Re: pg_temp implicit search path: functions vs. tables

Josh Kupershmidt <schmiddy@gmail.com> writes:
> pg_temp is being implicitly included in the default search path when
> looking for tables, but not for functions. Is there a reason for this
> difference?

Yes.  They used to be the same, but awhile back we decided it was a
security hole to look for functions or operators in the implicit temp
schema.  It makes it too easy for someone to substitute a trojan-horse
function that will be picked up in preference to whatever's in the
normal search path.  See CVE-2007-2138.

If you actually do want to define and call temporary functions, you
can include "pg_temp" in the search path explicitly, or perhaps better,
explicitly qualify the intentional calls with pg_temp.

            regards, tom lane