From: | Steve White <swhite(at)aip(dot)de> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: Feature request: include script file into function body |
Date: | 2011-02-01 16:44:22 |
Message-ID: | 20110201164422.GA3023@cashmere.aip.de |
Lists: | pgsql-bugs |
Hi Tom,
This seems like a detail that is beside the point I'm making.
But security is important, so let's think about it.
PostgreSQL has an \i command, which loads the text from any readable file,
interprets and executes it as further PostgreSQL commands. I'm proposing
a similar mechanism that would load a file containing script language, and
process it as though it were in the current function body.
Isn't the \i command a similar security hole?
If somehow loading script text for a function is substantially different
from loading it by \i, and if there is some problem, it seems to me that
some simple restriction could solve it, such as restricting the directories
from which such files can be read. But I'm just guessing here.
I'll leave it to the security experts explicitly by amending my original
proposal with this:
" -- without doing anything stupid that would open a security hole."
Cheers again!
On 1.02.11, Tom Lane wrote:
> Steve White <swhite(at)aip(dot)de> writes:
> > It would be really nice to have a way to load script (especially Python
> > and Perl) from a separate file into a function body.
>
> This seems like a security hole, ie, you could use it to read any file
> the backend has access to.
>
> regards, tom lane
>
--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| E-Science Zi. 27 Villa Turbulenz
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Executive Board: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Foundation under private law, Brandenburg Register of Foundations: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -