Hi Pavel, On 1.02.11, Pavel Stehule wrote: > Hello > > 2011/2/1 Steve White <swh...@aip.de>: > > Hi Tom, > > > > This seems like a detail that is beside the point I'm making. > > But security is important, so let's think about it. > > > > PostgreSQL has an \i command, which loads the text from any readable file > > interpretes and executes it as further PostgreSQL commands. I'm proposing > > a similar mechanism that would load a file containing script language, and > > process it as though it were in the current funcition body. > > > > Isn't the \i command a similar security hole? > > if you ran psql under "postgres" account, then it is. > > I don't think, so your idea is good too. What about caching? Code of > stored procedures stays in session cache. Who will ensure, so your > cache is fresh? > Another good point that is beside the point I was making.
But OK we can discuss that too. I would think, it should work exactly as if the text had been textually included, the first time the function is compiled, exactly as the inline text is handled now. > Why you need a direct link to source files? > There are several reasons, a couple of which are mentioned in the discussion in the pgsql-general list. http://archives.postgresql.org/pgsql-general/2011-01/msg00870.php Cheers! > Regards > > Pavel Stehule > > > > > If somehow loading script text for a function is substantially different > > from loading it by \i, and if there is some problem, it seems to me that > > some simple restriction could solve it, such as restricting the directories > > from which such files can be read. But I'm just guessing here. > > > > I'll leave it to the security experts explicitly by amending my original > > proposal with this: > > > > " -- without doing anything stupid that would open a security hole." > > > > Cheers again! > > > > > > On 1.02.11, Tom Lane wrote: > >> Steve White <swh...@aip.de> writes: > >> > It would be really nice to have a way to load script (especially Python > >> > and Perl) from a separate file into a function body. > >> > >> This seems like a security hole, ie, you could use it to read any file > >> the backend has access to. > >> > >> regards, tom lane > >> > > > > -- > > | - - - - - - - - - - - - - - - - - - - - - - - - - > > | Steve White +49(331)7499-202 > > | E-Science Zi. 27 Villa Turbulenz > > | - - - - - - - - - - - - - - - - - - - - - - - - - > > | Astrophysikalisches Institut Potsdam (AIP) > > | An der Sternwarte 16, D-14482 Potsdam > > | > > | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz > > | > > | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026 > > | - - - - - - - - - - - - - - - - - - - - - - - - - > > > > -- > > Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) > > To make changes to your subscription: > > http://www.postgresql.org/mailpref/pgsql-bugs > > > -- | - - - - - - - - - - - - - - - - - - - - - - - - - | Steve White +49(331)7499-202 | E-Science Zi. 27 Villa Turbulenz | - - - - - - - - - - - - - - - - - - - - - - - - - | Astrophysikalisches Institut Potsdam (AIP) | An der Sternwarte 16, D-14482 Potsdam | | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz | | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026 | - - - - - - - - - - - - - - - - - - - - - - - - - -- Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-bugs
