But again: There is a library mentioned and documented in the famous PostgreSQL book from Douglas & Douglas called pgcurl (http://gborg.postgresql.org/project/pgcurl/ ). Where's this gone?
On Wed, May 20, 2009 at 6:34 AM, Stefan Keller <sfkeller@gmail.com> wrote:
> Questions: Don't see, why this would be a security issue: How could such a
> function do any harm? large files?
No, large files aren't the problem. The problem is that the PostgreSQL server process may have rights to access things that the user doesn't. For a simple case, imagine that PostgreSQL is behind a firewall and the user is in front of the firewall, but there's a port open to permit access to PostgreSQL. Now imagine that there is a web server behind the firewall. The firewall blocks the user from accessing the web server directly, but the user can ask PostgreSQL to download the URLs for him. In that way, the user can bypass the firewall. (Consider for example Andrew Chernow's company, which has clients connecting to their database server from all over the Internet...)
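An added example, not code from this thread or from pgcurl, of the kind of check a server-side fetch function could apply before downloading anything on a client's behalf: it refuses URLs whose host would lead the database process to an address the firewall is there to protect. The function and resolver names are hypothetical, and the resolver is injectable so the check can be exercised offline with constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the name maps to, IPv4 and IPv6."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def fetch_target_is_allowed(url, resolver=resolve_all, allowed_hosts=None):
    """Decide whether a server-side fetch of `url` may proceed.

    Returns (allowed, reason).  Rejects anything that is not http(s), any
    host outside the optional allowlist, and any host that maps to a
    loopback, private, link-local or otherwise non-global address: those
    are exactly the hosts the firewall keeps the client from reaching.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not permitted: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allowlist: %s" % host
    try:
        # An IP literal needs no lookup; a name is resolved to all its addresses.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, "resolution failed for %s: %s" % (host, exc)
    # Every address must be globally routable: a name that maps to one public
    # and one internal address is still a path through the firewall.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, "%s maps to non-global address %s" % (host, ip)
    return True, "ok"
```

The check should run at the moment of the fetch, against the addresses actually used for the connection, since a name can be re-resolved to something different later.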