Hello

2011/2/1 Steve White <swh...@aip.de>:
> Hi Tom,
>
> This seems like a detail that is beside the point I'm making.
> But security is important, so let's think about it.
>
> PostgreSQL has an \i command, which loads the text from any readable file,
> interprets it and executes it as further PostgreSQL commands. I'm proposing
> a similar mechanism that would load a file containing script language, and
> process it as though it were in the current function body.
>
> Isn't the \i command a similar security hole?

If you ran psql under the "postgres" account, then it is. I don't think so, your idea is good too. What about caching? Code of stored procedures stays in the session cache. Who will ensure that your cache is fresh? Why do you need a direct link to source files?

Regards
Pavel Stehule

>
> If somehow loading script text for a function is substantially different
> from loading it by \i, and if there is some problem, it seems to me that
> some simple restriction could solve it, such as restricting the directories
> from which such files can be read. But I'm just guessing here.
>
> I'll leave it to the security experts explicitly by amending my original
> proposal with this:
>
> " -- without doing anything stupid that would open a security hole."
>
> Cheers again!
>
>
> On 1.02.11, Tom Lane wrote:
>> Steve White <swh...@aip.de> writes:
>> > It would be really nice to have a way to load script (especially Python
>> > and Perl) from a separate file into a function body.
>>
>> This seems like a security hole, ie, you could use it to read any file
>> the backend has access to.
>>
>> regards, tom lane
>>
>
> --
> | Steve White +49(331)7499-202
> | E-Science Zi. 27 Villa Turbulenz
> | Astrophysikalisches Institut Potsdam (AIP)
> | An der Sternwarte 16, D-14482 Potsdam
> |
> | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> |
> | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
>
> --
> Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-bugs