Re: Feature request: include script file into function body

From: Gary Doades <gpd(at)gpdnet(dot)co(dot)uk>
To: pgsql-bugs(at)postgresql(dot)org
Subject: Re: Feature request: include script file into function body
Date: 2011-02-01 18:55:20
Message-ID: 4D485718.6010402@gpdnet.co.uk
Lists: pgsql-bugs

On 01/02/2011 6:50 PM, Steve White wrote:
> Hi again, all,
>
> OK I think I now know what the misunderstanding is.
>
>> [Please don't top-post. Rearranged for clarity.]
>>
>> Steve White<swhite(at)aip(dot)de> wrote:
>>> On 1.02.11, Tom Lane wrote:
>>>> Steve White<swhite(at)aip(dot)de> writes:
>>>>> It would be really nice to have a way to load script (especially
>>>>> Python and Perl) from a separate file into a function body.
>>>> This seems like a security hole, ie, you could use it to read any
>>>> file the backend has access to.
>>
>>> Isn't the \i command a similar security hole?
>>
>> That is run by a client program on a client machine. If that is
>> what you had in mind, a modification to the CREATE FUNCTION syntax
>> is probably not the way to go. Just to throw a hypothetical out
>> there, were you looking to effectively do a \i inside the string
>> literal which is the function body, picking up a *client-side* file?
>>
>> That has its own problems, of course, but I'm just trying to get us
>> onto the same page.
>>
>> -Kevin
>>
> I guess the "FROM filename" syntax wasn't a great choice, as it suggests
> something completely different from what I was otherwise describing.
> (In my own defense: I repeatedly qualified the syntax as a suggestion.)
>
> I *DO NOT MEAN* that a query should run about grabbing files off the
> server, or wherever.
>
> I meant something like the replacement that happens with the \i command
> in loading SQL, and under similar circumstances, except that somehow
> non-SQL code is loaded in a function body.
But functions *run* on the server, in the postgres server backend, so it
would have to grab files from the server, which is where the security
issue comes in.

The \i command *runs* on the client under your own account and reads
text into the *client*, not the server. The two things are completely
different and run in completely different places.

Cheers,
Gary.
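The client-side alternative that this thread keeps circling back to can be done without any new CREATE FUNCTION syntax: let the client read the file and ship the script to the server inside a string literal, so the backend never sees a filename. The following is an added example written for this page, not code from the thread or from PostgreSQL; the function name, argument list and file path are invented. It builds a CREATE FUNCTION statement from a local file and picks a dollar-quote tag that does not occur in the file, because a body containing the tag would terminate the literal early and turn the rest of the script into SQL executed with the caller's privileges.

```shell
#!/bin/sh
# Added example (not from the pgsql-bugs thread): compose CREATE FUNCTION on
# the client from a local script file, the way \i works, so the server only
# receives a string literal and never reads the file itself.

# Choose a dollar-quote tag that is not present in the body. If the body
# contained the tag, the literal would end there and whatever follows would
# be parsed as SQL: injection via the script being included.
pick_tag() {
    body="$1"
    tag='$body$'
    n=0
    while printf '%s' "$body" | grep -qF "$tag"; do
        n=$((n + 1))
        tag="\$body$n\$"
    done
    printf '%s' "$tag"
}

# emit_create_function NAME ARGS RETURNTYPE LANGUAGE FILE
# Prints a CREATE OR REPLACE FUNCTION statement whose body is FILE's content.
# All names here are hypothetical; FILE is read on the client, not the server.
emit_create_function() {
    name="$1"; args="$2"; rettype="$3"; lang="$4"; file="$5"
    body=$(cat "$file"; printf x)   # trailing x keeps the file's final newlines
    body=${body%x}
    tag=$(pick_tag "$body")
    printf 'CREATE OR REPLACE FUNCTION %s(%s) RETURNS %s AS %s\n%s%s LANGUAGE %s;\n' \
        "$name" "$args" "$rettype" "$tag" "$body" "$tag" "$lang"
}

# Usage (hypothetical paths): pipe the statement into psql as an ordinary query.
#   emit_create_function add_one 'x integer' integer plpythonu ./add_one.py | psql mydb
```

The statement that reaches the server is indistinguishable from one typed by hand, which is exactly why it raises no new server-side concern: the file read happens under the client user's own account. On psql 9.0 or later the same thing can be done inside a script with `\set body `cat add_one.py`` and `AS :'body'`, which quotes the variable as a literal. The server-side read that Tom and Gary object to already exists as `pg_read_file()` and is restricted to superusers for precisely the reason given in this thread.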
