Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qUoTM-00EsRy-46 for pgsql-hackers@arkaria.postgresql.org; Sat, 12 Aug 2023 13:16:04 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1qUoTK-000Csj-Cn for pgsql-hackers@arkaria.postgresql.org; Sat, 12 Aug 2023 13:16:02 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1qUoTJ-000Csb-MJ for pgsql-hackers@lists.postgresql.org; Sat, 12 Aug 2023 13:16:02 +0000 Received: from mail-yw1-x1132.google.com ([2607:f8b0:4864:20::1132]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1qUoTG-0024LH-S1 for pgsql-hackers@postgresql.org; Sat, 12 Aug 2023 13:16:01 +0000 Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-584243f84eeso31690077b3.0 for ; Sat, 12 Aug 2023 06:15:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joeconway.com; s=google; t=1691846156; x=1692450956; h=content-transfer-encoding:in-reply-to:subject:from:references:to :content-language:user-agent:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=LGC4Z8ecR984OosJsVRS/rKrpQQzesyAEMFTIa3HcM0=; b=F87/jZ7Lr0suCe4D7tBl7PqeJ5KBJk4qY6HeloprQoUTOBd9MW1t+fuouVh17/+aMP 3k2N3SgKCONaazFRx5h27HPo0f3pE3Adi/D4kW3kSUIRJTvZOHUXKObJfKMGjBj+fc1q g5tJfsLq0w5gnbYM80EdlKYPkS/urYOMKlsak7LtJ3J6fTaC6f2XTpNegUvkWvmMaeb5 c6jkBJkqQeirXYTiVV1OzzoGQTDWnPL/2PnMWDgEVCINGiViCrCuvqcrLCSDaU6b3yFM sv3PHRbDYg3bywMv2d5W7loCyk0fIQFCQkuWRCBPKte4SJ6s8131XwgHekneDeC35PmJ C7IQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691846156; x=1692450956; h=content-transfer-encoding:in-reply-to:subject:from:references:to :content-language:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=LGC4Z8ecR984OosJsVRS/rKrpQQzesyAEMFTIa3HcM0=; b=hcMXglTYFansdyRHOFe5v6pOg0LpbqmykHru3JO4bw7eiL7c3LgJEA4zybqtENxQzQ I0aRRE9/oRh+P8VeCaBiZI1r9YZmtstLe24qGLlVEmnzBk5r4w2vUmkztGFaCdn+PBjb rOyOvK9H4wERi2S2xjDpXNLL8mCRKF5mwH6NiWGLaSEq/ozfgmzYeNy1+MIT45jTAi45 waNY3l/AIiyuxPMeSbajlK5KbtNHwk6EslmXuL2vyIoKgCR4hF1MuEX1z7acMT88SY+t A9mwMosMNqAJgbaDuhCv4PpD2yIyaAwAAdjPe9aJVZroMy0laO5KabaL2dkxyoKiYzCu RIRA== X-Gm-Message-State: AOJu0YwdUbBNcRhsSefeUA0OD1OdwHBGef89hQZANVW1dBwoZSE0xi6I jAL3hSrhBQ0gimoaxkz3A9C/4g== X-Google-Smtp-Source: AGHT+IEvuBApeJp7moF3owIsG/PaZ0W1W+UW5VMQZWYhQAm+7LgBHTT4SnKLpW+thBMZvcEU+npl5g== X-Received: by 2002:a05:690c:3389:b0:579:f5c2:b16e with SMTP id fl9-20020a05690c338900b00579f5c2b16emr6301820ywb.31.1691846156304; Sat, 12 Aug 2023 06:15:56 -0700 (PDT) Received: from [192.168.4.41] (162-239-31-113.lightspeed.dybhfl.sbcglobal.net. [162.239.31.113]) by smtp.gmail.com with ESMTPSA id r30-20020a81441e000000b005836fc7df19sm1609435ywa.81.2023.08.12.06.15.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Aug 2023 06:15:55 -0700 (PDT) Message-ID: <0e51f9e2-9272-ccb3-9219-39d7695f7c50@joeconway.com> Date: Sat, 12 Aug 2023 09:15:55 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Content-Language: en-US To: Jeff Davis , pgsql-hackers@postgresql.org References: <2710f56add351a1ed553efb677408e51b060e67c.camel@j-davis.com> From: Joe Conway Subject: Re: CREATE FUNCTION ... SEARCH { DEFAULT | SYSTEM | SESSION } In-Reply-To: <2710f56add351a1ed553efb677408e51b060e67c.camel@j-davis.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 8/11/23 22:35, Jeff Davis wrote: > The attached patch implements a new SEARCH clause for CREATE FUNCTION. > The SEARCH clause controls the search_path used when executing > functions that were created without a SET clause. > > Background: > > Controlling search_path is critical for the correctness and security of > functions. Right now, the author of a function without a SET clause has > little ability to control the function's behavior, because even basic > operators like "+" involve search_path. This is a big problem for, e.g. > functions used in expression indexes which are called by any user with > write privileges on the table. > > Motivation: > > I'd like to (eventually) get to safe-by-default behavior. In other > words, the simplest function declaration should be safe for the most > common use cases. I agree with the general need. > Add SEARCH { DEFAULT | SYSTEM | SESSION } clause to CREATE/ALTER > function. > > * SEARCH DEFAULT is the same as no SEARCH clause at all, and ends up > stored in the catalog as prosearch='d'. > * SEARCH SYSTEM means that we switch to the safe search path of > "pg_catalog, pg_temp" when executing the function. Stored as > prosearch='y'. > * SEARCH SESSION means that we don't switch the search_path when > executing the function, and it's inherited from the session. Stored as > prosearch='e'. It isn't clear to me what is the precise difference between DEFAULT and SESSION > 2. We can more accurately serve the user's intent. For instance, the > safe search_path of "pg_catalog, pg_temp" is arcane and seems to be > there just because we don't have a way to specify that pg_temp be > excluded entirely. But perhaps in the future we *do* want to exclude > pg_temp entirely. Knowing that the user just wants "SEARCH SYSTEM" > allows us some freedom to do that. Personally I think having pg_temp in the SYSTEM search path makes sense for temp tables, but I find it easy to forget that functions can be created by unprivileged users in pg_temp, and therefore having pg_temp in the search path for functions is dangerous. -- Joe Conway PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com