--- debian/postgresql/usr/share/man/man7/create_function.7
+++ debian/postgresql/usr/share/man/man7/create_function.7
@@ -230,6 +230,49 @@
RETURNS NULL ON NULL INPUT;
.sp
.fi
+.SH "WRITING SECURITY DEFINER FUNCTIONS SAFELY"
+.PP
+Because a SECURITY DEFINER function is executed
+with the privileges of the user that created it, care is needed to
+ensure that the function cannot be misused. For security,
+search_path should be set to exclude any schemas
+writable by untrusted users. This prevents
+malicious users from creating objects that mask objects used by the
+function. Particularly important is in this regard is the
+temporary-table schema, which is searched first by default, and
+is normally writable by anyone. A secure arrangement can be had
+by forcing the temporary schema to be searched last. To do this,
+write pg_temp as the last entry in search_path.
+This function illustrates safe usage:
+.sp
+.nf
+CREATE FUNCTION check_password(uname TEXT, pass TEXT)
+RETURNS BOOLEAN AS $$
+DECLARE passed BOOLEAN;
+ old_path TEXT;
+BEGIN
+ -- Save old search_path; notice we must qualify current_setting
+ -- to ensure we invoke the right function
+ old_path := pg_catalog.current_setting('search_path');
+
+ -- Set a secure search_path: trusted schemas, then 'pg_temp'.
+ -- We set is_local = true so that the old value will be restored
+ -- in event of an error before we reach the function end.
+ PERFORM pg_catalog.set_config('search_path', 'admin, pg_temp', true);
+
+ -- Do whatever secure work we came for.
+ SELECT (pwd = $2) INTO passed
+ FROM pwds
+ WHERE username = $1;
+
+ -- Restore caller's search_path
+ PERFORM pg_catalog.set_config('search_path', old_path, true);
+
+ RETURN passed;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+.sp
+.fi
.SH "COMPATIBILITY"
.PP
A \fBCREATE FUNCTION\fR command is defined in SQL99.
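Review bot: The new "WRITING SECURITY DEFINER FUNCTIONS SAFELY" section covers search_path masking but says nothing about call privileges: a newly created function is executable by PUBLIC by default, so a SECURITY DEFINER function is reachable by every role until that grant is narrowed, and a closing sentence such as `After creating the function, revoke the default EXECUTE privilege with REVOKE ALL ON FUNCTION check_password(text, text) FROM PUBLIC and grant EXECUTE only to the roles that need it.` would complete the guidance. In the sample itself, `SELECT (pwd = $2) INTO passed FROM pwds WHERE username = $1;` leaves `passed` NULL when no row matches, so the function returns NULL rather than FALSE for an unknown user; `RETURN COALESCE(passed, false);` yields a definite boolean. The same section and sample are repeated verbatim in the HTML hunk for sql-createfunction.html, and both copies carry the doubled word in `Particularly important is in this regard is the`.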
--- debian/postgresql-doc/usr/share/doc/postgresql/html/sql-createfunction.html.orig 2007-04-20 11:15:37.000000000 +0200
+++ debian/postgresql-doc/usr/share/doc/postgresql/html/sql-createfunction.html 2007-04-20 11:19:00.000000000 +0200
@@ -727,6 +727,70 @@
><DIV
CLASS="REFSECT1"
><A
+NAME="SQL-CREATEFUNCTION-SECURITY"
+></A
+><H2
+>Writing <TT
+CLASS="LITERAL"
+>SECURITY DEFINER</TT
+> Functions Safely</H2
+><P
+> Because a <TT
+CLASS="LITERAL"
+>SECURITY DEFINER</TT
+> function is executed
+ with the privileges of the user that created it, care is needed to
+ ensure that the function cannot be misused. For security,
+ <A
+HREF="runtime-config-client.html#GUC-SEARCH-PATH"
+>search_path</A
+> should be set to exclude any schemas
+ writable by untrusted users. This prevents
+ malicious users from creating objects that mask objects used by the
+ function. Particularly important is in this regard is the
+ temporary-table schema, which is searched first by default, and
+ is normally writable by anyone. A secure arrangement can be had
+ by forcing the temporary schema to be searched last. To do this,
+ write <TT
+CLASS="LITERAL"
+>pg_temp</TT
+> as the last entry in <TT
+CLASS="VARNAME"
+>search_path</TT
+>.
+ This function illustrates safe usage:
+ </P
+><PRE
+CLASS="PROGRAMLISTING"
+>CREATE FUNCTION check_password(uname TEXT, pass TEXT)
+RETURNS BOOLEAN AS $$
+DECLARE passed BOOLEAN;
+ old_path TEXT;
+BEGIN
+ -- Save old search_path; notice we must qualify current_setting
+ -- to ensure we invoke the right function
+ old_path := pg_catalog.current_setting('search_path');
+
+ -- Set a secure search_path: trusted schemas, then 'pg_temp'.
+ -- We set is_local = true so that the old value will be restored
+ -- in event of an error before we reach the function end.
+ PERFORM pg_catalog.set_config('search_path', 'admin, pg_temp', true);
+
+ -- Do whatever secure work we came for.
+ SELECT (pwd = $2) INTO passed
+ FROM pwds
+ WHERE username = $1;
+
+ -- Restore caller's search_path
+ PERFORM pg_catalog.set_config('search_path', old_path, true);
+
+ RETURN passed;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;</PRE
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
NAME="SQL-CREATEFUNCTION-COMPAT"
></A
><H2
@@ -855,4 +919,4 @@
></DIV
></BODY
></HTML
->
\ Kein Zeilenumbruch am Dateiende.
+>
--- ./debian/postgresql-doc/usr/share/doc/postgresql-doc/html/runtime-config.html.orig 2007-04-20 11:20:43.000000000 +0200
+++ ./debian/postgresql-doc/usr/share/doc/postgresql-doc/html/runtime-config.html 2007-04-20 11:27:26.000000000 +0200
@@ -2843,7 +2843,9 @@
>before</I
></SPAN
> searching any of the path items.
- It should also be noted that the temporary-table schema,
+ </P
+><P
+> Likewise, the current session's temporary-table schema,
<TT
CLASS="LITERAL"
>pg_temp_<TT
@@ -2852,8 +2854,19 @@
>nnn</I
></TT
></TT
->, is implicitly searched before any of
- these.
+>, is always searched if it
+ exists. It can be explicitly listed in the path by using the
+ alias <TT
+CLASS="LITERAL"
+>pg_temp</TT
+>. If it is not listed in the path then
+ it is searched first (before even <TT
+CLASS="LITERAL"
+>pg_catalog</TT
+>). However,
+ the temporary schema is only searched for relation (table, view,
+ sequence, etc) and data type names. It will never be searched for
+ function or operator names.
</P
><P
> When objects are created without specifying a particular target
@@ -4379,4 +4392,4 @@
></DIV
></BODY
></HTML
->
\ Kein Zeilenumbruch am Dateiende.
+>