From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | David Fetter <david(at)fetter(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Fabien COELHO <coelho(at)cri(dot)ensmp(dot)fr>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: \gsetenv |
Date: | 2020-12-20 20:42:40 |
Message-ID: | df6b753d-3521-25d1-d01b-b488ebc6b52d@iki.fi |
Lists: | pgsql-hackers |
On 20/12/2020 21:05, David Fetter wrote:
> We have plenty of ways to spawn shells and cause havoc, and we
> wouldn't be able to block them all even if we decided to put a bunch
> of pretty onerous restrictions on psql at this very late date. We have
> \set, backticks, \!, and bunches of things less obvious that could,
> even without a compromised server, cause real mischief.
There is a big difference between having to trust the server and not.
Yeah, you could cause a lot of mischief if you let a user run arbitrary
psql scripts on your behalf. But that's no excuse for opening up a whole
other class of problems.
- Heikki