From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | Neil Conway <neilc(at)samurai(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: 7.4 changes |
Date: | 2004-10-19 12:47:20 |
Message-ID: | 41750CD8.6070300@dunslane.net |
Lists: | pgsql-hackers |

Neil Conway wrote:
>On Tue, 2004-10-19 at 02:45, Andrew Dunstan wrote:
>
>>*shrug* OK. Then plperl should probably not be regarded as being as
>>"trusted" as we would like. Note that old versions of Safe.pm have been
>>the subject of security advisories such as this one
>>http://www.securityfocus.com/bid/6111/info/ for some time.
>
>Perhaps a compromise would be to require the newer version of Safe.pm,
>but leave the other changes for 8.0. Upgrading Safe.pm can presumably be
>done without needing any changes to the rest of one's pl/perl code.

s/the rest of/any of/

Indeed it can.

The other thing I suggested was removing the :base_io set of ops - I
would regard plperl functions that did things like printing to STDOUT as
broken to start with.

But maybe we can just live with what we have and advertise that 8.0's
plperl is more secure.

cheers

andrew
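
The two measures discussed in this message, requiring a minimum Safe.pm and dropping the `:base_io` opcode set, sketched as an added example that is not part of the original email and not plperl's own code. The `compartment` helper, the `MIN_SAFE_VERSION` environment variable and the sample function body are assumptions made for illustration; the thread does not name the required Safe.pm version, so the minimum is a placeholder.

```perl
#!/usr/bin/perl
# Added illustration; not plperl source code.
use strict;
use warnings;
use Safe;

# Placeholder: the thread does not say which Safe.pm release counts as "newer".
my $min_safe = $ENV{MIN_SAFE_VERSION} // 0;

# UNIVERSAL::VERSION dies if the loaded module is older than requested,
# so an outdated Safe.pm is refused before any untrusted code is compiled.
eval { Safe->VERSION($min_safe); 1 }
    or die "Safe.pm $Safe::VERSION is older than required $min_safe\n";

# Hypothetical helper: build a compartment with or without :base_io.
# The explicit permit/deny makes the result independent of what the
# installed Opcode module puts in :default.
sub compartment {
    my ($allow_io) = @_;
    my $cpt = Safe->new;
    $cpt->permit_only(':default');
    if ($allow_io) { $cpt->permit(':base_io') }
    else           { $cpt->deny(':base_io') }
    return $cpt;
}

# Constructed sample function body: computes a value and prints to STDOUT.
my $body = 'my $n = 2 + 3; print STDOUT "n=$n\n"; $n';

for my $case (['with :base_io', 1], ['without :base_io', 0]) {
    my ($label, $allow_io) = @$case;
    my $result = compartment($allow_io)->reval($body);
    if (defined $result) {
        print "$label: compiled and ran, returned $result\n";
    } else {
        # The opcode mask is enforced at compile time; $@ names the trapped op.
        (my $err = $@) =~ s/\s+\z//;
        print "$label: rejected ($err)\n";
    }
}
```

With `:base_io` denied, the body is rejected when it is compiled rather than when the `print` executes, so none of the function runs.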