On 9/12/07, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> It would break functions that actually want to use a caller-specified
> search path, and protect themselves by explicitly schema-qualifying
> every other reference than one to some caller-specified object. Which
> admittedly is notationally a pain in the neck, but it's possible to do.
> I do not think that we should foreclose potentially useful behavior
> *and* make a major break in backward compatibility in order to make
> a very small improvement in security.
In that case, is there anything wrong with Zdenek's suggestion to add
a warning on SECURITY DEFINER functions that do not set a search_path?
Something to the tune of
WARNING: "Your function is defined with SECURITY DEFINER but does not
specify a local search path. This is potentially a serious security
vulnerability."
HINT: "Use the SET clause in CREATE FUNCTION to set a safe search path
which is specific to your function."