Document security implications of check_function_bodies.

Back-patch to 8.4 (all supported versions).
2025-10-31 00:03:57 -04:00 · 2014-02-17 09:33:31 -05:00 · 2014-02-17 09:33:31 -05:00 · 540b4e5bc8
commit 540b4e5bc8
parent 537cbd35c8
2 changed files with 12 additions and 8 deletions
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -5153,9 +5153,11 @@ COPY postgres_log FROM '/full/path/to/logfile.csv' WITH csv;
       <para>
        This parameter is normally on. When set to <literal>off</>, it
        disables validation of the function body string during <xref
-        linkend="sql-createfunction">. Disabling validation is
-        occasionally useful to avoid problems such as forward references
-        when restoring function definitions from a dump.
+        linkend="sql-createfunction">.  Disabling validation avoids side
+        effects of the validation process and avoids false positives due
+        to problems such as forward references.  Set this parameter
+        to <literal>off</> before loading functions on behalf of other
+        users; <application>pg_dump</> does so automatically.
       </para>
      </listitem>
     </varlistentry>
--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
   <para>
    Validator functions should typically honor the <xref
    linkend="guc-check-function-bodies"> parameter: if it is turned off then
-    any expensive or context-sensitive checking should be skipped.
-    In particular, this parameter is turned off by <application>pg_dump</>
-    so that it can load procedural language functions without worrying
-    about possible dependencies of the function bodies on other database
-    objects.  (Because of this requirement, the call handler should avoid
+    any expensive or context-sensitive checking should be skipped.  If the
+    language provides for code execution at compilation time, the validator
+    must suppress checks that would induce such execution.  In particular,
+    this parameter is turned off by <application>pg_dump</> so that it can
+    load procedural language functions without worrying about side effects or
+    dependencies of the function bodies on other database objects.
+    (Because of this requirement, the call handler should avoid
    assuming that the validator has fully checked the function.  The point
    of having a validator is not to let the call handler omit checks, but
    to notify the user immediately if there are obvious errors in a