Jan Wieck <janwieck(at)Yahoo(dot)com> writes:
> the new EXECUTE command in PL/pgSQL is a security hole.
> PL/pgSQL is a trusted procedural language, meaning that
> regular users can write code in it. With the new EXECUTE
> command, someone could read and write arbitrary files under
> the postgres UNIX-userid using the COPY command.
Huh? This would only be true if all operations inside plpgsql are
executed as superuser, which they are not. Seems to me the existing
defense against non-superuser using COPY is sufficient.
regards, tom lane
In response to
pgsql-hackers by date
|Next:||From: KuroiNeko||Date: 2001-01-29 16:01:02|
|Subject: Re: Security hole in PL/pgSQL|
|Previous:||From: Tom Lane||Date: 2001-01-29 15:51:30|
|Subject: Re: [ANNOUNCE] PostgreSQL v7.1BETA4 Bundled and Available ... |