From: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
---|---|
To: | Marko Kreen <markokr(at)gmail(dot)com> |
Cc: | Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>, Joe Conway <mail(at)joeconway(dot)com> |
Subject: | Re: [patch] fix dblink security hole |
Date: | 2008-09-12 17:14:36 |
Message-ID: | 20080912171436.GH8854@alvh.no-ip.org |
Lists: | pgsql-hackers |
Marko Kreen wrote:
> Currently dblink allows regular users to initiate a libpq connection
> to a user-provided connection string. This breaks the default
> policy that normal users should not be allowed to freely interact
> with the outside environment.
Since people are now working on implementing the SQL/MED stuff to manage
connections, should we bounce this patch? With luck, the CREATE
CONNECTION (?) stuff will be done for the next commitfest and we can
just switch dblink to use that instead.
Thoughts? Can we really expect SQL/MED connection mgmt to be done for
the next fest?
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.