Hi,

On Tue, Jun 09, 2026 at 10:12:48PM -0400, Tom Lane wrote:
> Michael Paquier <[email protected]> writes:
> > On Tue, Jun 09, 2026 at 09:08:50AM +0000, Bertrand Drouvot wrote:
> >> Now I wonder if we should not "protect" the operators too. They could also
> >> lead to wrong results (if not worse).
>
> > Kind of true. Still we have been pretty lax about the operators as
> > they also lead to less readable queries.
>
> We disclaimed security against odd search_paths for these queries long ago,
> precisely because wrapping every operator in PG_OPERATOR(pg_catalog.*)
> would be far too tedious and destructive of readability --- not to
> mention that there are some syntaxes such as IN that don't even offer
> the option to do that.

I do agree that doing so would "destroy" the readability.

I did not look in detail, but what about forcing ALWAYS_SECURE_SEARCH_PATH_SQL
before the queries and restoring the search_path once the query is done? (that
way that would not impact the readability)

Regards,

--
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
