From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Phil Frost <indigo(at)bitglue(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: lastval exposes information that currval does not |
Date: | 2006-07-10 21:48:18 |
Message-ID: | 20060710214817.GA17269@kenobi.snowman.net |
Lists: | pgsql-hackers |

* Phil Frost (indigo(at)bitglue(dot)com) wrote:
> I haven't found a way to do this yet, but I wouldn't be surprised if
> there is a clever way, especially considering C extensions that might
> come from contrib or other sources. It seems like there is a good deal
> of potential for non-malicious developers to open unknowingly serious
> security holes. I think lastval is a great example of this potential;
> fortunately sequence values are rarely compromising. Imagine the
> consequences of a function which returns the last inserted row in a
> similar manner.

Yes, you can compromise the security of the system by loading C modules.
That's not going to change. If you find examples of such compromises in
core, or in contrib, please bring them to our attention. As for from
other sources, well, you'd have to bring it up with that source..

Thanks,

Stephen