
Re: Feature request: include script file into function body

From: Steve White <swhite(at)aip(dot)de>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Feature request: include script file into function body
Date: 2011-02-01 16:44:22
Message-ID: 20110201164422.GA3023@cashmere.aip.de
Lists: pgsql-bugs
Hi Tom,

This seems like a detail that is beside the point I'm making.
But security is important, so let's think about it.

PostgreSQL has an \i command, which loads the text from any readable file,
interprets and executes it as further PostgreSQL commands.  I'm proposing
a similar mechanism that would load a file containing script language, and
process it as though it were in the current function body.

Isn't the \i command a similar security hole?

If somehow loading script text for a function is substantially different 
from loading it by \i, and if there is some problem, it seems to me that
some simple restriction could solve it, such as restricting the directories 
from which such files can be read.  But I'm just guessing here.

I'll leave it to the security experts explicitly by amending my original
proposal with this:

        " -- without doing anything stupid that would open a security hole."

Cheers again!


On  1.02.11, Tom Lane wrote:
> Steve White <swhite(at)aip(dot)de> writes:
> > It would be really nice to have a way to load script (especially Python
> > and Perl) from a separate file into a function body.
> 
> This seems like a security hole, ie, you could use it to read any file
> the backend has access to.
> 
> 			regards, tom lane
> 

-- 
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
| Steve White                                             +49(331)7499-202
| E-Science                                        Zi. 27  Villa Turbulenz 
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
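
The directory restriction suggested in the message above, sketched as an added example (not part of the original thread and not PostgreSQL code). The function `resolve_include`, the directory names and the sample files are hypothetical and constructed for illustration; the check is made on the canonical path, so `..` segments, symlinks and look-alike sibling directories are rejected.

```python
import os
import tempfile


def resolve_include(requested, allowed_dirs):
    """Return the canonical path of `requested` if it lies inside one of
    `allowed_dirs` (hypothetical allow-list); raise PermissionError otherwise."""
    # realpath collapses ".." and follows symlinks, so the decision is made on
    # the file that would actually be opened, not on the string supplied.
    real = os.path.realpath(requested)
    for base in allowed_dirs:
        base_real = os.path.realpath(base)
        # commonpath compares whole components: "includes-evil" is not "includes"
        if os.path.commonpath([real, base_real]) == base_real:
            return real
    raise PermissionError(f"include outside allowed directories: {requested}")


def demo():
    """Constructed sample tree: one allowed directory, one file outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "includes")
        sibling = os.path.join(root, "includes-evil")
        secret = os.path.join(root, "secret.conf")
        os.mkdir(allowed)
        os.mkdir(sibling)
        for p in (secret, os.path.join(allowed, "body.py"), os.path.join(sibling, "x.py")):
            with open(p, "w") as f:
                f.write("# constructed sample\n")
        os.symlink(secret, os.path.join(allowed, "link.py"))
        cases = {
            "plain": os.path.join(allowed, "body.py"),
            "dotdot": os.path.join(allowed, "..", "secret.conf"),
            "symlink": os.path.join(allowed, "link.py"),
            "prefix": os.path.join(sibling, "x.py"),
        }
        for name, path in cases.items():
            try:
                resolve_include(path, [allowed])
                results[name] = "allowed"
            except PermissionError:
                results[name] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The check and the later open are separate steps, so a server-side implementation would also have to open the resolved path itself and keep the allowed directories writable only by trusted users.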
