> the new EXECUTE command in PL/pgSQL is a security hole.

This actually depends, but I must admit that I'm concerned too. However,
the responsibility for the results should be split adequately IMHO. DBAs
should take care of unauthorized access to the PGSQL server; that's why
pg_hba.conf is there. Programmers allowed in must make sure that only
relative paths or trusted directories are accessed (stripping out `../' and
prepending a pre-defined path is a must). Also, the implementation of EXECUTE
should probably rely upon execle() with the environment dropped to a known
secure minimum.

Sorry if this all is already taken into consideration. Just want to second
Jan's statement.


--

 A meowing cat catches no mice.
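
The two measures the message recommends (confining paths to a trusted directory, and calling execle() with a minimal environment), as an added example that is not part of the original post and is not PostgreSQL code. The names `confine_path` and `run_clean` and the environment values are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: write base + "/" + rel into out. Absolute paths and any
 * ".." component are refused outright instead of being stripped, because
 * stripping can leave a new ".." behind. Returns 0 on success, -1 on refusal. */
int confine_path(const char *base, const char *rel, char *out, size_t outlen)
{
    if (rel[0] == '\0' || rel[0] == '/')
        return -1;
    for (const char *p = rel; *p; ) {
        size_t n = strcspn(p, "/");          /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        p += n;
        while (*p == '/')                    /* skip separator(s) */
            p++;
    }
    int w = snprintf(out, outlen, "%s/%s", base, rel);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;   /* refuse truncation */
}

/* Hypothetical helper: run an absolute program path through execle() with a
 * fixed environment, so nothing is inherited from the caller.
 * Returns the child's exit status, or -1 on error. */
int run_clean(const char *prog, const char *arg)
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };
    if (prog[0] != '/')                      /* no PATH lookup, no relative names */
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execle(prog, prog, arg, (char *)NULL, envp);
        _exit(127);                          /* reached only if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

`confine_path` is purely lexical: a symlink inside the base directory can still point elsewhere, so resolve the result with realpath() and compare its prefix against the base before opening it.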
