Re: Possible major bug in PlPython (plus some other ideas)

From: "Ross J(dot) Reedstrom" <reedstrm(at)rice(dot)edu>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Possible major bug in PlPython (plus some other ideas)
Date: 2001-11-09 21:28:45
Message-ID: 20011109152845.A16515@rice.edu
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, Nov 09, 2001 at 03:25:04PM -0500, Doug McNaught wrote:
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
>
> > What worries me is not so much this particular hole, which is easily
> > plugged now that we know about it, as that it suggests that Python's
> > idea of a restricted environment is considerably less restricted than
> > we would like. Perhaps there are other facilities that need to be
> > turned off as well?
>
> Could be. FWIW, Zope (www.zope.org) allows for Python scripts, created
> and managed through the web, that run in a "sandbox" with many of the
> same restrictions as PG puts on untrusted languages--they actually
> disallow regex matching so you can't hang the webserver thread with a
> regex that backtracks forever. Might be worthhhile for the plpython
> folks to take a look at Zope.

And it took _forever_ to convince the Zope folks to put it in, for this
very reason. Those who wanted python scripts (through the web interface,
as opposed to through the filesystem) had to jump through all the hoops
to make it safe enough.

Ross

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Kevin Jacobs 2001-11-09 21:34:26 Re: Possible major bug in PlPython (plus some other ideas)
Previous Message Frans Thamura 2001-11-09 20:47:45 Postgre for Windows