Re: allow building trusted languages without the untrusted versions

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> It's not just a question of whether it was meant to be SQL-callable --
> it's also a question of what arguments it was expecting to be called
> with. At the very least, you can cause the server to core dump if you
> pass something that isn't a valid pointer to a function that is
> expecting a pointer, which is something a CSP very likely does not
> want a customer to be able to do. I think, however, that there's every
> possibility that you can create more havoc than that. You can
> basically call a function that's expecting a pointer with a pointer to
> anything you can find or guess the memory address of. Maybe that's not
> enough control to cause anything worse than a server crash, but I sure
> wouldn't bet on it. There's a lot of functions floating around, and if
> none of them can be tricked into doing filesystem access today, well
> someone might add a new one tomorrow.

[ shrug... ] So is your point that we shouldn't bother to do anything?
I don't personally have a problem with leaving things where they stand
in this area. However, if we're going to do something, I think at
minimum it should involve blocking off everything we can identify as
straightforward reproducible methods to get disk access.

regards, tom lane