Re: \gsetenv - Mailing list pgsql-hackers

From David Fetter
Subject Re: \gsetenv
Date
Msg-id 20201220233414.GG13234@fetter.org
Whole thread Raw
In response to Re: \gsetenv  (Heikki Linnakangas <hlinnaka@iki.fi>)
List pgsql-hackers
On Sun, Dec 20, 2020 at 10:42:40PM +0200, Heikki Linnakangas wrote:
> On 20/12/2020 21:05, David Fetter wrote:
> > We have plenty of ways to spawn shells and cause havoc, and we
> > wouldn't be able to block them all even if we decided to put a bunch
> > of pretty onerous restrictions on psql at this very late date. We have
> > \set, backticks, \!, and bunches of things less obvious that could,
> > even without a compromised server, cause real mischief.
> 
> There is a big difference between having to trust the server or not. Yeah,
> you could cause a lot of mischief if you let a user run arbitrary psql
> scripts on your behalf. But that's no excuse for opening up a whole another
> class of problems.

I'm skittish about putting exploits out in public in advance of
discussions about how to mitigate them, but I have constructed several
that do pretty bad things using only hostile content in a server and
the facilities `psql` already provides.

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate



pgsql-hackers by date:

Previous
From: Andres Freund
Date:
Subject: Re: [PATCH] Logical decoding of TRUNCATE
Next
From: Peter Geoghegan
Date:
Subject: Re: [PATCH] Logical decoding of TRUNCATE