Skip site navigation (1) Skip section navigation (2)

Re: Security hole in PL/pgSQL

From: KuroiNeko <evpopkov(at)carrier(dot)kiev(dot)ua>
To: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Security hole in PL/pgSQL
Date: 2001-01-29 16:01:02
Message-ID: 3A7593BE.nail1NF1IN0JY@ed.ed (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
> the new EXECUTE command in PL/pgSQL is a security hole.

 This actually  depends but I must  admit that I'm concerned  too. However,
the responsibility  for the results  should be split adequately  IMHO. DBAs
should  take care  about unathorized  access  to PGSQL  server, that's  why
pg_hba.conf  is there.  Programmers allowed  in  must make  sure that  only
relative paths or trusted directories are accessed (stripping out `../' and
prepending a  pre-defined path is  a must) Also, implementation  of EXECUTE
should probably rely upon execle() with environment dropped to known secure
 Sorry if this all is already taken into consideration. Just want to second
Jan's statement.



In response to

pgsql-hackers by date

Next:From: robert gravsjoDate: 2001-01-29 16:19:21
Subject: Re: BLOB HOWTO??
Previous:From: Tom LaneDate: 2001-01-29 15:57:01
Subject: Re: Security hole in PL/pgSQL

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group