Le mardi 1 juillet 2014 06:59:49 Albe Laurenz a écrit :
> Michael Paquier wrote:
>
> > After sleeping on it, I have put my hands on the postgres_fdw portion and
> > came up with a largelysimplified flow, resulting in the patch attached.
>
>
> [...]
>
>
> > Ronan, what do you think of those patches? I have nothing more to add, and
> > I think that they should belooked by a committer. Particularly the FDW
> > API that is perhaps not the best fit, but let's see some extra opinions
> > about that.
The remote_schema parameter can be used for SQL injection. Either we should go
back to using parameters, or be extra careful. Since the remote schema is
parsed as a name, it is limited to 64 characters which is not that useful for
an SQL injection, but still.
The new query as you wrote it returns the typname (was cast to regtype before)
This is not schema qualified, and will fail when importing tables with columns
from a type not in search_path.
The regression tests don't pass: a user name is hard-coded in the result of
DROP USER MAPPING. Should we expect the tests to be run as postgres ?
>
>
> I looked the the API and ist documentation, and while I saw no problem with
> the API,
> I think that the documentation still needs some attention:
>
> It mentions a "local_schema", which doesn't exist (any more?).
> It should be mentioned that the CreateForeignTableStmt's
> base.relation->schemaname should be set to NULL.
> Also, it would be nice to find a few words for "options",
> maybe explaining a potential application.
>
> Yours,
> Laurenz Albe
--
Ronan Dunklau
http://dalibo.com - http://dalibo.org
