Re: Advisory on possibly insecure security definer functions

On 2/13/07, Peter Eisentraut <peter_e@gmx.net> wrote:
> The proper fix for this problem is to insert explicit SET search_path
> commands into each affected function to produce a known safe schema
> search path.  Note that using the default search path, which includes a
> reference to the "$user" schema, is not safe when unqualified
> references are intended to be found in the "public" schema and "$user"
> schemas exist or can be created by other users.  It is also not
> recommended to rely on rigorously schema-qualifying all function and
> operator invocations in function source texts, as such measures are
> likely to induce mistakes and will furthermore make the source code
> harder to read and maintain.

Could you clarify what functions are going to get an explicit 'set
search_path'?  Will this change the behavior of any userland
functions?

merlin