On Sat, 28 Dec 2024 00:40:09 +0100 Jan Behrens <jbe-mlist@xxxxxxxxxxxxx> wrote: > On Fri, 27 Dec 2024 13:26:28 -0700 > "David G. Johnston" <david.g.johnston@xxxxxxxxx> wrote: > > > > Or is it documented somewhere? > > > > https://www.postgresql.org/docs/current/plpgsql-implementation.html#PLPGSQL-PLAN-CACHING > > I can't find any notes regarding functions and schemas in that section. Actually, I found another note in the documentation. But it doesn't explain things correctly. In the documentation for PostgreSQL 17, section 36.17.6.1. (Security Considerations for Extension Functions) says: "SQL-language and PL-language functions provided by extensions are at risk of search-path-based attacks when they are executed, since parsing of these functions occurs at execution time not creation time." https://www.postgresql.org/docs/17/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY So here, the manual explicity states that functions are parsed at execution, not creation time. As seen in my original example in this thread, this isn't (fully) true. Moreover, it isn't true for all SQL-language functions, as can be demonstrated with the following code: ============ CREATE SCHEMA s1; CREATE SCHEMA s2; CREATE VIEW s1.v AS SELECT 'creation' AS col; CREATE VIEW s2.v AS SELECT 'runtime' AS col; SET search_path TO 'public', 's1'; CREATE FUNCTION use_sql_atomic() RETURNS TEXT LANGUAGE sql BEGIN ATOMIC SELECT 'use_sql_atomic = ' || col FROM v; END; CREATE FUNCTION use_sql_string() RETURNS TEXT LANGUAGE sql AS $$ SELECT 'use_sql_string = ' || col FROM v; $$; CREATE FUNCTION use_plpgsql() RETURNS TEXT LANGUAGE plpgsql AS $$ BEGIN RETURN (SELECT 'use_plpgsql = ' || col FROM v); END; $$; SET search_path TO 'public', 's2'; SELECT use_sql_atomic() AS "output" UNION ALL SELECT use_sql_string() AS "output" UNION ALL SELECT use_plpgsql() AS "output"; ============ This generates the following output: output --------------------------- use_sql_atomic = creation use_sql_string = runtime use_plpgsql = runtime (3 rows) Overall, PostgreSQL doesn't behave consistent, and to me it seems that the documentation isn't describing its behavior correctly either. I understand if fixing this is too much work (even though I would really like to see this fixed). But given that the current behavior is highly surprising and inconsistent - and keeping in mind that this is a subject that may affect security - I think the documentation should reflect the current behavior at least. I thus see this as a documentation issue. Kind regards, Jan Behrens
