Doc: stop implying recommendation of insecure search_path value.

SQL "SET search_path = 'pg_catalog, pg_temp'" is silently equivalent to
"SET search_path = pg_temp, pg_catalog, "pg_catalog, pg_temp"" instead
of the intended "SET search_path = pg_catalog, pg_temp".  (The intent
was a two-element search path.  With the single quotes, it instead
specifies one element with a comma and a space in the middle of the
element.)  In addition to the SET statement, this affects SET clauses of
CREATE FUNCTION, ALTER ROLE, and ALTER DATABASE.  It does not affect the
set_config() SQL function.

Though the documentation did not show an insecure command, remove single
quotes that could entice a reader to write an insecure command.
Back-patch to v13 (all supported versions).

Reported-by: Sven Klemm 
Author: Sven Klemm 
Backpatch-through: 13

diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
index 4915c1985e0b73957d31596ed5f55ab18d4409ef..065bc49c973c824b052dcc162617432bf061b950 100644 (file)
--- a/doc/src/sgml/extend.sgml
+++ b/doc/src/sgml/extend.sgml
@@ -1344,8 +1344,8 @@ SELECT * FROM pg_extension_update_paths('extension_name
       secure search_path; do not
       trust the path provided by CREATE/ALTER EXTENSION
       to be secure.  Best practice is to temporarily
-      set search_path to 'pg_catalog,
-      pg_temp' and insert references to the extension's
+      set search_path to pg_catalog,
+      pg_temp and insert references to the extension's
       installation schema explicitly where needed.  (This practice might
       also be helpful for creating views.)  Examples can be found in
       the contrib modules in