Re: Feature request: include script file into function body - Mailing list pgsql-bugs

From Bruce Momjian
Subject Re: Feature request: include script file into function body
Msg-id 201102011812.p11ICFx11142@momjian.us
In response to Re: Feature request: include script file into function body  (Steve White <swhite@aip.de>)
List pgsql-bugs

Steve White wrote:
> Hi Kevin,
>
> On  1.02.11, Kevin Grittner wrote:
> > [Please don't top-post.  Rearranged for clarity.]
> >
> As you like.
>
> > Steve White <swhite@aip.de> wrote:
> > > On  1.02.11, Tom Lane wrote:
> > >> Steve White <swhite@aip.de> writes:
> > >>> It would be really nice to have a way to load script (especially
> > >>> Python and Perl) from a separate file into a function body.
> > >>
> > >> This seems like a security hole, ie, you could use it to read any
> > >> file the backend has access to.
> >
> > > Isn't the \i command a similar security hole?
> >
> > That is run by a client program on a client machine.
>
> Sorry I don't understand this remark.
>
> Are you saying that \i is disabled to user postgres?
>         Just tried: it isn't.
> Are you saying that as a normal user I can use \i to load a file that I
> don't normally have access to?
>         Just tried: nope -- permission denied.
>
> What scenario do you have in mind?

\i is a psql client command, not something the backend runs.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + It's impossible for everything to be true. +
