Document security implications of check_function_bodies.

Back-patch to 8.4 (all supported versions).

Document security implications of check_function_bodies.
Back-patch to 8.4 (all supported versions).
540b4e5b · Noah Misch · 537cbd35 · 540b4e5b · 540b4e5b
Commit 540b4e5b authored Feb 17, 2014 by Noah Misch
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 8 deletions

doc/src/sgml/config.sgml doc/src/sgml/config.sgml +5 -3

doc/src/sgml/plhandler.sgml doc/src/sgml/plhandler.sgml +7 -5

No files found.
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -5153,9 +5153,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;
       <para>
        This parameter is normally on. When set to <literal>off</>, it
        disables validation of the function body string during <xref
-        linkend="sql-createfunction">. Disabling validation is
-        occasionally useful to avoid problems such as forward references
-        when restoring function definitions from a dump.
+        linkend="sql-createfunction">.  Disabling validation avoids side
+        effects of the validation process and avoids false positives due
+        to problems such as forward references.  Set this parameter
+        to <literal>off</> before loading functions on behalf of other
+        users; <application>pg_dump</> does so automatically.
       </para>
      </listitem>
     </varlistentry>

--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
   <para>
    Validator functions should typically honor the <xref
    linkend="guc-check-function-bodies"> parameter: if it is turned off then
-    any expensive or context-sensitive checking should be skipped.
-    In particular, this parameter is turned off by <application>pg_dump</>
-    so that it can load procedural language functions without worrying
-    about possible dependencies of the function bodies on other database
-    objects.  (Because of this requirement, the call handler should avoid
+    any expensive or context-sensitive checking should be skipped.  If the
+    language provides for code execution at compilation time, the validator
+    must suppress checks that would induce such execution.  In particular,
+    this parameter is turned off by <application>pg_dump</> so that it can
+    load procedural language functions without worrying about side effects or
+    dependencies of the function bodies on other database objects.
+    (Because of this requirement, the call handler should avoid
    assuming that the validator has fully checked the function.  The point
    of having a validator is not to let the call handler omit checks, but
    to notify the user immediately if there are obvious errors in a