Re: import/export of large objects on server-side

From: "Klaus Reger" <K(dot)Reger(at)twc(dot)de>
To: tgl(at)sss(dot)pgh(dot)pa(dot)us
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: import/export of large objects on server-side
Date: 2001-11-16 12:33:51
Message-ID: 62812.193.158.34.193.1005914031.squirrel@emailbox24.de
Lists: pgsql-hackers

-------- Original Message --------
Subject: Re: [HACKERS] import/export of large objects on server-side
From: "Klaus Reger" <K(dot)Reger(at)twc(dot)de>
To: <tgl(at)sss(dot)pgh(dot)pa(dot)us>

> Use the client-side LO import/export functions, instead.
>
>OK, I've read the config.h and the sources. I agree that this can be a
>security hole. But for our application we need lo-access from
>PL/PGSQL-Procedures (explicitly on the server). We have to check out
>documents, work with them and then check the next version in.
>
>What about a configuration-file entry, in the matter
>LO_DIR=/directory or none (which is the default).
>For our product we want to be compatible with the original sources of Pg,
>avoiding own patches in every new version.

Hi,

I've made a patch that introduces an entry in the PostgreSQL config file.
You can set a directory where all imports/exports can happen. If nothing
is set (the default), no imports/exports on the server-side are allowed.

To enhance the security, no reading/writing is allowed from/to non-regular
files (block-devs, symlinks, etc.)

I hope that this patch is secure enough and will be integrated.

Regards, Klaus

Attachment Content-Type Size
lo_imp_exp.diff application/octet-stream 8.1 KB
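
The policy described in the message above (imports confined to one configured directory, refused entirely when none is set, regular files only), sketched as an added example; it is not taken from the attached lo_imp_exp.diff and is not PostgreSQL code. The function `lo_open_for_import` and its `lo_dir` parameter are hypothetical names, and the sketch assumes a POSIX system.

```c
#define _XOPEN_SOURCE 700   /* realpath(), O_NOFOLLOW */
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper. lo_dir == NULL models the "nothing set" default:
 * every server-side import is refused.
 * Returns an open read-only descriptor, or -1 if the path is refused. */
int lo_open_for_import(const char *lo_dir, const char *path)
{
    char base[PATH_MAX], real[PATH_MAX];
    struct stat st;
    size_t n;
    int fd;

    if (lo_dir == NULL || realpath(lo_dir, base) == NULL)
        return -1;                  /* feature disabled or bad setting */

    /* O_NOFOLLOW refuses a symlink as the final path component;
     * O_NONBLOCK keeps open() from blocking on a FIFO before the
     * file type has been inspected. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* Check the descriptor rather than the name, so the type test
     * applies to the object that will actually be read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        goto refuse;

    /* Resolve ".." and symlinked parent directories, then require the
     * result to lie below base. The '/' boundary test stops a sibling
     * such as /srv/lo_evil from passing as /srv/lo. */
    if (realpath(path, real) == NULL)
        goto refuse;
    n = strlen(base);
    if (strncmp(real, base, n) != 0 || real[n] != '/')
        goto refuse;
    return fd;

refuse:
    close(fd);
    return -1;
}
```

The same containment and file-type checks apply on the export side, where the target's parent directory is resolved instead because the file may not exist yet.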
