On 1/1/25 09:55, Jan Behrens wrote:
On Sat, 28 Dec 2024 00:40:09 +0100
Jan Behrens <jbe-mlist@xxxxxxxxxxxxx> wrote:
On Fri, 27 Dec 2024 13:26:28 -0700
"David G. Johnston" <david.g.johnston@xxxxxxxxx> wrote:
Or is it documented somewhere?
https://www.postgresql.org/docs/current/plpgsql-implementation.html#PLPGSQL-PLAN-CACHING
I can't find any notes regarding functions and schemas in that section.
Actually, I found another note in the documentation. But it doesn't
explain things correctly. In the documentation for PostgreSQL 17,
section 36.17.6.1. (Security Considerations for Extension Functions)
says:
"SQL-language and PL-language functions provided by extensions are at
risk of search-path-based attacks when they are executed, since parsing
of these functions occurs at execution time not creation time."
https://www.postgresql.org/docs/17/extend-extensions.html#EXTEND-EXTENSIONS-SECURITY
So here, the manual explicity states that functions are parsed at
execution, not creation time. As seen in my original example in this
thread, this isn't (fully) true. Moreover, it isn't true for all
SQL-language functions, as can be demonstrated with the following code:
============
CREATE SCHEMA s1;
CREATE SCHEMA s2;
CREATE VIEW s1.v AS SELECT 'creation' AS col;
CREATE VIEW s2.v AS SELECT 'runtime' AS col;
SET search_path TO 'public', 's1';
CREATE FUNCTION use_sql_atomic() RETURNS TEXT LANGUAGE sql BEGIN ATOMIC
SELECT 'use_sql_atomic = ' || col FROM v;
END;
CREATE FUNCTION use_sql_string() RETURNS TEXT LANGUAGE sql AS $$
SELECT 'use_sql_string = ' || col FROM v;
$$;
CREATE FUNCTION use_plpgsql() RETURNS TEXT LANGUAGE plpgsql AS $$ BEGIN
RETURN (SELECT 'use_plpgsql = ' || col FROM v);
END; $$;
SET search_path TO 'public', 's2';
SELECT use_sql_atomic() AS "output" UNION ALL
SELECT use_sql_string() AS "output" UNION ALL
SELECT use_plpgsql() AS "output";
============
This generates the following output:
output
---------------------------
use_sql_atomic = creation
use_sql_string = runtime
use_plpgsql = runtime
(3 rows)
Overall, PostgreSQL doesn't behave consistent, and to me it seems that
the documentation isn't describing its behavior correctly either.
https://www.postgresql.org/docs/current/sql-createfunction.html
"sql_body
The body of a LANGUAGE SQL function. This can either be a single
statement
RETURN expression
or a block
BEGIN ATOMIC
statement;
statement;
...
statement;
END
This is similar to writing the text of the function body as a
string constant (see definition above), but there are some differences:
This form only works for LANGUAGE SQL, the string constant form works
for all languages. This form is parsed at function definition time, the
string constant form is parsed at execution time; therefore this form
cannot support polymorphic argument types and other constructs that are
not resolvable at function definition time. This form tracks
dependencies between the function and objects used in the function body,
so DROP ... CASCADE will work correctly, whereas the form using string
literals may leave dangling functions. Finally, this form is more
compatible with the SQL standard and other SQL implementations.
"
I understand if fixing this is too much work (even though I would
really like to see this fixed). But given that the current behavior is
highly surprising and inconsistent - and keeping in mind that this is a
subject that may affect security - I think the documentation should
reflect the current behavior at least. I thus see this as a
documentation issue.
Kind regards,
Jan Behrens
--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
