| From: | Gilles Darold <gilles(dot)darold(at)dalibo(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: proposal: psql \setfileref |
| Date: | 2016-10-04 07:18:02 |
| Message-ID: | eea311ad-e820-90b5-fc51-bd62b6709760@dalibo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Le 03/10/2016 à 23:23, Gilles Darold a écrit :
> Le 03/10/2016 à 23:03, Robert Haas a écrit :
>> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gilles(at)darold(dot)net> wrote:
>>> 4) An other problem is that like this this patch will allow anyone to upload into a
>>> column the content of any system file that can be read by postgres system user
>>> and then allow non system user to read its content.
>> I thought this was a client-side feature, so that it would let a
>> client upload any file that the client can read, but not things that
>> can only be read by the postgres system user.
>>
> Yes that's right, sorry for the noise, forget this fourth report.
>
After some more though there is still a security issue here. For a
PostgreSQL user who also have login acces to the server, it is possible
to read any file that the postgres system user can read, especially a
.pgpass or a recovery.conf containing password.
--
Gilles Darold
Consultant PostgreSQL
http://dalibo.com - http://dalibo.org
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Haribabu Kommi | 2016-10-04 07:37:25 | Re: BUG #14350: VIEW with INSTEAD OF INSERT TRIGGER and COPY. Missing feature or working as designed. |
| Previous Message | Michael Paquier | 2016-10-04 07:15:23 | Re: PATCH: Batch/pipelining support for libpq |