mirror of https://github.com/postgres/postgres.git synced 2025-07-07 00:36:50 +03:00

In extensions, don't replace objects not belonging to the extension.

Previously, if an extension script did CREATE OR REPLACE and there was
an existing object not belonging to the extension, it would overwrite
the object and adopt it into the extension.  This is problematic, first
because the overwrite is probably unintentional, and second because we
didn't change the object's ownership.  Thus a hostile user could create
an object in advance of an expected CREATE EXTENSION command, and would
then have ownership rights on an extension object, which could be
modified for trojan-horse-type attacks.

Hence, forbid CREATE OR REPLACE of an existing object unless it already
belongs to the extension.  (Note that we've always forbidden replacing
an object that belongs to some other extension; only the behavior for
previously-free-standing objects changes here.)

For the same reason, also fail CREATE IF NOT EXISTS when there is
an existing object that doesn't belong to the extension.

Our thanks to Sven Klemm for reporting this problem.

Security: CVE-2022-2625
This commit is contained in:
Tom Lane
2022-08-08 11:12:31 -04:00
parent 9a8df33070
commit 5721da7e41
21 changed files with 539 additions and 52 deletions
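An audit query for the ownership mismatch the commit message describes, added here as an example; it is not part of the commit or of PostgreSQL's sources. It lists functions and relations that are extension members but are not owned by the extension's owner, using only the standard `pg_depend`, `pg_extension`, `pg_proc` and `pg_class` catalogs. A mismatch can also result from a legitimate `ALTER ... OWNER TO`, so treat each row as a candidate for review rather than proof of tampering.

```sql
-- Extension membership is recorded in pg_depend with deptype = 'e',
-- pointing from the member object to its pg_extension row.
WITH member AS (
    SELECT d.classid, d.objid, e.extname, e.extowner
    FROM pg_catalog.pg_depend d
    JOIN pg_catalog.pg_extension e
      ON d.refclassid = 'pg_catalog.pg_extension'::pg_catalog.regclass
     AND d.refobjid = e.oid
    WHERE d.deptype = 'e'
)
-- Member functions (the CREATE OR REPLACE FUNCTION case).
SELECT m.extname,
       m.extowner::pg_catalog.regrole               AS extension_owner,
       'function'                                   AS object_kind,
       p.oid::pg_catalog.regprocedure::text         AS object_name,
       p.proowner::pg_catalog.regrole               AS object_owner
FROM member m
JOIN pg_catalog.pg_proc p
  ON m.classid = 'pg_catalog.pg_proc'::pg_catalog.regclass
 AND m.objid = p.oid
WHERE p.proowner <> m.extowner
UNION ALL
-- Member tables, views, sequences and indexes
-- (the CREATE ... IF NOT EXISTS and CREATE OR REPLACE VIEW cases).
SELECT m.extname,
       m.extowner::pg_catalog.regrole,
       'relation',
       c.oid::pg_catalog.regclass::text,
       c.relowner::pg_catalog.regrole
FROM member m
JOIN pg_catalog.pg_class c
  ON m.classid = 'pg_catalog.pg_class'::pg_catalog.regclass
 AND m.objid = c.oid
WHERE c.relowner <> m.extowner
ORDER BY 1, 3, 4;
```

Run it in each database of the cluster, since extension membership and these catalogs are per-database.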

@ -1319,17 +1319,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
trusted if it depends on another one, unless that other one is always
installed in <literal>pg_catalog</literal>.
</para>
<para>
Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE
FUNCTION</command>, except in an update script that must change the
definition of a function that is known to be an extension member
already. (Likewise for other <literal>OR REPLACE</literal> options.)
Using <literal>OR REPLACE</literal> unnecessarily not only has a risk
of accidentally overwriting someone else's function, but it creates a
security hazard since the overwritten function would still be owned by
its original owner, who could modify it.
</para>
</sect3>
</sect2>
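Review bot: the <para> that this hunk drops just before </sect3> (going by the 17-to-6 line count, the block starting "Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE") was the only guidance at this spot on OR REPLACE in extension scripts, and nothing replaces it here. The commit message says CREATE OR REPLACE and CREATE ... IF NOT EXISTS now fail when the existing object is not already an extension member, so I would add a short paragraph at this position stating that behavior, so script authors reading this section know the error is expected and that OR REPLACE still belongs only in update scripts that redefine an existing member. If that text is added in another hunk of this file, a cross-reference from here would be enough.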