On Thu, Oct 21, 2010 at 12:47 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Josh Kupershmidt <schmiddy@gmail.com> writes:
>> pg_temp is being implicitly included in the default search path when
>> looking for tables, but not for functions. Is there a reason for this
>> difference?
>
> Yes. They used to be the same, but awhile back we decided it was a
> security hole to look for functions or operators in the implicit temp
> schema. It makes it too easy for someone to substitute a trojan-horse
> function that will be picked up in preference to whatever's in the
> normal search path. See CVE-2007-2138.
>
> If you actually do want to define and call temporary functions, you
> can include "pg_temp" in the search path explicitly, or perhaps better,
> explicitly qualify the intentional calls with pg_temp.
Thanks, thought it might be something like that.
Josh