On 01/02/2011 6:50 PM, Steve White wrote:
Hi again, all,

OK I think I now know what the misunderstanding is.

[Please don't top-post.  Rearranged for clarity.]

Steve White <swh...@aip.de> wrote:
On  1.02.11, Tom Lane wrote:
Steve White <swh...@aip.de> writes:
It would be really nice to have a way to load script (especially
Python and Perl) from a separate file into a function body.
This seems like a security hole, ie, you could use it to read any
file the backend has access to.

Isn't the \i command a similar security hole?

That is run by a client program on a client machine.  If that is
what you had in mind, a modification to the CREATE FUNCTION syntax
is probably not the way to go.  Just to throw a hypothetical out
there, were you looking to effectively do a \i inside the string
literal which is the function body, picking up a *client-side* file?

That has its own problems, of course, but I'm just trying to get us
onto the same page.

-Kevin

I guess the "FROM filename" syntax wasn't a great choice, as it suggests
something completely different from what I was otherwise describing.
(In my own defense: I repeatedly qualified the syntax as a suggestion.)

I *DO NOT MEAN* that a query should run about grabbing files off the
server, or wherever.

I meant something like the replacement that happens with the \i command
in loading SQL, and under similar circumstances, except that somehow
non-SQL code is loaded in a function body.
But functions *run* on the server, in the postgres server backend, so it would have to grab files from the server, which is where the security issue comes in.

The \i command *runs* on the client under your own account and reads text into the *client*, not the server. The two things are completely different and run in completely different places.

Cheers,
Gary.
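The client-side alternative Gary and Kevin are pointing at, as an added example that is not part of the thread: the client process reads the local script file (exactly as \i would) and assembles the CREATE FUNCTION statement itself, so the backend never opens a file. The function name, argument list, return type and the `plpythonu` language name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a CREATE FUNCTION statement on the
# client from a local script file, so the server never reads a file itself.
# Function name, signature and language below are hypothetical placeholders.

# Pick a dollar-quote tag that does not occur in the body, so an arbitrary
# script (which may itself contain $$ or $fn$) cannot terminate the string
# literal early and inject SQL.
pick_tag() {
    body=$1
    tag='$fn$'
    n=0
    while printf '%s' "$body" | grep -qF -- "$tag"; do
        n=$((n + 1))
        tag="\$fn${n}\$"
    done
    printf '%s' "$tag"
}

# Emit the full statement for a script file. The file is read here, by the
# client-side process under the user's own account, not by the backend.
make_create_function() {
    name=$1
    file=$2
    lang=${3:-plpythonu}
    body=$(cat "$file")
    tag=$(pick_tag "$body")
    printf 'CREATE FUNCTION %s() RETURNS text AS %s\n%s\n%s LANGUAGE %s;\n' \
        "$name" "$tag" "$body" "$tag" "$lang"
}

# Constructed sample script for a stand-alone run (contains $$ on purpose).
tmp=$(mktemp)
printf 'return "hello from $$ inside the body"\n' > "$tmp"
make_create_function my_func "$tmp"
rm -f "$tmp"
```

The printed statement can be piped into psql like any other SQL; only the resulting text crosses to the server.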


--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
