Re: Security hole in PL/pgSQL - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Security hole in PL/pgSQL
Date
Msg-id 24638.980783821@sss.pgh.pa.us
In response to Security hole in PL/pgSQL  (Jan Wieck <janwieck@Yahoo.com>)
Responses Re: Security hole in PL/pgSQL
List pgsql-hackers
Jan Wieck <janwieck@Yahoo.com> writes:
> the new EXECUTE command in PL/pgSQL is a security hole.
> PL/pgSQL is a trusted procedural language, meaning that
> regular users can write code in it. With the new EXECUTE
> command, someone could read and write arbitrary files under
> the postgres UNIX-userid using the COPY command.

Huh?  This would only be true if all operations inside plpgsql are
executed as superuser, which they are not.  Seems to me the existing
defense against non-superuser using COPY is sufficient.
        regards, tom lane
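
Added example, not part of the original message and not PostgreSQL project code: a check, on a current PostgreSQL release, that a COPY to a server file issued through PL/pgSQL's EXECUTE is tested against the calling role's privileges. The role name, function name and file path are assumptions; the audit query at the end goes beyond the message and lists SECURITY DEFINER functions owned by superusers, the one case where function code runs with superuser rights.

```sql
-- Constructed example: run as a superuser in a scratch database.
-- plpgsql_demo_user, demo_copy_via_execute and the /tmp path are assumed names.
CREATE ROLE plpgsql_demo_user NOLOGIN;

-- Builds a COPY ... TO '<file>' statement and runs it through EXECUTE.
-- The function is SECURITY INVOKER (the default), so the COPY is checked
-- against the privileges of the role that calls it.
CREATE FUNCTION demo_copy_via_execute(path text) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
    EXECUTE format('COPY (SELECT 1) TO %L', path);
    RETURN 'COPY succeeded';
EXCEPTION
    WHEN insufficient_privilege THEN
        -- Report the server's refusal instead of aborting the script.
        RETURN 'COPY denied: ' || SQLERRM;
END;
$$;

-- Call it as the unprivileged role, then switch back.
SET ROLE plpgsql_demo_user;
SELECT demo_copy_via_execute('/tmp/plpgsql_copy_demo.out');
RESET ROLE;

-- Audit: functions that run with a superuser's rights regardless of caller.
SELECT p.oid::regprocedure AS func, r.rolname AS owner
FROM pg_proc p
JOIN pg_roles r ON r.oid = p.proowner
WHERE p.prosecdef AND r.rolsuper
ORDER BY r.rolname, p.proname;

-- Clean up.
DROP FUNCTION demo_copy_via_execute(text);
DROP ROLE plpgsql_demo_user;
```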

