"Thomer M. Gil" <postgresql(at)thomer(dot)com> writes:
> More details and the, in my opinion, somewhat reckless response by one
> of the Debian postgresql package maintainers are available at:
The response you're going to get here is not a lot different from what
you got there, mainly because it's mostly the same people here ;-).
I tend to agree with Peter that you haven't presented a reason to panic.
I'm not aware of any supported situation where psql would fail to parse
a COPY command output by pg_dump. It could happen when trying to load
newer dump data into an older server, but that's unsupported, and we
have no way to retroactively fix the behavior of older versions anyway.
So there's no point in treating this as a security issue.
Still, it looks like it would be relatively easy to suppress evaluation
of backticked arguments once we recognize that the backslash command has
failed, and I would say that that's a reasonable change to make on the
principle of least surprise.
regards, tom lane
In response to
pgsql-bugs by date
|Next:||From: mjmayfield||Date: 2004-12-17 19:50:00|
|Subject: unsubscribe pgsql-admin|
|Previous:||From: Thomer M. Gil||Date: 2004-12-17 18:38:02|
|Subject: syntax error causes crafted data to be executed in shell|