Skip site navigation (1) Skip section navigation (2)

Re: Security hole in PL/pgSQL

From: KuroiNeko <evpopkov(at)carrier(dot)kiev(dot)ua>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Security hole in PL/pgSQL
Date: 2001-01-29 16:01:02
Message-ID: 3A7593BE.nail1NF1IN0JY@ed.ed (view raw or flat)
Thread:
Lists: pgsql-hackers
> the new EXECUTE command in PL/pgSQL is a security hole.

 This actually  depends but I must  admit that I'm concerned  too. However,
the responsibility  for the results  should be split adequately  IMHO. DBAs
should  take care  about unathorized  access  to PGSQL  server, that's  why
pg_hba.conf  is there.  Programmers allowed  in  must make  sure that  only
relative paths or trusted directories are accessed (stripping out `../' and
prepending a  pre-defined path is  a must) Also, implementation  of EXECUTE
should probably rely upon execle() with environment dropped to known secure
minimum.
 Sorry if this all is already taken into consideration. Just want to second
Jan's statement.


--

 


In response to

pgsql-hackers by date

Next:From: robert gravsjoDate: 2001-01-29 16:19:21
Subject: Re: BLOB HOWTO??
Previous:From: Tom LaneDate: 2001-01-29 15:57:01
Subject: Re: Security hole in PL/pgSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group