author | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:31 -0500 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2014-02-17 09:33:36 -0500 |
commit | 338daafe01c31fd8962965a882f2d5b878ea3183 (patch) | |
tree | d0e85c90e67ae7e990e76d7fa2b34a578dabe387 | |
parent | 23b5a85e60c464ab8bc438a547a4b15260ca9453 (diff) | |
Document security implications of check_function_bodies.
Back-patch to 8.4 (all supported versions).
-rw-r--r-- | doc/src/sgml/config.sgml | 8 |
-rw-r--r-- | doc/src/sgml/plhandler.sgml | 12 |
2 files changed, 12 insertions, 8 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index ca368412094..0950422614a 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -4657,9 +4657,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv; <para> This parameter is normally on. When set to <literal>off</>, it disables validation of the function body string during <xref - linkend="sql-createfunction">. Disabling validation is - occasionally useful to avoid problems such as forward references - when restoring function definitions from a dump. + linkend="sql-createfunction">. Disabling validation avoids side + effects of the validation process and avoids false positives due + to problems such as forward references. Set this parameter + to <literal>off</> before loading functions on behalf of other + users; <application>pg_dump</> does so automatically. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/plhandler.sgml b/doc/src/sgml/plhandler.sgml index 59302517769..e2943633532 100644 --- a/doc/src/sgml/plhandler.sgml +++ b/doc/src/sgml/plhandler.sgml 
@@ -195,11 +195,13 @@ CREATE LANGUAGE plsample <para> Validator functions should typically honor the <xref linkend="guc-check-function-bodies"> parameter: if it is turned off then - any expensive or context-sensitive checking should be skipped. - In particular, this parameter is turned off by <application>pg_dump</> - so that it can load procedural language functions without worrying - about possible dependencies of the function bodies on other database - objects. (Because of this requirement, the call handler should avoid + any expensive or context-sensitive checking should be skipped. If the + language provides for code execution at compilation time, the validator + must suppress checks that would induce such execution. In particular, + this parameter is turned off by <application>pg_dump</> so that it can + load procedural language functions without worrying about side effects or + dependencies of the function bodies on other database objects. + (Because of this requirement, the call handler should avoid assuming that the validator has fully checked the function. The point of having a validator is not to let the call handler omit checks, but to notify the user immediately if there are obvious errors in a |
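Review bot: In the doc/src/sgml/config.sgml hunk, the added text "Disabling validation avoids side effects of the validation process" never says what those side effects are or why they matter when "loading functions on behalf of other users", so a reader who lands on this parameter alone does not learn the security implication the commit message names. The plhandler.sgml hunk states it (a language may provide for code execution at compilation time); consider adding a short clause here to that effect, or an xref to the validator section, so the advice to set the parameter to off carries its reason.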
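Review bot: In the doc/src/sgml/plhandler.sgml hunk, the new sentence "If the language provides for code execution at compilation time, the validator must suppress checks that would induce such execution" does not repeat the condition from the sentence before it ("if it is turned off"), so read alone it could be taken to mean such checks are suppressed always rather than only when check_function_bodies is off. It also switches from "should" to "must" without saying that this case is the mandatory one. Suggest tying it explicitly to the parameter, for example "when the parameter is off, the validator must suppress ...", so validator authors know exactly which behaviour is required and when.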