| From: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
|---|---|
| To: | "Hello World *EXTERN*" <worldanizer(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Security Issues: Allowing Clients to Execute SQL in the Backend. |
| Date: | 2014-04-30 09:44:04 |
| Message-ID: | A737B7A37273E048B164557ADEF4A58B17CF518F@ntex2010i.host.magwien.gv.at |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello World wrote:
> Denial of service is indeed a problem. Is there a way to limit the execution time of a request?
Yes, setting statement_timeout.
But if a client can exectue arbitrary statements, that could also
be statements like:
SET statement_timeout=0;
SET work_mem=1024GB;
> I'm using libpq to communicate with the server.
>
> PS. I've just taken a look, it seems I could do some asynchronous queries, time them, then cancel them
> if they take too long.
>
> http://www.postgresql.org/docs/8.4/static/libpq-cancel.html
That might be a way to avoid that people just reset statement_timeout.
Of course someone could start a deadly query and then kill the client
before it has a chance to cancel it...
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Willy-Bas Loos | 2014-04-30 09:50:06 | Re: importing a messy text file |
| Previous Message | Willy-Bas Loos | 2014-04-30 09:41:42 | Re: importing a messy text file |