From: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | Craig Ringer <craig(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Fabrízio de Royes Mello <fabriziomello(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: proposal: session server side variables |
Date: | 2016-12-30 13:45:47 |
Message-ID: | alpine.DEB.2.20.1612301403310.32017@lancre |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Please Pavel, could you avoid citing a whole long mail just for commenting
one point?
>> * Why is it so necessary for plpgsql variables to be implemented as
>> persistent entities that are in the catalogs in order for you to
>> achieve the static checking you want to? Is this due to limitations of
>> your approach in plpgsql_check, or more fundamental issues? Explain.
>
> There are few reasons:
>
> 1. plpgsql_check cannot to know a order of calls of functions.
Indeed.
> So any dynamic created object and related operations are not checkable
> by plpgsql_check (or any tool).
NO. Your first sentence does not imply this very general statement.
Some things that I think can be statically proved within a session, that
would cover some security concerns:
(1) For statically named private dynamic variables declared/used at
different points it can be checked without relying on the function order
that all declarations are consistent, i.e. the same type, same default
value if any.
(2) Then the value of the variable is either the default value (eg NULL)
or the assigned value at points of assignement, which must be a valid
value for the type, otherwise the assignement would have failed.
(3) If there is only one assignment in the code, then you know that the
variable can only have been assigned a non default value from this point.
Probably nice to have in a security context, but it requires you to be
sure that you have access to all the code...
(4) For a session boolean, then for code "IF @var IS NOT NULL AND NOT @var
THEN RAISE 'cannot access'; END", in a sequence, then one can prove that
for any pl code after this point in the sequence @var has been previously
assigned to true, otherwise the exception would have been raised.
AFAICS, for "static" session variables the only difference is that the
declaration consistency (1) is slightly more built-in, although you still
have to check that no function DROP/re-CREATE the session variable with a
different type, which is quite close to checking (1) for a dynamic session
variable.
Other properties (2), (3), (4) are exactly the same.
> 2. [...] 3.
Please could you put your pros & cons in the wiki as well?
Or don't you want to use it?
--
Fabien.
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2016-12-30 13:51:42 | Re: Assignment of valid collation for SET operations on queries with UNKNOWN types. |
Previous Message | Michael Paquier | 2016-12-30 13:45:34 | Re: Potential data loss of 2PC files |