git.postgresql.org Git - postgresql.git/commitdiff

parent: 87af12e
Doc: stop implying recommendation of insecure search_path value.
Thu, 1 May 2025 23:51:59 +0000 (16:51 -0700)
Thu, 1 May 2025 23:52:03 +0000 (16:52 -0700)
SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to
"SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead
of the intended "SET search_path = pg_catalog, pg_temp". (The intent
was a two-element search path. With the single quotes, it instead
specifies one element with a comma and a space in the middle of the
element.) In addition to the SET statement, this affects SET clauses of
CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE. It does not affect the
set_config() SQL function.

Though the documentation did not show an insecure command, remove single
quotes that could entice a reader to write an insecure command.
Back-patch to v13 (all supported versions).

Reported-by: Sven Klemm <sven@timescale.com>
Author: Sven Klemm <sven@timescale.com>
Backpatch-through: 13

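The following SQL session is an added illustration of the quoting problem the commit message describes; it is not part of the commit or of the PostgreSQL documentation. The function name demo_safe_fn is invented, and the audit query at the end assumes that pg_proc.proconfig and pg_db_role_setting.setconfig store the setting as the flattened text "search_path=<value>", with the mistaken single-element value appearing as a double-quoted identifier.

```sql
-- Added example (not from the commit): quoted vs. unquoted search_path.

-- Quoted: the whole string is parsed as ONE schema name that contains
-- a comma and a space, not as a two-element list.
SET search_path = 'pg_catalog, pg_temp';
SHOW search_path;
-- Displays the single quoted identifier: "pg_catalog, pg_temp"
-- No schema has that name, so only the implicit entries (pg_temp, if the
-- session has a temp schema, then pg_catalog) remain in effect:
SELECT current_schemas(true);

-- Intended two-element path: no quotes around the list.
SET search_path = pg_catalog, pg_temp;
SHOW search_path;
-- Displays: pg_catalog, pg_temp

-- set_config() takes a single string and parses it as a list itself,
-- so here the quotes are correct (this is the case the commit message
-- notes is unaffected).
SELECT set_config('search_path', 'pg_catalog, pg_temp', false);

-- The same rule applies to the SET clause of CREATE FUNCTION
-- (and of ALTER ROLE / ALTER DATABASE): no quotes around the list.
CREATE FUNCTION demo_safe_fn() RETURNS int   -- hypothetical name
LANGUAGE sql
SET search_path = pg_catalog, pg_temp
AS $$ SELECT 1 $$;

-- Audit: find per-function and per-role/per-database search_path
-- settings whose stored value contains a double-quoted element with a
-- comma inside it, i.e. the mistaken single-element form.
-- (Assumes the stored "name=value" format described in the lead-in.)
SELECT 'function' AS kind,
       n.nspname || '.' || p.proname AS object,
       cfg
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL unnest(p.proconfig) AS cfg
WHERE cfg LIKE 'search_path=%'
  AND cfg ~ '"[^"]*,[^"]*"'
UNION ALL
SELECT 'role/database',
       s.setrole::regrole::text || ' / ' || COALESCE(d.datname, '*'),
       cfg
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE cfg LIKE 'search_path=%'
  AND cfg ~ '"[^"]*,[^"]*"';
```

Run the first block in a scratch database to see the two SHOW outputs side by side; the audit query is read-only and can be run against any database where SECURITY DEFINER functions or role-level search_path settings are in use.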

diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
index 46e873a1661b2adf42fe4937aed55a2336764940..adde17ee0640946c449d92d2bb820dd00cb087df 100644 (file)
--- a/doc/src/sgml/extend.sgml
+++ b/doc/src/sgml/extend.sgml
@@ -1300,8 +1300,8 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
secure <varname>search_path</varname>; do <emphasis>not</emphasis>
trust the path provided by <command>CREATE/ALTER EXTENSION</command>
to be secure. Best practice is to temporarily
- set <varname>search_path</varname> to <literal>'pg_catalog,
- pg_temp'</literal> and insert references to the extension's
+ set <varname>search_path</varname> to <literal>pg_catalog,
+ pg_temp</literal> and insert references to the extension's
installation schema explicitly where needed. (This practice might
also be helpful for creating views.) Examples can be found in
the <filename>contrib</filename> modules in
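Review bot: the rewritten sentence now shows the correct form, but the surrounding prose still gives no hint that the quoted form is wrong, so a reader who already has `'pg_catalog, pg_temp'` in an extension script has no reason to recognise this as a correction. Consider adding a short note after "installation schema explicitly where needed." along the lines of the commit message: quoting the whole list makes it a single schema name with a comma and a space inside it rather than a two-element path, and the same applies to the SET clauses of CREATE FUNCTION, ALTER ROLE and ALTER DATABASE, while set_config() is unaffected. Since the <literal> still breaks across a line ("pg_catalog,\n pg_temp"), also check that the rendered output keeps the two elements on one line so the comma-separated list reads as a single setting.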