Re: Feature request: include script file into function body

From: Steve White <swhite(at)aip(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Feature request: include script file into function body
Date: 2011-02-01 16:44:22
Message-ID: 20110201164422.GA3023@cashmere.aip.de
Lists: pgsql-bugs

Hi Tom,

This seems like a detail that is beside the point I'm making.
But security is important, so let's think about it.

PostgreSQL has an \i command, which loads the text from any readable file,
interprets and executes it as further PostgreSQL commands. I'm proposing
a similar mechanism that would load a file containing script language, and
process it as though it were in the current function body.

Isn't the \i command a similar security hole?

If somehow loading script text for a function is substantially different
from loading it by \i, and if there is some problem, it seems to me that
some simple restriction could solve it, such as restricting the directories
from which such files can be read. But I'm just guessing here.

I'll leave it to the security experts explicitly by amending my original
proposal with this:

" -- without doing anything stupid that would open a security hole."

Cheers again!

On 1.02.11, Tom Lane wrote:
> Steve White <swhite(at)aip(dot)de> writes:
> > It would be really nice to have a way to load script (especially Python
> > and Perl) from a separate file into a function body.
>
> This seems like a security hole, ie, you could use it to read any file
> the backend has access to.
>
> regards, tom lane
>

--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| E-Science Zi. 27 Villa Turbulenz
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -
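
The directory restriction suggested in the message above, as an added example that is not part of the original thread and not PostgreSQL code: a check that only accepts script files whose canonical path lies inside one allowed directory. The names `resolve_script`, `PathNotAllowed` and `demo`, and the sample directory tree, are constructed for illustration.

```python
import os
import tempfile


class PathNotAllowed(Exception):
    """The requested file does not resolve to a regular file inside the allowed directory."""


def resolve_script(allowed_dir, requested):
    """Return the canonical path of `requested` if it lies inside `allowed_dir`."""
    base = os.path.realpath(allowed_dir)
    # realpath collapses ".." and follows symlinks, so the comparison below
    # is made on the file that would really be opened, not on the string given.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so "/srv/scripts_evil"
    # is not mistaken for a child of "/srv/scripts" as a prefix test would.
    if os.path.commonpath([base, candidate]) != base:
        raise PathNotAllowed(requested)
    if not os.path.isfile(candidate):
        raise PathNotAllowed(requested)
    return candidate


def demo():
    """Build a constructed directory tree and try four requests against it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "scripts")
        os.mkdir(allowed)
        secret = os.path.join(root, "secret.conf")  # stands in for any backend-readable file
        for path in (os.path.join(allowed, "f.py"), secret):
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
        os.symlink(secret, os.path.join(allowed, "link.py"))
        requests = {"plain": "f.py", "dotdot": "../secret.conf",
                    "absolute": secret, "symlink": "link.py"}
        for label, name in requests.items():
            try:
                resolve_script(allowed, name)
                results[label] = "allowed"
            except PathNotAllowed:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check and the later open are separate steps, so the restriction only holds if untrusted users cannot create or replace files and symlinks inside the allowed directory.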
