id: 5150
summary: postgis_extension_AddToSearchPath should take input as text instead of varchar, helpers should use CREATE FUNCTION
reporter: robe
owner: robe
type: defect
status: closed
priority: medium
milestone: PostGIS 2.5.7
component: build
version: master
resolution: fixed
keywords:
cc:

description:

This is a security change. It is possible for a user to create a function postgis_extension_AddToSearchPath(text) in the same schema as the postgis_extension_AddToSearchPath(varchar) we defined. This could allow a rogue user to have their version of the function run during extension create/updates instead of the one we ship.

Also, as a general best practice, we should use CREATE FUNCTION instead of CREATE OR REPLACE FUNCTION. We can easily change this for the helper functions, since they are created as part of install and then dropped after.
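
An audit for the condition this ticket describes, added here as an example (it is not part of the ticket or of the PostGIS code base). It assumes the installed extensions have names starting with `postgis` and relies only on the standard PostgreSQL catalogs; the column aliases are illustrative.

```sql
-- 1. Every overload of the function named in the ticket, with its owner and
--    the extension (if any) that pg_depend records it as a member of.
--    Unquoted identifiers are folded to lower case, hence the lower-case name.
SELECT n.nspname                   AS schema_name,
       p.oid::regprocedure         AS signature,
       pg_get_userbyid(p.proowner) AS owner,
       e.extname                   AS member_of_extension  -- NULL: not owned by any extension
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
LEFT JOIN pg_depend d
       ON d.classid    = 'pg_proc'::regclass
      AND d.objid      = p.oid
      AND d.refclassid = 'pg_extension'::regclass
      AND d.deptype    = 'e'
LEFT JOIN pg_extension e ON e.oid = d.refobjid
WHERE p.proname = 'postgis_extension_addtosearchpath'
ORDER BY schema_name, signature;

-- 2. Non-superuser roles holding CREATE on the schema an extension is
--    installed in, i.e. the roles able to add an overload there.
--    Assumption: extension names begin with 'postgis'.
SELECT DISTINCT n.nspname AS schema_name,
       r.rolname          AS role_with_create
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_roles r     ON has_schema_privilege(r.oid, n.oid, 'CREATE')
WHERE e.extname LIKE 'postgis%'
  AND NOT r.rolsuper
ORDER BY schema_name, role_with_create;
```

A row from the first query with a NULL `member_of_extension`, or an owner other than the role that installed the extension, is worth reviewing before the next `CREATE EXTENSION` or `ALTER EXTENSION ... UPDATE`; the second query shows which `CREATE` grants to revoke to remove the precondition.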