On Mon, 2019-07-08 at 23:54 -0700, Igal @ Lucee.org wrote:
> > I have a custom search_path:
> >
> > # show search_path;
> > search_path
> > ----------------------------------
> > "staging, transient, pg_catalog"
> > (1 row)
> >
> > I ran `pg_dump --schema-only` and the only reference in the output to
> > search_path is:
> >
> > SELECT pg_catalog.set_config('search_path', '', false);
> >
> > Then one of my functions which does not reference the full name of a
> > table with its schema fails with "relation [rel-name] does not exist".
> >
> > Is that a bug? I have seen some old posts about this issue but am not
> > sure if there is a ticket or why it still is an issue.
> >
> Looks like this might be by design. I will follow the links at
>
https://www.postgresql.org/message-id/flat/MWHPR14MB160079A6D9DC64A2F60E9004C0D00%40MWHPR14MB1600.namprd14.prod.outlook.com
> and ask more questions if I have them.
>
> I might need to add the schema name to the table in my function.
Right.
Allowing object lookup along the search_path during pg_restore opens
doors to abuse, because it can make a superuser inadvertedly execute
code crafted by an attacker.
Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
