On Tue, Feb 9, 2016 at 3:26 PM, Stephen Frost <sfr...@snowman.net> wrote:
> Arbitrary code execution is quite a different concern from the prior
> concern regarding incomplete dumps.

I've had both concerns all along, and I think I've mentioned them before.

> To the extent that untrusted code execution is an issue (and my
> experience with environments which would deploy RLS tells me that it
> isn't a practical concern), an option could be created which would cause
> an error to be thrown on non-catalog RLS being run.

There's a major release already in the wild that doesn't behave that way. And anyway I think that's missing the point: it's true that features that are turned off don't cause problems, but features that are turned on shouldn't break things either.

> When it comes to multi-tenancy environments, as this thread is about,
> chances are the only tables you can see are ones which you own or are
> owned by a trusted user, which is why I don't view this as a practical
> concern, but I'm not against having a solution to address the issue
> raised regarding arbitrary code execution, provided it doesn't create
> more problems than it purports to solve.

Well, I'm against accepting this patch without such a solution.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers