From: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
---|---|
To: | Gilles Darold <gilles(dot)darold(at)dalibo(dot)com> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: proposal: psql \setfileref |
Date: | 2016-10-09 09:48:53 |
Message-ID: | CAFj8pRAuev1+MxJCjJDr1q-E_1OgwxnP_4keJrRaTuwQt4n_JA@mail.gmail.com |
Lists: | pgsql-hackers |
hi
2016-10-04 9:18 GMT+02:00 Gilles Darold <gilles(dot)darold(at)dalibo(dot)com>:
> On 03/10/2016 at 23:23, Gilles Darold wrote:
> > On 03/10/2016 at 23:03, Robert Haas wrote:
> >> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gilles(at)darold(dot)net> wrote:
> >>> 4) Another problem is that like this, this patch will allow anyone to upload into a
> >>> column the content of any system file that can be read by the postgres system user
> >>> and then allow a non-system user to read its content.
> >> I thought this was a client-side feature, so that it would let a
> >> client upload any file that the client can read, but not things that
> >> can only be read by the postgres system user.
> >>
> > Yes that's right, sorry for the noise, forget this fourth report.
> >
>
> After some more thought there is still a security issue here. For a
> PostgreSQL user who also has login access to the server, it is possible
> to read any file that the postgres system user can read, especially a
> .pgpass or a recovery.conf containing a password.
>
here is a new update - some mentioned issues are fixed + regress tests and
docs
regards
Pavel
>
>
> --
> Gilles Darold
> Consultant PostgreSQL
> http://dalibo.com - http://dalibo.org
Attachment | Content-Type | Size |
---|---|---|
psql-setfileref-2016-10-09.patch | text/x-patch | 16.6 KB |