Use @extschema:name@ notation in contrib transform modules.

Harden hstore_plperl, hstore_plpython, and ltree_plpython against search-path-based attacks by using @extschema:name@ notation to refer to the underlying hstore or ltree data type. This allows removal of the previous documentation warning suggesting that they must be installed in the same schema as the underlying data type. In passing, also improve a para in extend.sgml to suggest using @extschema:name@ for such purposes. Discussion: https://postgr.es/m/[email protected]
author: Tom Lane 2025-01-09 20:16:56 +0000
committer: Tom Lane 2025-01-09 20:16:56 +0000
commit: bebe9040388bb2292585eab712fe4d29a71843fb (patch)
tree: bc665989a9135290e57b623df27ebd35bef8bd64 /doc/src/sgml/hstore.sgml
parent: ebd8fc7e47fdad6adb68aad341d95c541d7325c3 (diff)
1 files changed, 0 insertions, 9 deletions
diff --git a/doc/src/sgml/hstore.sgml b/doc/src/sgml/hstore.sgml
index 7d93e49e913..44325e0bba0 100644
--- a/doc/src/sgml/hstore.sgml
+++ b/doc/src/sgml/hstore.sgml
@@ -946,15 +946,6 @@ ALTER TABLE tablename ALTER hstorecol TYPE hstore USING hstorecol || '';
    extension for PL/Python is called <literal>hstore_plpython3u</literal>.
    If you use it, <type>hstore</type> values are mapped to Python dictionaries.
   </para>
-
-  <caution>
-   <para>
-    It is strongly recommended that the transform extensions be installed in
-    the same schema as <filename>hstore</filename>.  Otherwise there are
-    installation-time security hazards if a transform extension's schema
-    contains objects defined by a hostile user.
-   </para>
-  </caution>
  </sect2>
 
  <sect2 id="hstore-authors">
author	Tom Lane	2025-01-09 20:16:56 +0000
committer	Tom Lane	2025-01-09 20:16:56 +0000
commit	bebe9040388bb2292585eab712fe4d29a71843fb (patch)
tree	bc665989a9135290e57b623df27ebd35bef8bd64 /doc/src/sgml/hstore.sgml
parent	ebd8fc7e47fdad6adb68aad341d95c541d7325c3 (diff)