On Tue, Mar 02, 2010 at 07:33:47PM -0500, Andrew Dunstan wrote: > > There appears to be some significant misunderstanding of what can be > done effectively using the various *_init settings for plperl. > > In particular, some people have got an expectation that modules > loaded in plperl.on_init will thereby be available for use in > trusted plperl. > > I propose to add the following note to the docs: > > Preloading modules using plperl.on_init does not make them available > for use by plperl. External perl modules can only be used in plperlu. > > Comments?
Sounds good. FYI the maintainers of Safe are aware of (at least) two exploits which are being considered at the moment. You might want to soften the wording in http://developer.postgresql.org/pgdocs/postgres/plperl-trusted.html "There is no way to ..." is a stronger statement than can be justified. The docs for Safe http://search.cpan.org/~rgarcia/Safe-2.23/Safe.pm#WARNING say "The authors make no warranty, implied or otherwise, about the suitability of this software for safety or security purposes". Tim. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
