Re: [patch] fix dblink security hole

From: David Fetter <david(at)fetter(dot)org>
To: Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: Marko Kreen <markokr(at)gmail(dot)com>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>, Joe Conway <mail(at)joeconway(dot)com>
Subject: Re: [patch] fix dblink security hole
Date: 2008-09-12 17:21:25
Message-ID: 20080912172125.GQ27694@fetter.org
Lists: pgsql-hackers

On Fri, Sep 12, 2008 at 01:14:36PM -0400, Alvaro Herrera wrote:
> Marko Kreen escribió:
> > Currently dblink allows regular users to initiate libpq connection
> > to user-provided connection string. This breaks the default
> > policy that normal users should not be allowed to freely interact
> > with outside environment.
>
> Since people are now working on implementing the SQL/MED stuff to
> manage connections,

I don't see any code for this. Is there some?

> should we bounce this patch? With luck, the CREATE CONNECTION (?)
> stuff will be done for the next commitfest and we can just switch
> dblink to use that instead.

That would be great :)

> http://archives.postgresql.org/message-id/e51f66da0809050539x1b25ebb9t7fd664fd67b9f607@mail.gmail.com
>
> Thoughts? Can we really expect SQL/MED connection mgmt to be done
> for the next fest?

Connection management would be awesome. The whole SQL/MED spec is
gigantic, tho. Should we see about an implementation roadmap for the
parts we care about?

Cheers,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david(dot)fetter(at)gmail(dot)com

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
