On Tue, Apr 13, 2021 at 06:26:34PM -0400, Tom Lane wrote:
> Attached are some draft patches to convert almost all of the
> contrib modules' SQL functions to use SQL-standard function bodies.
> The point of this is to remove the residual search_path security
> hazards that we couldn't fix in commits 7eeb1d986 et al. Since
> a SQL-style function body is fully parsed at creation time,
> its object references are not subject to capture by the run-time
> search path.
Are there any inexact matches in those function/operator calls? Will that
matter more or less than it does today?
> However I think we may still need an assumption that earthdistance
> and cube are in the same schema --- any comments on that?
That part doesn't change, indeed.
> I'd like to propose squeezing these changes into v14, even though
> we're past feature freeze. Reason one is that this is less a
> new feature than a security fix; reason two is that this provides
> some non-artificial test coverage for the SQL-function-body feature.
Dogfooding like this is good. What about the SQL-language functions that
initdb creates?
