Re: Converting contrib SQL functions to new style
Robert Haas <robertmhaas@gmail.com>
On Wed, Apr 14, 2021 at 8:58 AM Noah Misch <noah@leadboat.com> wrote: > Once CREATE EXTENSION is over, things are a great deal safer under this > proposal, as you say. I suspect it makes CREATE EXTENSION more hazardous. > Today, typical SQL commands in extension creation scripts don't activate > inexact argument type matching. You were careful to make each script clear > the search_path around commands deviating from that (commit 7eeb1d9). I think > "CREATE FUNCTION plus1dot1(int) RETURNS numeric LANGUAGE SQL RETURN $1 + 1.1;" > in a trusted extension script would constitute a security vulnerability, since > it can lock in the wrong operator. I don't understand how that can happen, unless we've failed to secure the search_path. And, if we've failed to secure the search_path, I think we are in a lot of trouble no matter what else we do. -- Robert Haas EDB: http://www.enterprisedb.com
Commits
-
Use @extschema:name@ notation in contrib transform modules.
- bebe9040388b 18.0 landed
-
pg_freespacemap: Fix declaration of pg_freespace(regclass)
- e0c3d5122e6a 18.0 landed
-
contrib/pageinspect: Use SQL-standard function bodies.
- 68ff25eef125 18.0 landed
-
contrib/xml2: Use SQL-standard function bodies.
- 667368fd26de 18.0 landed
-
contrib/citext: Use SQL-standard function bodies.
- 97a5a16849eb 18.0 landed
-
contrib/earthdistance: Use SQL-standard function bodies.
- 969bbd0fafc0 18.0 landed
- 3652de36e432 17.3 landed
- 31daa10facec 16.7 landed
-
contrib/lo: Use SQL-standard function bodies
- 13e3796c906b 18.0 landed
-
xml2: Add tests for functions xpath_nodeset() and xpath_list()
- 93f9b4a93fef 18.0 landed
-
contrib/lo: Add test for function lo_oid()
- 3ef038fc4f76 18.0 landed
-
pg_freespacemap: Use SQL-standard function bodies
- 3f323eba89fb 18.0 landed
-
Add @extschema:name@ and no_relocate options to extensions.
- 72a5b1fc8804 16.0 cited
-
Make contrib modules' installation scripts more secure.
- 7eeb1d9861b0 14.0 cited