Re: Loose ends after CVE-2020-14350 (extension installation hazards)

On 08/14/20 14:50, Tom Lane wrote:
>     SAVEPOINT s1;
>     SET LOCAL search_path = pg_catalog, pg_temp;
>     ... protected code here ...
>     RELEASE SAVEPOINT s1;
> 
> but this does not work because SET LOCAL persists to the end of the
> outer transaction.  Maybe we could invent a variant that only lasts
> for the current subtransaction.

This reminds me of the way the SQL standard overloads WITH to supply
lexically-scoped settings of things, as well as CTEs, mentioned a while
back. [1]

Would this provide additional incentive to implement that syntax,
generalized to support arbitrary GUCs and not just the handful of
specific settings the standard uses it for?

Regards,
-Chap



[1] https://www.postgresql.org/message-id/5AAEAE0F.20006%40anastigmatix.net