intended to be used by the function.
755+
Particularly important in this regard is the
755756
temporary-table schema, which is searched first by default, and
756757
is normally writable by anyone. A secure arrangement can be obtained
757758
by forcing the temporary schema to be searched last. To do this,
758759
write <literal>pg_temp</><indexterm><primary>pg_temp</><secondary>securing functions</></> as the last entry in <varname>search_path</>.
759760
This function illustrates safe usage:
760-
</para>
761761

762762
<programlisting>
763763
CREATE FUNCTION check_password(uname TEXT, pass TEXT)
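Review bot: the new parenthetical at 753+/754+ lists functions and operators among the objects an attacker can use for masking, but the sentences that follow (755 onward) only explain the temporary-table case, so a reader may conclude that pg_temp can also mask functions and operators. The session temporary schema is searched only for relation and type names, never for function or operator names, so the function/operator risk comes from other schemas on the path that are writable by untrusted users (a public schema with default privileges, for instance). Consider saying so explicitly, e.g. "Any such schema can mask functions and operators; the temporary-table schema can mask tables and types." Separately, dropping the `</para>` at 760- leaves this paragraph open across the `<programlisting>`; that is valid DocBook only because the matching `</para>` is re-added after the listing in the next hunk, so the two hunks must not be applied independently.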
@@ -776,11 +776,17 @@ $$ LANGUAGE plpgsql
776776
SET search_path = admin, pg_temp;
777777
</programlisting>
778778

779+
This function's intention is to access a table <literal>admin.pwds</>.
780+
But without the <literal>SET</> clause, or with a <literal>SET</> clause
781+
mentioning only <literal>admin</>, the function could be subverted by
782+
creating a temporary table named <literal>pwds</>.
783+
</para>
784+
779785
<para>
780786
Before <productname>PostgreSQL</productname> version 8.3, the
781-
<literal>SET</> option was not available, and so older functions may
787+
<literal>SET</> clause was not available, and so older functions may
782788
contain rather complicated logic to save, set, and restore
783-
<varname>search_path</>. The <literal>SET</> option is far easier
789+
<varname>search_path</>. The <literal>SET</> clause is far easier
784790
to use for this purpose.
785791
</para>
786792

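Review bot: "This function's intention is to access a table admin.pwds" (779+) reads awkwardly; prefer "This function is intended to access a table admin.pwds." More substantively, 780+ to 782+ say the function "could be subverted by creating a temporary table named pwds" but do not say who can do that or why it matters for SECURITY DEFINER: any caller able to create temporary tables (the TEMP privilege on a database is granted to PUBLIC by default) can create pwds before calling check_password, and the function then reads the caller's table with the definer's privileges. One sentence to that effect would tie the example back to the "normally writable by anyone" point earlier in the paragraph. It would also help to make the "mentioning only admin" case concrete: with SET search_path = admin, pg_temp is still implicitly searched first, which is exactly the default ordering the paragraph warns about, so only listing pg_temp last closes the hole.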