Commit ce150e7e authored by Tom Lane

Improve documentation about search_path for SECURITY DEFINER functions.

Clarify that the reason for recommending that pg_temp be put last is to
prevent temporary tables from capturing unqualified table names.  Per
discussion with Albe Laurenz.

Discussion: <A737B7A37273E048B164557ADEF4A58B5386C6E1@ntex2010i.host.magwien.gv.at>
parent 63cfdb8d
...@@ -750,14 +750,14 @@ SELECT * FROM dup(42); ...@@ -750,14 +750,14 @@ SELECT * FROM dup(42);
ensure that the function cannot be misused. For security, ensure that the function cannot be misused. For security,
<xref linkend="guc-search-path"> should be set to exclude any schemas <xref linkend="guc-search-path"> should be set to exclude any schemas
writable by untrusted users. This prevents writable by untrusted users. This prevents
malicious users from creating objects that mask objects used by the malicious users from creating objects (e.g., tables, functions, and
function. Particularly important in this regard is the operators) that mask objects intended to be used by the function.
Particularly important in this regard is the
temporary-table schema, which is searched first by default, and temporary-table schema, which is searched first by default, and
is normally writable by anyone. A secure arrangement can be obtained is normally writable by anyone. A secure arrangement can be obtained
by forcing the temporary schema to be searched last. To do this, by forcing the temporary schema to be searched last. To do this,
write <literal>pg_temp</><indexterm><primary>pg_temp</><secondary>securing functions</></> as the last entry in <varname>search_path</>. write <literal>pg_temp</><indexterm><primary>pg_temp</><secondary>securing functions</></> as the last entry in <varname>search_path</>.
This function illustrates safe usage: This function illustrates safe usage:
</para>
<programlisting> <programlisting>
CREATE FUNCTION check_password(uname TEXT, pass TEXT) CREATE FUNCTION check_password(uname TEXT, pass TEXT)
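Review bot: The new parenthetical "(e.g., tables, functions, and operators)" widens the masking threat to functions and operators, but the remedy the same paragraph then develops (placing pg_temp last in search_path) is framed only around the temporary-table schema, so a reader may conclude that pg_temp placement also covers functions and operators. Suggest keeping the two points distinct: the general rule "exclude any schemas writable by untrusted users" is what guards against masking by functions and operators created in other writable schemas, while the pg_temp-last advice specifically addresses temporary tables capturing unqualified table names, as the commit message says.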
...@@ -776,11 +776,17 @@ $$ LANGUAGE plpgsql ...@@ -776,11 +776,17 @@ $$ LANGUAGE plpgsql
SET search_path = admin, pg_temp; SET search_path = admin, pg_temp;
</programlisting> </programlisting>
This function's intention is to access a table <literal>admin.pwds</>.
But without the <literal>SET</> clause, or with a <literal>SET</> clause
mentioning only <literal>admin</>, the function could be subverted by
creating a temporary table named <literal>pwds</>.
</para>
<para> <para>
Before <productname>PostgreSQL</productname> version 8.3, the Before <productname>PostgreSQL</productname> version 8.3, the
<literal>SET</> option was not available, and so older functions may <literal>SET</> clause was not available, and so older functions may
contain rather complicated logic to save, set, and restore contain rather complicated logic to save, set, and restore
<varname>search_path</>. The <literal>SET</> option is far easier <varname>search_path</>. The <literal>SET</> clause is far easier
to use for this purpose. to use for this purpose.
</para> </para>
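Review bot: The added paragraph states that a SET clause "mentioning only admin" still leaves the function subvertible, but does not say why; the reason, stated in the preceding hunk, is that the temporary schema is searched first whenever it is not listed explicitly. Suggest making that explicit, e.g. "... mentioning only <literal>admin</> (so that <literal>pg_temp</> is implicitly searched first), the function could be subverted by creating a temporary table named <literal>pwds</>." The example's safety also depends on <literal>admin</> itself not being writable by untrusted users; a short clause to that effect would tie the example back to the general rule given earlier in the section.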