Quick Links

Re: [patch] plproxy v2

From:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To:	"Marko Kreen" <markokr(at)gmail(dot)com>
Cc:	"Andrew Sullivan" <ajs(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject:	Re: [patch] plproxy v2
Date:	2008-07-22 15:25:57
Message-ID:	28667.1216740357@sss.pgh.pa.us
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

"Marko Kreen" <markokr(at)gmail(dot)com> writes:
> And user can execute only pre-determines queries/functions on system2.

If that were actually the case then the security issue wouldn't loom
quite so large, but the dynamic_query example in the plproxy regression
tests provides a perfect example of how to ruin your security.

> Do you still see a big hole?

Truck-sized, at least.

The complaint here is not that it's impossible to use plproxy securely;
the complaint is that it's so very easy to use it insecurely.

regards, tom lane

In response to

Re: [patch] plproxy v2 at 2008-07-22 14:50:05 from Marko Kreen

Responses

Re: [patch] plproxy v2 at 2008-07-24 16:01:00 from Hannu Krosing

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Simon Riggs	2008-07-22 15:35:06	Plans for 8.4
Previous Message	Zdenek Kotala	2008-07-22 15:25:31	Re: pltcl_*mod commands are broken on Solaris 10