Document security implications of check_function_bodies.

Back-patch to 8.4 (all supported versions).
2025-10-24 01:29:19 +03:00 · 2014-02-17 09:33:31 -05:00
parent 537cbd35c8
commit 540b4e5bc8
2 changed files with 12 additions and 8 deletions
--- a/doc/src/sgml/plhandler.sgml
+++ b/doc/src/sgml/plhandler.sgml
@@ -194,11 +194,13 @@ CREATE LANGUAGE plsample
   <para>
    Validator functions should typically honor the <xref
    linkend="guc-check-function-bodies"> parameter: if it is turned off then
-    any expensive or context-sensitive checking should be skipped.
-    In particular, this parameter is turned off by <application>pg_dump</>
-    so that it can load procedural language functions without worrying
-    about possible dependencies of the function bodies on other database
-    objects.  (Because of this requirement, the call handler should avoid
+    any expensive or context-sensitive checking should be skipped.  If the
+    language provides for code execution at compilation time, the validator
+    must suppress checks that would induce such execution.  In particular,
+    this parameter is turned off by <application>pg_dump</> so that it can
+    load procedural language functions without worrying about side effects or
+    dependencies of the function bodies on other database objects.
+    (Because of this requirement, the call handler should avoid
    assuming that the validator has fully checked the function.  The point
    of having a validator is not to let the call handler omit checks, but
    to notify the user immediately if there are obvious errors in a