Document security implications of check_function_bodies.

Back-patch to 8.4 (all supported versions).

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 54716dd357b86b7efcf21ec7ef298483fb4cf305..c7d708bd16d8ed5818464d7aee2c339ed30b3057 100644 (file)
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -4991,9 +4991,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;
        
         This parameter is normally on. When set to off, it
         disables validation of the function body string during 
-        linkend="sql-createfunction">. Disabling validation is
-        occasionally useful to avoid problems such as forward references
-        when restoring function definitions from a dump.
+        linkend="sql-createfunction">.  Disabling validation avoids side
+        effects of the validation process and avoids false positives due
+        to problems such as forward references.  Set this parameter
+        to off before loading functions on behalf of other
+        users; pg_dump does so automatically.
        
       
      


diff --git a/doc/src/sgml/plhandler.sgml b/doc/src/sgml/plhandler.sgml

index aa4bba3bee1ab0e07d95a684684a2e37b4eab01c..0fc5d7b411b6c7bb97cac6cc334c5c2e50dd9a30 100644 (file)

--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
    
     Validator functions should typically honor the 
     linkend="guc-check-function-bodies"> parameter: if it is turned off then
-    any expensive or context-sensitive checking should be skipped.
-    In particular, this parameter is turned off by pg_dump
-    so that it can load procedural language functions without worrying
-    about possible dependencies of the function bodies on other database
-    objects.  (Because of this requirement, the call handler should avoid
+    any expensive or context-sensitive checking should be skipped.  If the
+    language provides for code execution at compilation time, the validator
+    must suppress checks that would induce such execution.  In particular,
+    this parameter is turned off by pg_dump so that it can
+    load procedural language functions without worrying about side effects or
+    dependencies of the function bodies on other database objects.
+    (Because of this requirement, the call handler should avoid
     assuming that the validator has fully checked the function.  The point
     of having a validator is not to let the call handler omit checks, but
     to notify the user immediately if there are obvious errors in a

diff --git a/doc/src/sgml/plhandler.sgml b/doc/src/sgml/plhandler.sgml
index aa4bba3bee1ab0e07d95a684684a2e37b4eab01c..0fc5d7b411b6c7bb97cac6cc334c5c2e50dd9a30 100644 (file)
--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
    
     Validator functions should typically honor the 
     linkend="guc-check-function-bodies"> parameter: if it is turned off then
-    any expensive or context-sensitive checking should be skipped.
-    In particular, this parameter is turned off by pg_dump
-    so that it can load procedural language functions without worrying
-    about possible dependencies of the function bodies on other database
-    objects.  (Because of this requirement, the call handler should avoid
+    any expensive or context-sensitive checking should be skipped.  If the
+    language provides for code execution at compilation time, the validator
+    must suppress checks that would induce such execution.  In particular,
+    this parameter is turned off by pg_dump so that it can
+    load procedural language functions without worrying about side effects or
+    dependencies of the function bodies on other database objects.
+    (Because of this requirement, the call handler should avoid
     assuming that the validator has fully checked the function.  The point
     of having a validator is not to let the call handler omit checks, but
     to notify the user immediately if there are obvious errors in a