On 2013-01-25 15:40:46 -0500, Tom Lane wrote:
> Andres Freund <andres@2ndquadrant.com> writes:
> > quite possibly doesn't work if copied from here but for quicker viewing:
>
> > CREATE OR REPLACE FUNCTION "foo():
> > pass
>
> > import os
> > os._exit(1)
> > def "() RETURNS void LANGUAGE plpythonu AS $$pass$$;
>
> > Yep:
> > LOG: server process (PID 29317) exited with exit code 1
>
> Ooops. Good thing plpython is already superuser-only, or this would be
> a security problem. So should we stop including the SQL function name
> in the python name?
I don't think it's worth it and having something recognizable in there
is useful in (python) backtraces.
I am pretty sure I could do the same in the function source with some
trickery even without the function being executed just because python
also executes stuff during parsing, so I don't think it would buy
enough.
We probably should care about it if there were a trusted plpython (so
you couldn't cause an incomplete function being called or whatever) but
I don't see that happening anytime soon.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
