From c6a26e4ccd1bf090ab755df2f597103798284d3a Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Thu, 1 May 2025 16:51:59 -0700 Subject: [PATCH] Doc: stop implying recommendation of insecure search_path value. SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to "SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead of the intended "SET search_path = pg_catalog, pg_temp". (The intent was a two-element search path. With the single quotes, it instead specifies one element with a comma and a space in the middle of the element.) In addition to the SET statement, this affects SET clauses of CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE. It does not affect the set_config() SQL function. Though the documentation did not show an insecure command, remove single quotes that could entice a reader to write an insecure command. Back-patch to v13 (all supported versions). Reported-by: Sven Klemm Author: Sven Klemm Backpatch-through: 13 --- doc/src/sgml/extend.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml index 4915c1985e0..065bc49c973 100644 --- a/doc/src/sgml/extend.sgml +++ b/doc/src/sgml/extend.sgml @@ -1344,8 +1344,8 @@ SELECT * FROM pg_extension_update_paths('extension_namesearch_path; do not trust the path provided by CREATE/ALTER EXTENSION to be secure. Best practice is to temporarily - set search_path to 'pg_catalog, - pg_temp' and insert references to the extension's + set search_path to pg_catalog, + pg_temp and insert references to the extension's installation schema explicitly where needed. (This practice might also be helpful for creating views.) Examples can be found in the contrib modules in -- 2.30.2