| From: | Mladen Gogala <mladen(dot)gogala(at)vmsinfo(dot)com> |
|---|---|
| To: | Michael Wood <esiotrot(at)gmail(dot)com> |
| Cc: | Andrej <andrej(dot)groups(at)gmail(dot)com>, Amish <amish(dot)pandya(at)in(dot)com>, "pgsql-novice(at)postgresql(dot)org" <pgsql-novice(at)postgresql(dot)org> |
| Subject: | Re: ERROR: invalid datatype 'FILE' |
| Date: | 2011-02-02 13:38:55 |
| Message-ID: | 4D495E6F.8070005@vmsinfo.com |
| Lists: | pgsql-novice |
Michael Wood wrote:
> I'll have to object to the "bug free" comment :)
>
> You don't check if the fopen() call succeeded.
>
> Also, if this code is run as root (e.g. from a cron job) then a local
> user could convince it to overwrite any arbitrary file just by
> creating a symlink in /tmp pointing to the file to overwrite (assuming
> /tmp/aaa doesn't exist before the malicious user creates the symlink,
> of course.)
>
>
You are correct, I admit my programming sins. With two bugs in two lines
of code, I am as good as Microsoft or Oracle. I'll have to start making
contributions to the Postgres community.
--
Mladen Gogala
Sr. Oracle DBA
1500 Broadway
New York, NY 10036
(212) 329-5251
www.vmsinfo.com
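
Both points from the quoted review, shown in C as an added example that is not code from this thread: the open result is checked, and the file is created exclusively so a pre-planted symlink is refused instead of followed. `create_exclusive` and `victim_size_after` are hypothetical names, and the demo runs in a constructed private directory rather than on `/tmp/aaa` itself.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create `path` for writing, refusing any name that
 * already exists. Returns NULL on failure. */
FILE *create_exclusive(const char *path)
{
    /* O_CREAT|O_EXCL fails with EEXIST if the name exists, even as a symlink;
     * O_NOFOLLOW is an extra guard; 0600 keeps the new file private. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario in a private mkdtemp() dir: "aaa" is already a symlink
 * to "victim" (4 bytes). Returns victim's size afterwards, -1 on setup error. */
long victim_size_after(int use_exclusive)
{
    char dir[] = "/tmp/symdemoXXXXXX", victim[64], lnk[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/aaa", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs("keep", v) == EOF || fclose(v) != 0
        || symlink(victim, lnk) != 0)
        return -1;
    FILE *fp = use_exclusive ? create_exclusive(lnk) : fopen(lnk, "w");
    if (fp != NULL)
        fclose(fp);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("fopen \"w\": %ld bytes left, exclusive create: %ld bytes left\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With plain `fopen(..., "w")` the symlink target is truncated to 0 bytes; with the exclusive create the open fails and the target keeps its 4 bytes.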