Re: Re: [Pljava-dev] Should creating a new base type require superuser status?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Thomas Hallgren <thomas(at)tada(dot)se>
Cc: Kris Jurka <books(at)ejurka(dot)com>, pljava-dev(at)pgfoundry(dot)org, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status?
Date: 2008-08-01 21:42:41
Message-ID: 23725.1217626961@sss.pgh.pa.us
Lists: pgsql-hackers pljava-dev

Thomas Hallgren <thomas(at)tada(dot)se> writes:
> Tom, could you please elaborate where you see a security hole?

The problem that we've seen in the past shows up when the user lies in
the CREATE TYPE command, specifying type representation properties that
are different from what the underlying functions expect. In particular,
if it's possible to pass a pass-by-value integer to a function
that's expecting a pass-by-reference datum, you can misuse the function
to access backend memory.

I gather from looking at the example that Kris referenced that there's
some interface code in between the SQL function call and the user's Java
code, and that that interface code is itself looking at the declared
properties of the SQL type to decide what to do. So to the extent that
that code is (a) bulletproof against inconsistencies and (b) not
subvertible by the PL/Java user, it might be that there's no hole in
practice. But assumption (b) seems pretty fragile to me.

regards, tom lane
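
The following is an added illustration, not part of the original message and not PostgreSQL or PL/Java source. It models the consistency check the message asks interface code to enforce: the declared by-value/by-reference property and length are compared with what the support function expects before the function is called. `TypeDecl`, `FuncExpect`, `check_decl`, `call_checked` and `pair_sum` are hypothetical names, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model, not PostgreSQL source. A Datum is one machine word that
 * holds either the value itself (by value) or a pointer to it (by reference). */
typedef uintptr_t Datum;
typedef struct { int typlen; bool typbyval; } TypeDecl;   /* as declared in CREATE TYPE */
typedef struct { int len; bool byval; Datum (*fn)(Datum); } FuncExpect; /* as compiled */
typedef enum { DECL_OK, DECL_BYVAL_MISMATCH, DECL_LEN_MISMATCH, DECL_BAD_BYVAL_LEN } DeclCheck;

/* Compare the declaration with what the support function expects. */
DeclCheck check_decl(const TypeDecl *t, const FuncExpect *f)
{
    if (t->typbyval && (t->typlen <= 0 || (size_t) t->typlen > sizeof(Datum)))
        return DECL_BAD_BYVAL_LEN;      /* value cannot fit in one word */
    if (t->typbyval != f->byval)
        return DECL_BYVAL_MISMATCH;     /* word vs. pointer confusion */
    if (t->typlen != f->len)
        return DECL_LEN_MISMATCH;       /* function would read the wrong size */
    return DECL_OK;
}

/* Hypothetical by-reference support function: it dereferences its argument. */
typedef struct { int32_t x, y; } Pair;
static Datum pair_sum(Datum d)
{
    const Pair *p = (const Pair *) d;
    return (Datum) (p->x + p->y);
}
const FuncExpect PAIR_SUM = { (int) sizeof(Pair), false, pair_sum };

/* Call only when the declaration is consistent. Returns 0, or -1 if refused. */
int call_checked(const TypeDecl *t, const FuncExpect *f, Datum arg, Datum *out)
{
    if (check_decl(t, f) != DECL_OK)
        return -1;                      /* fn never sees the caller-chosen word */
    *out = f->fn(arg);
    return 0;
}

int main(void)
{
    Pair v = { 40, 2 };
    Datum out = 0;
    TypeDecl honest = { (int) sizeof(Pair), false }, lying = { 4, true };
    int rc = call_checked(&honest, &PAIR_SUM, (Datum) &v, &out);
    printf("honest: rc=%d sum=%lu\n", rc, (unsigned long) out);
    printf("lying:  rc=%d\n", call_checked(&lying, &PAIR_SUM, (Datum) 12345, &out));
    return 0;
}
```

The check only holds if the party declaring the type cannot also alter `FuncExpect` or the checking code, which is the second assumption the message calls fragile.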
