"Tom Lane" <tgl@sss.pgh.pa.us> writes:
> Gregory Stark <stark@enterprisedb.com> writes:
>> I think security definer functions should automatically inherit their
>> search_path. The whole "secure by default" thing.
>
> This assumes that the search path at creation time has something to do
> with the path you'd like to use at execution, which is unlikely to be
> the case in existing pg_dump output, to name one example. I don't
> really want to get into doing the above.
pg_dump will have to do a ALTER FUNCTION SET command anyways, no? So the
default search_path that gets saved doesn't really matter. In general if it's
not the search path you want at run-time you just have to change it, but you
should always have *something* set or else it's a wide open security hole.
I'm not clear why the search path at creation time is such a bad choice
anyways, it is security "definer", what's the difference between taking the
userid from the defining environment and taking the search path from the
defining environment?
-- Gregory Stark EnterpriseDB http://www.enterprisedb.com
