From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Steve White <swhite(at)aip(dot)de> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: Feature request: include script file into function body |
Date: | 2011-02-01 17:00:13 |
Message-ID: | AANLkTimyizgftsdi4br6U=heyhBFs4kUYOYm10DS+-5e@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Hello
2011/2/1 Steve White <swhite(at)aip(dot)de>:
> Hi Tom,
>
> This seems like a detail that is beside the point I'm making.
> But security is important, so let's think about it.
>
> PostgreSQL has an \i command, which loads the text from any readable file
> interpretes and executes it as further PostgreSQL commands. I'm proposing
> a similar mechanism that would load a file containing script language, and
> process it as though it were in the current funcition body.
>
> Isn't the \i command a similar security hole?
if you ran psql under "postgres" account, then it is.
I don't think, so your idea is good too. What about caching? Code of
stored procedures stays in session cache. Who will ensure, so your
cache is fresh?
Why you need a direct link to source files?
Regards
Pavel Stehule
>
> If somehow loading script text for a function is substantially different
> from loading it by \i, and if there is some problem, it seems to me that
> some simple restriction could solve it, such as restricting the directories
> from which such files can be read. But I'm just guessing here.
>
> I'll leave it to the security experts explicitly by amending my original
> proposal with this:
>
> " -- without doing anything stupid that would open a security hole."
>
> Cheers again!
>
>
> On 1.02.11, Tom Lane wrote:
>> Steve White <swhite(at)aip(dot)de> writes:
>> > It would be really nice to have a way to load script (especially Python
>> > and Perl) from a separate file into a function body.
>>
>> This seems like a security hole, ie, you could use it to read any file
>> the backend has access to.
>>
>> regards, tom lane
>>
>
> --
> | - - - - - - - - - - - - - - - - - - - - - - - - -
> | Steve White +49(331)7499-202
> | E-Science Zi. 27 Villa Turbulenz
> | - - - - - - - - - - - - - - - - - - - - - - - - -
> | Astrophysikalisches Institut Potsdam (AIP)
> | An der Sternwarte 16, D-14482 Potsdam
> |
> | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> |
> | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
> | - - - - - - - - - - - - - - - - - - - - - - - - -
>
> --
> Sent via pgsql-bugs mailing list (pgsql-bugs(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-bugs
>
From | Date | Subject | |
---|---|---|---|
Next Message | Kevin Grittner | 2011-02-01 17:14:26 | Re: Feature request: include script file into function body |
Previous Message | Steve White | 2011-02-01 16:44:22 | Re: Feature request: include script file into function body |