pgsql: Doc: stop implying recommendation of insecure search_path value. - Mailing list pgsql-committers

From: Noah Misch
Subject: pgsql: Doc: stop implying recommendation of insecure search_path value.
Msg-id: E1uAdiu-000Xqd-1k@gemulon.postgresql.org
List: pgsql-committers
Doc: stop implying recommendation of insecure search_path value.

SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to
"SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead
of the intended "SET search_path = pg_catalog, pg_temp".  (The intent
was a two-element search path.  With the single quotes, it instead
specifies one element with a comma and a space in the middle of the
element.)  In addition to the SET statement, this affects SET clauses of
CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE.  It does not affect the
set_config() SQL function.

Though the documentation did not show an insecure command, remove single
quotes that could entice a reader to write an insecure command.
Back-patch to v13 (all supported versions).

Reported-by: Sven Klemm <sven@timescale.com>
Author: Sven Klemm <sven@timescale.com>
Backpatch-through: 13

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/16f911ced6bdc368c41865c0a2250462a69a4e66

Modified Files
--------------
doc/src/sgml/extend.sgml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
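The quoting trap the commit message describes, as an added SQL example that is not part of the commit or of the PostgreSQL manual. It contrasts the quoted and unquoted forms for SET and for a CREATE FUNCTION SET clause, then goes one step further than the message with a catalog audit for stored search_path settings (functions, roles, databases) in which a double-quoted element contains a comma; the function names f_quoted and f_unquoted are placeholders chosen here.

```sql
-- Added example, not from the commit or the PostgreSQL manual.
-- f_quoted / f_unquoted are placeholder names chosen for this demonstration.

-- 1. Quoted form: the single quotes produce ONE list element whose identifier
--    is literally "pg_catalog, pg_temp" (comma and space inside the name).
SET search_path = 'pg_catalog, pg_temp';
SHOW search_path;             -- the value is displayed as a single double-quoted identifier
SELECT current_schemas(true); -- the nonexistent schema is dropped; only the implicit
                              -- pg_temp / pg_catalog entries remain

-- 2. Intended form: two elements, no quotes around the list.
SET search_path = pg_catalog, pg_temp;
SHOW search_path;

-- 3. The same mistake is persisted by a function's SET clause ...
CREATE FUNCTION f_quoted() RETURNS text LANGUAGE sql
  SET search_path = 'pg_catalog, pg_temp'
  AS $$ SELECT 'x' $$;
-- ... whereas this stores the two-element path that was meant:
CREATE FUNCTION f_unquoted() RETURNS text LANGUAGE sql
  SET search_path = pg_catalog, pg_temp
  AS $$ SELECT 'x' $$;

-- 4. Audit: stored SET search_path values (pg_proc.proconfig for functions,
--    pg_db_role_setting.setconfig for ALTER ROLE / ALTER DATABASE) in which
--    some double-quoted element contains a comma. Lists f_quoted(), not f_unquoted().
WITH stored AS (
  SELECT 'function' AS kind, p.oid::regprocedure::text AS target, cfg
  FROM pg_proc AS p, unnest(p.proconfig) AS cfg
  UNION ALL
  SELECT 'role/database', s.setrole::text || '/' || s.setdatabase::text, cfg
  FROM pg_db_role_setting AS s, unnest(s.setconfig) AS cfg
)
SELECT kind, target, cfg
FROM stored
WHERE cfg LIKE 'search_path=%'
  AND EXISTS (SELECT 1
              FROM regexp_matches(cfg, '"([^"]*)"', 'g') AS m(ident)
              WHERE m.ident[1] LIKE '%,%');

-- Clean up the placeholder functions.
DROP FUNCTION f_quoted();
DROP FUNCTION f_unquoted();
```

The audit relies on the stored value being well-formed (PostgreSQL writes it itself), so the leftmost non-overlapping matches of the regex pair up each quoted identifier correctly; set_config() calls are not covered, as the message notes they are unaffected.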

