On Tue, Aug 16, 2022 at 03:34:22PM -0400, Tom Lane wrote: > Bruce Momjian <br...@momjian.us> writes: > > I have written the attached patch to mention this issue about sql_body > > functions. > > Spell-check, please. Seems OK otherwise.
Just when I think I didn't add enough text to warrant a spell check. :-( Updated patch attached. -- Bruce Momjian <br...@momjian.us> https://momjian.us EDB https://enterprisedb.com Indecision is a decision. Inaction is an action. Mark Batterson
diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml index 7e6d52c7dc..35869bf6ba 100644 --- a/doc/src/sgml/ref/create_function.sgml +++ b/doc/src/sgml/ref/create_function.sgml @@ -779,7 +779,10 @@ SELECT * FROM dup(42); <para> Because a <literal>SECURITY DEFINER</literal> function is executed with the privileges of the user that owns it, care is needed to - ensure that the function cannot be misused. For security, + ensure that the function cannot be misused. This is particularly + important for non-<replaceable>sql_body</replaceable> functions because + their function bodies are evaluated at run-time, not creation time. + For security, <xref linkend="guc-search-path"/> should be set to exclude any schemas writable by untrusted users. This prevents malicious users from creating objects (e.g., tables, functions, and