projects / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 06a2c59) | patch
Doc: stop implying recommendation of insecure search_path value.
authorNoah Misch <[email protected]>
Thu, 1 May 2025 23:51:59 +0000 (16:51 -0700)
committerNoah Misch <[email protected]>
Thu, 1 May 2025 23:52:04 +0000 (16:52 -0700)
commitfd0af4906c1ad0c8b5aa58990b6b37c5d11cb428
tree8163a09cafd24be4e5758a8c2dd1201f19f64243tree
parent06a2c598e10b0f698b57a6c0be7ebafd19a5d6f1commit | diff
Doc: stop implying recommendation of insecure search_path value.

SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to
"SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead
of the intended "SET search_path = pg_catalog, pg_temp".  (The intent
was a two-element search path.  With the single quotes, it instead
specifies one element with a comma and a space in the middle of the
element.)  In addition to the SET statement, this affects SET clauses of
CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE.  It does not affect the
set_config() SQL function.

Though the documentation did not show an insecure command, remove single
quotes that could entice a reader to write an insecure command.
Back-patch to v13 (all supported versions).

Reported-by: Sven Klemm <[email protected]>
Author: Sven Klemm <[email protected]>
Backpatch-through: 13
doc/src/sgml/extend.sgml diff | blob | blame | history
This is the main PostgreSQL git repository.