diff options
Diffstat (limited to 'doc/src/sgml/ref/create_function.sgml')
| -rw-r--r-- | doc/src/sgml/ref/create_function.sgml | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml index 0991e96a54a..b62952f8c3f 100644 --- a/doc/src/sgml/ref/create_function.sgml +++ b/doc/src/sgml/ref/create_function.sgml @@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.64 2005/01/04 00:39:53 tgl Exp $ +$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.64.4.1 2007/04/20 02:38:29 tgl Exp $ --> <refentry id="SQL-CREATEFUNCTION"> @@ -418,6 +418,54 @@ $$ LANGUAGE plpgsql; </para> </refsect1> + <refsect1 id="sql-createfunction-security"> + <title>Writing <literal>SECURITY DEFINER</literal> Functions Safely</title> + + <para> + Because a <literal>SECURITY DEFINER</literal> function is executed + with the privileges of the user that created it, care is needed to + ensure that the function cannot be misused. For security, + <xref linkend="guc-search-path"> should be set to exclude any schemas + writable by untrusted users. This prevents + malicious users from creating objects that mask objects used by the + function. Particularly important is in this regard is the + temporary-table schema, which is searched first by default, and + is normally writable by anyone. A secure arrangement can be had + by forcing the temporary schema to be searched last. To do this, + write <literal>pg_temp</> as the last entry in <varname>search_path</>. + This function illustrates safe usage: + </para> + +<programlisting> +CREATE FUNCTION check_password(uname TEXT, pass TEXT) +RETURNS BOOLEAN AS $$ +DECLARE passed BOOLEAN; + old_path TEXT; +BEGIN + -- Save old search_path; notice we must qualify current_setting + -- to ensure we invoke the right function + old_path := pg_catalog.current_setting('search_path'); + + -- Set a secure search_path: trusted schemas, then 'pg_temp'. + -- We set is_local = true so that the old value will be restored + -- in event of an error before we reach the function end. + PERFORM pg_catalog.set_config('search_path', 'admin, pg_temp', true); + + -- Do whatever secure work we came for. + SELECT (pwd = $2) INTO passed + FROM pwds + WHERE username = $1; + + -- Restore caller's search_path + PERFORM pg_catalog.set_config('search_path', old_path, true); + + RETURN passed; +END; +$$ LANGUAGE plpgsql SECURITY DEFINER; +</programlisting> + + </refsect1> + <refsect1 id="sql-createfunction-compat"> <title>Compatibility</title> |