author: Noah Misch <noah@leadboat.com> 2014-02-17 09:33:31 -0500
committer: Noah Misch <noah@leadboat.com> 2014-02-17 09:33:31 -0500
commit: 540b4e5bc85f7e44842493a810b04a84881db20f
tree: 626a3a613fe9ac673a3d07d68ed8c65c434b5317
parent: 537cbd35c893e67a63c59bc636c3e888bd228bc7
Document security implications of check_function_bodies.
Back-patch to 8.4 (all supported versions).
-rw-r--r-- doc/src/sgml/config.sgml 8
-rw-r--r-- doc/src/sgml/plhandler.sgml 12
2 files changed, 12 insertions, 8 deletions
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index e12778b263c..4dc1277f252 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -5153,9 +5153,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;
<para>
This parameter is normally on. When set to <literal>off</>, it
disables validation of the function body string during <xref
- linkend="sql-createfunction">. Disabling validation is
- occasionally useful to avoid problems such as forward references
- when restoring function definitions from a dump.
+ linkend="sql-createfunction">. Disabling validation avoids side
+ effects of the validation process and avoids false positives due
+ to problems such as forward references. Set this parameter
+ to <literal>off</> before loading functions on behalf of other
+ users; <application>pg_dump</> does so automatically.
</para>
</listitem>
</varlistentry>
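Review bot: The added instruction "Set this parameter to off before loading functions on behalf of other users" in config.sgml never names the risk it guards against. The only hint is "side effects of the validation process", so a reader who sees just this parameter entry cannot tell that the advice is a security measure rather than a convenience for dump restores. Suggest stating what kind of side effect is meant (the plhandler.sgml hunk in this same commit speaks of code execution at compilation time) and adding an xref to the validator discussion there, so that the two passages explain each other.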
diff --git a/doc/src/sgml/plhandler.sgml b/doc/src/sgml/plhandler.sgml
index aa4bba3bee1..0fc5d7b411b 100644
--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
<para>
Validator functions should typically honor the <xref
linkend="guc-check-function-bodies"> parameter: if it is turned off then
- any expensive or context-sensitive checking should be skipped.
- In particular, this parameter is turned off by <application>pg_dump</>
- so that it can load procedural language functions without worrying
- about possible dependencies of the function bodies on other database
- objects. (Because of this requirement, the call handler should avoid
+ any expensive or context-sensitive checking should be skipped. If the
+ language provides for code execution at compilation time, the validator
+ must suppress checks that would induce such execution. In particular,
+ this parameter is turned off by <application>pg_dump</> so that it can
+ load procedural language functions without worrying about side effects or
+ dependencies of the function bodies on other database objects.
+ (Because of this requirement, the call handler should avoid
assuming that the validator has fully checked the function. The point
of having a validator is not to let the call handler omit checks, but
to notify the user immediately if there are obvious errors in a
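Review bot: The new sentence "the validator must suppress checks that would induce such execution" in plhandler.sgml does not repeat the condition from the sentence before it, so it can be read either as applying only when check_function_bodies is off or as an unconditional rule for every validator. Since the neighbouring text uses "should" and this one uses "must", the scope matters to language authors; suggest making it explicit, for example "When it is turned off, a validator for a language that provides for code execution at compilation time must suppress checks that would induce such execution."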