Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tT3D2-0036lI-TE
	for pgsql-general@arkaria.postgresql.org; Wed, 01 Jan 2025 18:12:45 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1tT3D1-009Vxr-MS
	for pgsql-general@arkaria.postgresql.org; Wed, 01 Jan 2025 18:12:43 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1tT3D0-009Vxg-Aq
	for pgsql-general@lists.postgresql.org; Wed, 01 Jan 2025 18:12:43 +0000
Received: from fout-b4-smtp.messagingengine.com ([202.12.124.147])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <adrian.klaver@aklaver.com>)
	id 1tT3Cv-002hIJ-EG
	for pgsql-general@lists.postgresql.org; Wed, 01 Jan 2025 18:12:41 +0000
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52])
	by mailfout.stl.internal (Postfix) with ESMTP id 9E3B51140111;
	Wed,  1 Jan 2025 13:12:34 -0500 (EST)
Received: from phl-mailfrontend-02 ([10.202.2.163])
  by phl-compute-12.internal (MEProxy); Wed, 01 Jan 2025 13:12:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h=
	cc:cc:content-transfer-encoding:content-type:content-type:date
	:date:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to; s=fm1; t=1735755154;
	 x=1735841554; bh=TcfDq6Lsdx7FQPKzcZ79UT05AW7QL7+LKue3QZvgzUc=; b=
	NnbpVUuajxj6kqESagpdm6I17s4Xd42Uf1CFcJpUm5DCWNmAE7yvrk0quSCEpfJD
	I6y3MQKkGGaG5gH/7gxZKXhiYO2tdb0rrf9YlF0UCd5BRPSYoHksVvqDv7x1e5HN
	mXSpD4bj1Kjbn3VvPV4X+PaTUKY9TN8E4fxNooITAqKBUDSwd1nsJJb/RP+Rv5rs
	qGzv4mnRCJJPObjKTUSkekgVL9lVBfBVBq+TBckJuqI9/iWxGPxvPg2qkUdUkOSJ
	DyRAsSTajHF2pkjQsx+uzQ9Nz5kN7rxo/D87hgGVOiVlDay3DK7HlAzEEvDf3zXG
	Ot3l5AkTiaFOOs00VWBLsw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:content-type:date:date:feedback-id:feedback-id
	:from:from:in-reply-to:in-reply-to:message-id:mime-version
	:references:reply-to:subject:subject:to:to:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1735755154; x=
	1735841554; bh=TcfDq6Lsdx7FQPKzcZ79UT05AW7QL7+LKue3QZvgzUc=; b=v
	AYjSJjvaUAKQ2ZSP8GFfXBIp+xw8heoh76YQ3kGGaVM30UBV2gnKD4Yy4BPM4JTp
	LbiqzEzk2Ucyx+9+EQ1DOlLDTk8RqBdzhBmGfGbtakQbzE593JwqM3P7HHNG60QO
	DYA/GmzS+RQvhJT+Wz5hJ3fkic/hjPsansb3pOVmTnYZfG65+86VseuaO4kOC5Mu
	VL64pkLjY7XnYVtwrH1YCuW0iL/AfhwkB7dpSPftXf7lqdXbqWYAeyRcEb7f115N
	iifwjbXoPo4OLj8mJrjWUNtkTyzQzQw7mhf9Otpy0CVEMDcZnFChHUs2w4SGPXrz
	0MUcYRliMLaH7L2bYwGcw==
X-ME-Sender: <xms:kYV1Z2YUq4OtWj2olnTl5IHWuBDZaSPHl0njWSZFoFVTpu1hKI-t_g>
    <xme:kYV1Z5ZvKU5v06vFd3zYRz6n8ZOl0Qo7qTIxJ6kYGITBR3pX7uiWX6PGShP4AuK3X
    Sp5IGfzVJJ3IUY>
X-ME-Received: <xmr:kYV1Zw-fjWtErg0fOpocP5ftUv3L03zt43Bi4qjUvpad2opS7_AsVVFjKrBLPp_G3BH4ixAp2gNprxOuuXsV8QF2aTI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrudeftddguddutdcutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdp
    uffrtefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivg
    hnthhsucdlqddutddtmdenucfjughrpefkffggfgfuvfevfhfhjggtgfesthejredttddv
    jeenucfhrhhomheptegurhhirghnucfmlhgrvhgvrhcuoegrughrihgrnhdrkhhlrghvvg
    hrsegrkhhlrghvvghrrdgtohhmqeenucggtffrrghtthgvrhhnpeeuudefjeejgffgtddt
    geehgfekueevkeekieettedtkeffheeivdethfevffegueenucffohhmrghinhepphhosh
    htghhrvghsqhhlrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm
    rghilhhfrhhomheprggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtghomhdpnh
    gspghrtghpthhtohepfedpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepjhgsvgdq
    mhhlihhsthesmhgrghhnvghtkhgvrhhnrdguvgdprhgtphhtthhopehpghhsqhhlqdhgvg
    hnvghrrghlsehlihhsthhsrdhpohhsthhgrhgvshhqlhdrohhrghdprhgtphhtthhopegu
    rghvihgurdhgrdhjohhhnhhsthhonhesghhmrghilhdrtghomh
X-ME-Proxy: <xmx:kYV1Z4qf6_B6gF4aaASytY170JUmQp3MrCpIQ71oPDrOkcXy54HZ3Q>
    <xmx:kYV1ZxquJEGrj0ya-0QadiKNQzfw8UqxrdKs06x5weMvF11cv_dauw>
    <xmx:kYV1Z2QZ6D2jBq-3nHwtf-4ZP7p4M7Q-Yc9rBHod9euhFvEg6iKv4g>
    <xmx:kYV1Zxo5cHWBP_PNkuGIikNoRp4No6408qJyIou4byqoXFRpZZxj2Q>
    <xmx:koV1Z4XHzM-51bPceXFfJcDgd2zl2fTNY076M5EWTK_xvaPDhpxRWNGJ>
Feedback-ID: i76984098:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed,
 1 Jan 2025 13:12:33 -0500 (EST)
Message-ID: <369dee18-3100-44a5-81af-1baa56c728bd@aklaver.com>
Date: Wed, 1 Jan 2025 10:12:32 -0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: search_path for PL/pgSQL functions partially cached?
To: Jan Behrens <jbe-mlist@magnetkern.de>,
 "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Cc: "David G. Johnston" <david.g.johnston@gmail.com>
References: <20241227205025.1d059f72c7c08d23c9648c26@magnetkern.de>
 <CAKFQuwb4hgHH=Z6cx5Hh_qc10TCYMb1QVfP3099X1Psmyw0r3Q@mail.gmail.com>
 <20241228004009.267f21b78394c934f27f9974@magnetkern.de>
 <20250101185504.3d50c571c3448512e94288e8@magnetkern.de>
Content-Language: en-US
From: Adrian Klaver <adrian.klaver@aklaver.com>
In-Reply-To: <20250101185504.3d50c571c3448512e94288e8@magnetkern.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/369dee18-3100-44a5-81af-1baa56c728bd%40aklaver.com>
Precedence: bulk

On 1/1/25 09:55, Jan Behrens wrote:
> On Sat, 28 Dec 2024 00:40:09 +0100
> Jan Behrens <jbe-mlist@magnetkern.de> wrote:
> 
>> On Fri, 27 Dec 2024 13:26:28 -0700
>> "David G. Johnston" <david.g.johnston@gmail.com> wrote:
>>
>>>> Or is it documented somewhere?
>>>
>>> https://www.postgresql.org/docs/current/plpgsql-implementation.html#PLPGSQL-PLAN-CACHING
>>
>> I can't find any notes regarding functions and schemas in that section.
> 
> Actually, I found another note in the documentation. But it doesn't
> explain things correctly. In the documentation for PostgreSQL 17,
> section 36.17.6.1. (Security Considerations for Extension Functions)
> says:
> 
> "SQL-language and PL-language functions provided by extensions are at
> risk of search-path-based attacks when they are executed, since parsing
> of these functions occurs at execution time not creation time."
> 
> https://www.postgresql.org/docs/17/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY
> 
> So here, the manual explicity states that functions are parsed at
> execution, not creation time. As seen in my original example in this
> thread, this isn't (fully) true. Moreover, it isn't true for all
> SQL-language functions, as can be demonstrated with the following code:
> 
> ============
> 
> CREATE SCHEMA s1;
> CREATE SCHEMA s2;
> 
> CREATE VIEW s1.v AS SELECT 'creation' AS col;
> CREATE VIEW s2.v AS SELECT 'runtime' AS col;
> 
> SET search_path TO 'public', 's1';
> 
> CREATE FUNCTION use_sql_atomic() RETURNS TEXT LANGUAGE sql BEGIN ATOMIC
>    SELECT 'use_sql_atomic = ' || col FROM v;
> END;
> 
> CREATE FUNCTION use_sql_string() RETURNS TEXT LANGUAGE sql AS $$
>    SELECT 'use_sql_string = ' || col FROM v;
> $$;
> 
> CREATE FUNCTION use_plpgsql() RETURNS TEXT LANGUAGE plpgsql AS $$ BEGIN
>    RETURN (SELECT 'use_plpgsql = ' || col FROM v);
> END; $$;
> 
> SET search_path TO 'public', 's2';
> 
> SELECT use_sql_atomic() AS "output" UNION ALL
> SELECT use_sql_string() AS "output" UNION ALL
> SELECT use_plpgsql() AS "output";
> 
> ============
> 
> This generates the following output:
> 
>            output
> ---------------------------
>   use_sql_atomic = creation
>   use_sql_string = runtime
>   use_plpgsql = runtime
> (3 rows)
> 
> Overall, PostgreSQL doesn't behave consistent, and to me it seems that
> the documentation isn't describing its behavior correctly either.

https://www.postgresql.org/docs/current/sql-createfunction.html

"sql_body

     The body of a LANGUAGE SQL function. This can either be a single 
statement

     RETURN expression

     or a block

     BEGIN ATOMIC
       statement;
       statement;
       ...
       statement;
     END

     This is similar to writing the text of the function body as a 
string constant (see definition above), but there are some differences: 
This form only works for LANGUAGE SQL, the string constant form works 
for all languages. This form is parsed at function definition time, the 
string constant form is parsed at execution time; therefore this form 
cannot support polymorphic argument types and other constructs that are 
not resolvable at function definition time. This form tracks 
dependencies between the function and objects used in the function body, 
so DROP ... CASCADE will work correctly, whereas the form using string 
literals may leave dangling functions. Finally, this form is more 
compatible with the SQL standard and other SQL implementations.
"

> 
> I understand if fixing this is too much work (even though I would
> really like to see this fixed). But given that the current behavior is
> highly surprising and inconsistent - and keeping in mind that this is a
> subject that may affect security - I think the documentation should
> reflect the current behavior at least. I thus see this as a
> documentation issue.
> 
> Kind regards,
> Jan Behrens
> 
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com