
Re: Feature request: include script file into function body

From: Gary Doades <gpd(at)gpdnet(dot)co(dot)uk>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Feature request: include script file into function body
Date: 2011-02-01 18:55:20
Message-ID: 4D485718.6010402@gpdnet.co.uk
Lists: pgsql-bugs
On 01/02/2011 6:50 PM, Steve White wrote:
> Hi again, all,
>
> OK I think I now know what the misunderstanding is.
>
>> [Please don't top-post.  Rearranged for clarity.]
>>
>> Steve White<swhite(at)aip(dot)de>  wrote:
>>> On  1.02.11, Tom Lane wrote:
>>>> Steve White<swhite(at)aip(dot)de>  writes:
>>>>> It would be really nice to have a way to load script (especially
>>>>> Python and Perl) from a separate file into a function body.
>>>> This seems like a security hole, ie, you could use it to read any
>>>> file the backend has access to.
>>
>>> Isn't the \i command a similar security hole?
>>
>> That is run by a client program on a client machine.  If that is
>> what you had in mind, a modification to the CREATE FUNCTION syntax
>> is probably not the way to go.  Just to throw a hypothetical out
>> there, were you looking to effectively do a \i inside the string
>> literal which is the function body, picking up a *client-side* file?
>>
>> That has its own problems, of course, but I'm just trying to get us
>> onto the same page.
>>
>> -Kevin
>>
> I guess the "FROM filename" syntax wasn't a great choice, as it suggests
> something completely different from what I was otherwise describing.
> (In my own defense: I repeatedly qualified the syntax as a suggestion.)
>
> I *DO NOT MEAN* that a query should run about grabbing files off the
> server, or wherever.
>
> I meant something like the replacement that happens with the \i command
> in loading SQL, and under similar circumstances, except that somehow
> non-SQL code is loaded in a function body.
But functions *run* on the server, in the postgres server backend, so it 
would have to grab files from the server, which is where the security 
issue comes in.

The \i command *runs* on the client under your own account and reads 
text into the *client*, not the server. The two things are completely 
different and run in completely different places.

Cheers,
Gary.
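As an added example, not from the thread or from the PostgreSQL project: the distinction Gary draws can be made concrete by doing the file read where \i does it, on the client under the invoking user's own account, and sending the server nothing but a finished CREATE FUNCTION statement. The shell function below reads a local script file, wraps it in a dollar-quoted string literal and prints the statement; the function name, the PL/Python language name and the sample body file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread or from PostgreSQL).
# The script file is read here, on the client, by the user running this
# shell; the server only receives the resulting string literal, so no
# server-side file access is involved. Function name, language and the
# sample file below are assumptions for illustration.

# Usage: build_create_function <function_name> <language> <body_file>
# Prints the CREATE FUNCTION statement on stdout; pipe it into psql.
build_create_function() {
    fn_name=$1
    fn_lang=$2
    body_file=$3

    # The read happens client-side: fail clearly if the file is not readable.
    if [ ! -r "$body_file" ]; then
        echo "cannot read $body_file" >&2
        return 1
    fi

    # Dollar quoting avoids escaping quotes inside the script body. A body
    # that contained the tag itself would end the literal early, so refuse
    # it rather than emit a malformed statement.
    tag='$fn_body$'
    if grep -qF "$tag" "$body_file"; then
        echo "body contains the quoting tag $tag" >&2
        return 1
    fi

    printf 'CREATE OR REPLACE FUNCTION %s() RETURNS text AS %s\n' "$fn_name" "$tag"
    cat "$body_file"
    printf '%s LANGUAGE %s;\n' "$tag" "$fn_lang"
}

# Constructed sample: a one-line PL/Python body kept in a local file.
# Returns the path of the temporary file it wrote.
make_sample_body() {
    sample=${TMPDIR:-/tmp}/fn_body_sample.$$
    printf 'return "hello from a client-side file"\n' > "$sample"
    echo "$sample"
}

# Stand-alone run: print the statement (pipe into psql to create the function).
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_body)
    build_create_function hello_from_file plpythonu "$f"
    rm -f "$f"
fi
```

Running `sh this_script.sh demo | psql dbname` creates the function with the body taken from the local file; PL/Python must be installed in the target database for the statement to succeed. The same effect is available inside psql alone, since `\set body `cat func.py`` followed by `:'body'` in the CREATE FUNCTION statement performs the file read client-side as well.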

