Re: BUG #16464: Unable to restore database backed up with pg_dump into sql that contains expression based index

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: pguser17354(at)mailinator(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #16464: Unable to restore database backed up with pg_dump into sql that contains expression based index
Date: 2020-05-26 17:53:54
Message-ID: CAKFQuwYiKsKgAQF4egNW9FP4wewy_Oq-Btdeagw5Tga8=mc4sw@mail.gmail.com
Lists: pgsql-bugs

On Tue, May 26, 2020 at 10:23 AM PG Bug reporting form <noreply(at)postgresql(dot)org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16464
> Logged by: pg user
> Email address: pguser17354(at)mailinator(dot)com
> PostgreSQL version: 12.3
> Operating system: Centos 6
> Description:
>
> Hello,
> Restoring from pg_dump fails if you have a table with expression based
> index where a stored function calls another function.
> Ex. SQL with steps to reproduce: https://pastebin.com/raw/CFgxtwSY
>
> Related to:
>
> https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
>
> Workaround:
> Removing "SELECT pg_catalog.set_config('search_path', '', false);" from the
> sql dump.
>

This isn't a bug. Your workaround is perfectly acceptable for an end-user
to attempt should they wish but it isn't something the project is going to
entertain - though I seem to recall a discussion of at least giving the
user control by adding a command line argument (as I mentioned before at
[1] but still cannot find the original thread).

An obvious failure to restore a backup is not going to win out in a
security risk comparison with being able to silently cause a privileged
user to execute problem code.

[1]
https://www.postgresql.org/message-id/CAKFQuwZ9xGQF%3DQTPUKUNoco9fjmM9WruCaDh5AmDc-RwQop0Cw%40mail.gmail.com

David J.
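
The failure mode discussed in this message, together with the function-level fixes that keep the dump's empty `search_path` in place, as an added example that is not part of the original thread and is not the reporter's pastebin script. The schema, function and table names (`app`, `strip_ws`, `name_key`, `people`) are hypothetical.

```sql
-- Constructed reproduction; the schema, function and table names are hypothetical.
CREATE SCHEMA app;
SET search_path = app, public;

CREATE FUNCTION app.strip_ws(t text) RETURNS text
    LANGUAGE plpgsql IMMUTABLE
    AS $$ BEGIN RETURN pg_catalog.btrim(t); END $$;

-- Fragile: strip_ws() is unqualified, so it resolves only while "app" is
-- on the search_path of whoever evaluates the index expression.
CREATE FUNCTION app.name_key(t text) RETURNS text
    LANGUAGE plpgsql IMMUTABLE
    AS $$ BEGIN RETURN pg_catalog.lower(strip_ws(t)); END $$;

CREATE TABLE app.people (name text);
INSERT INTO app.people VALUES ('  Alice ');

-- The dump script begins with this line, then loads data, then builds indexes.
SELECT pg_catalog.set_config('search_path', '', false);

-- Fails: evaluating app.name_key() over the existing row cannot resolve strip_ws().
CREATE INDEX people_name_key ON app.people (app.name_key(name));

-- Fix A: schema-qualify every call inside the function body.
CREATE OR REPLACE FUNCTION app.name_key(t text) RETURNS text
    LANGUAGE plpgsql IMMUTABLE
    AS $$ BEGIN RETURN pg_catalog.lower(app.strip_ws(t)); END $$;

-- Fix B (alternative): pin the function's own search_path; pg_dump
-- carries this setting along with the function definition.
-- ALTER FUNCTION app.name_key(text) SET search_path = app, pg_temp;

-- With either fix the index builds under the empty search_path.
CREATE INDEX people_name_key ON app.people (app.name_key(name));
```

Run it with psql in a scratch database; the first `CREATE INDEX` is expected to error, and the second succeeds once the function no longer depends on the caller's `search_path`.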
