From: | Gary Doades <gpd(at)gpdnet(dot)co(dot)uk> |
---|---|
To: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: Feature request: include script file into function body |
Date: | 2011-02-01 18:55:20 |
Message-ID: | 4D485718.6010402@gpdnet.co.uk |
Lists: | pgsql-bugs |
On 01/02/2011 6:50 PM, Steve White wrote:
> Hi again, all,
>
> OK I think I now know what the misunderstanding is.
>
>> [Please don't top-post. Rearranged for clarity.]
>>
>> Steve White<swhite(at)aip(dot)de> wrote:
>>> On 1.02.11, Tom Lane wrote:
>>>> Steve White<swhite(at)aip(dot)de> writes:
>>>>> It would be really nice to have a way to load script (especially
>>>>> Python and Perl) from a separate file into a function body.
>>>> This seems like a security hole, ie, you could use it to read any
>>>> file the backend has access to.
>>
>>> Isn't the \i command a similar security hole?
>>
>> That is run by a client program on a client machine. If that is
>> what you had in mind, a modification to the CREATE FUNCTION syntax
>> is probably not the way to go. Just to throw a hypothetical out
>> there, were you looking to effectively do a \i inside the string
>> literal which is the function body, picking up a *client-side* file?
>>
>> That has its own problems, of course, but I'm just trying to get us
>> onto the same page.
>>
>> -Kevin
>>
> I guess the "FROM filename" syntax wasn't a great choice, as it suggests
> something completely different from what I was otherwise describing.
> (In my own defense: I repeatedly qualified the syntax as a suggestion.)
>
> I *DO NOT MEAN* that a query should run about grabbing files off the
> server, or wherever.
>
> I meant something like the replacement that happens with the \i command
> in loading SQL, and under similar circumstances, except that somehow
> non-SQL code is loaded in a function body.
But functions *run* on the server, in the postgres server backend, so it
would have to grab files from the server, which is where the security
issue comes in.
The \i command *runs* on the client under your own account and reads
text into the *client*, not the server. The two things are completely
different and run in completely different places.
Cheers,
Gary.
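The client-side reading Gary describes (the way psql's \i works) is also the safe way to get a script file into a function body: the client reads the file under the user's own account and sends the server an ordinary dollar-quoted string literal, so no server-side file access is involved. This is an added example, not code from the thread; the helper names are assumptions, and it also handles bodies that contain `$$` (Perl's process id), which would otherwise terminate a plain `$$` quote early.

```python
r"""Build CREATE FUNCTION from a script file read on the client side.
Added example (hypothetical helpers), not code from this thread."""
import re
from pathlib import Path

# Dollar-quote tags and the identifiers we interpolate must be plain names.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def dollar_quote_tag(body: str) -> str:
    """Choose a dollar-quoting tag that does not occur in the body, so text
    such as Perl's $$ cannot close the string literal prematurely."""
    tag, n = "", 0
    while f"${tag}$" in body:
        n += 1
        tag = f"body{n}"
    return f"${tag}$"


def create_function_sql(name: str, args: str, returns: str,
                        language: str, body: str) -> str:
    """Emit CREATE OR REPLACE FUNCTION with the body as a string literal.
    name and language are interpolated into SQL, so they are validated."""
    for ident in (name, language):
        if not IDENT.match(ident):
            raise ValueError(f"not a plain identifier: {ident!r}")
    q = dollar_quote_tag(body)
    return (f"CREATE OR REPLACE FUNCTION {name}({args}) RETURNS {returns} AS "
            f"{q}\n{body}\n{q} LANGUAGE {language};")


def create_function_from_file(name: str, args: str, returns: str,
                              language: str, path) -> str:
    """The file is read here, in the client process, never by the backend."""
    return create_function_sql(name, args, returns, language,
                               Path(path).read_text())


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a PL/Perl body containing $$, the awkward case.
    with tempfile.TemporaryDirectory() as d:
        script = Path(d) / "pid.pl"
        script.write_text("return $$;")
        print(create_function_from_file("backend_pid", "", "integer",
                                        "plperl", script))
```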