From: | Stefan Keller <sfkeller(at)gmail(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Proposal: functions get_text() or get_url() |
Date: | 2009-05-23 08:56:45 |
Message-ID: | 25bc040b0905230156i14595ae7w526e04733459d5b5@mail.gmail.com |
Lists: | pgsql-hackers |
Ok.
But again: There is a library mentioned and documented in the famous
PostgreSQL book from Douglas & Douglas called pgcurl (
http://gborg.postgresql.org/project/pgcurl/ ). Where's this gone?
Yours, S.
2009/5/20 Robert Haas <robertmhaas(at)gmail(dot)com>
> On Wed, May 20, 2009 at 6:34 AM, Stefan Keller <sfkeller(at)gmail(dot)com> wrote:
> > Questions: Don't see, why this would be a security issue: How could such a
> > function do any harm? large files?
>
> No, large files aren't the problem. The problem is that the
> PostgreSQL server process may have rights to access things that the
> user doesn't. For a simple case, imagine that PostgreSQL is behind a
> firewall and the user is in front of the firewall, but there's a port
> open to permit access to PostgreSQL. Now imagine that there is a web
> server behind the firewall. The firewall blocks the user from
> accessing the web server directly, but the user can ask PostgreSQL to
> download the URLs for him. In that way, the user can bypass the
> firewall. (Consider for example Andrew Chernow's company, which has
> clients connecting to their database server from all over the
> Internet...)
>
> ...Robert
>
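The firewall case described in the quoted reply, as an added example that is not part of the original thread or of any PostgreSQL code: one possible destination check that a hypothetical server-side `get_url()` could run before fetching. The function names and the `SAMPLE_DNS` table are assumptions made for illustration; the table stands in for DNS so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS (sample data only).
SAMPLE_DNS = {
    "www.example.org": ["93.184.216.34"],
    "intranet.example.internal": ["10.0.5.20"],
    # A name that answers with both a public and a loopback address.
    "mixed.example.net": ["93.184.216.34", "127.0.0.1"],
}


def resolve(host):
    """Return addresses for host: IP literals as-is, names via SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host.lower(), [])


def check_fetch_target(url, resolver=resolve):
    """Decide whether the server may fetch url on a caller's behalf.

    Returns (allowed, reason). The server sits behind the firewall, so any
    address that is not globally routable (loopback, RFC 1918, link-local)
    is something the caller could not have reached directly and is refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    # Every answer must pass: one internal address is enough to refuse.
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address"
    # The caller must connect to the addresses checked here (no second
    # lookup) and re-run this check on every redirect target.
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://www.example.org/data.txt",
              "http://intranet.example.internal/admin",
              "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(u, "->", check_fetch_target(u))
```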