Re: Including PL/PgSQL by default

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Greg Sabino Mullane" <greg(at)turnstep(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Including PL/PgSQL by default
Date: 2008-02-21 05:40:03
Message-ID: 3057.1203572403@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

"Greg Sabino Mullane" <greg(at)turnstep(dot)com> writes:
> I'm not sure I understand the security implications of turning plpgsql on:
> has there been some security concerns in the past? Does having access
> to plpgsql really faciliate an attacker that much above what they might
> already be capable of without it? It seems quite trivial to write a
> function in sql that ties up resources just as effectively as plpgsql.

I grow weary of repeating this: it's not about resource consumption, nor
about potential security holes in plpgsql itself. It's about handing
attackers the capability to further exploit *other* security holes.

regards, tom lane

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2008-02-21 06:08:36 VARATT_EXTERNAL_GET_POINTER is not quite there yet
Previous Message ITAGAKI Takahiro 2008-02-21 04:35:23 Re: ANALYZE to be ignored by VACUUM