Re: Feature request: include script file into function body

Hi Pavel,

On 1.02.11, Pavel Stehule wrote:
> Hello
>
> 2011/2/1 Steve White <swhite(at)aip(dot)de>:
> > Hi Tom,
> >
> > This seems like a detail that is beside the point I'm making.
> > But security is important, so let's think about it.
> >
> > PostgreSQL has an \i command, which loads the text from any readable file
> > interpretes and executes it as further PostgreSQL commands.  I'm proposing
> > a similar mechanism that would load a file containing script language, and
> > process it as though it were in the current funcition body.
> >
> > Isn't the \i command a similar security hole?
>
> if you ran psql under "postgres" account, then it is.
>
> I don't think, so your idea is good too. What about caching? Code of
> stored procedures stays in session cache. Who will ensure, so your
> cache is fresh?
>
Another good point that is beside the point I was making.

But OK we can discuss that too. I would think, it should work exactly as
if the text had been textually included, the first time the function is
compiled, exactly as the inline text is handled now.

> Why you need a direct link to source files?
>
There are several reasons, a couple of which are mentioned in the
discussion in the pgsql-general list.
http://archives.postgresql.org/pgsql-general/2011-01/msg00870.php

Cheers!

> Regards
>
> Pavel Stehule
>
> >
> > If somehow loading script text for a function is substantially different
> > from loading it by \i, and if there is some problem, it seems to me that
> > some simple restriction could solve it, such as restricting the directories
> > from which such files can be read.  But I'm just guessing here.
> >
> > I'll leave it to the security experts explicitly by amending my original
> > proposal with this:
> >
> >        " -- without doing anything stupid that would open a security hole."
> >
> > Cheers again!
> >
> >
> > On  1.02.11, Tom Lane wrote:
> >> Steve White <swhite(at)aip(dot)de> writes:
> >> > It would be really nice to have a way to load script (especially Python
> >> > and Perl) from a separate file into a function body.
> >>
> >> This seems like a security hole, ie, you could use it to read any file
> >> the backend has access to.
> >>
> >>                       regards, tom lane
> >>
> >
> > --
> > | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> > | Steve White                                             +49(331)7499-202
> > | E-Science                                        Zi. 27  Villa Turbulenz
> > | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> > | Astrophysikalisches Institut Potsdam (AIP)
> > | An der Sternwarte 16, D-14482 Potsdam
> > |
> > | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> > |
> > | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
> > | -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
> >
> > --
> > Sent via pgsql-bugs mailing list (pgsql-bugs(at)postgresql(dot)org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-bugs
> >
>

--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| E-Science Zi. 27 Villa Turbulenz
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -