From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Erki Eessaar <erki(dot)eessaar(at)taltech(dot)ee> |
Cc: | "pgsql-docs(at)lists(dot)postgresql(dot)org" <pgsql-docs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely |
Date: | 2022-09-28 17:07:43 |
Message-ID: | YzR/X5Hhyu4HaUj2@momjian.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs |
On Tue, Aug 16, 2022 at 03:32:36PM -0400, Bruce Momjian wrote:
> On Sat, Dec 25, 2021 at 02:36:27PM +0000, Erki Eessaar wrote:
> >
> > Hello
> >
> > PostgreSQL 14 added the feature: "Allow SQL-language functions and procedures
> > to use SQL-standard function bodies."
> >
> > If I understand correctly, then in this case the system will track
> > dependencies between tables and routines that use the tables. Thus, the
> > SECURITY DEFINER routines that use the new approach do not require the
> > following mitigation, i.e., SET search_path= is not needed. The following part
> > of documentation does not mention this.
> >
> > https://www.postgresql.org/docs/current/sql-createfunction.html#
> > SQL-CREATEFUNCTION-SECURITY
> >
> > [elephant] PostgreSQL: Documentation: 14: CREATE FUNCTION
> > Overloading. PostgreSQL allows function overloading; that is, the
> > same name can be used for several different functions so long as
> > they have distinct input argument types.Whether or not you use it,
> > this capability entails security precautions when calling functions
> > in databases where some users mistrust other users; see Section
> > 10.3.. Two functions are considered the same if they have the same
> > ...
> > www.postgresql.org
>
> I have written the attached patch to mention this issue about sql_body
> functions.
The doc patch was reverted based on feedback in this email thread:
If you think we should add new wording, please suggest it, thanks.
--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com
Indecision is a decision. Inaction is an action. Mark Batterson
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2022-09-28 17:35:56 | Re: Developer FAQ Dead Link |
Previous Message | Bruce Momjian | 2022-09-28 17:05:53 | Re: SQL-standard function bodies and creating SECURITY DEFINER routines securely |