From 40d1a1016d75daee39219fcda9eec2e38d1028e8 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Thu, 1 May 2025 16:51:59 -0700 Subject: Doc: stop implying recommendation of insecure search_path value. SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to "SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead of the intended "SET search_path = pg_catalog, pg_temp". (The intent was a two-element search path. With the single quotes, it instead specifies one element with a comma and a space in the middle of the element.) In addition to the SET statement, this affects SET clauses of CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE. It does not affect the set_config() SQL function. Though the documentation did not show an insecure command, remove single quotes that could entice a reader to write an insecure command. Back-patch to v13 (all supported versions). Reported-by: Sven Klemm Author: Sven Klemm Backpatch-through: 13 --- doc/src/sgml/extend.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml index 218940ee5ce..4b7094f2739 100644 --- a/doc/src/sgml/extend.sgml +++ b/doc/src/sgml/extend.sgml @@ -1339,8 +1339,8 @@ SELECT * FROM pg_extension_update_paths('extension_namesearch_path; do not trust the path provided by CREATE/ALTER EXTENSION to be secure. Best practice is to temporarily - set search_path to 'pg_catalog, - pg_temp' and insert references to the extension's + set search_path to pg_catalog, + pg_temp and insert references to the extension's installation schema explicitly where needed. (This practice might also be helpful for creating views.) Examples can be found in the contrib modules in -- cgit v1.2.3