Home > mailing lists

Re: Including PL/PgSQL by default - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: Including PL/PgSQL by default
Date	February 21, 2008 04:40:17
Msg-id	3057.1203572403@sss.pgh.pa.us Whole thread Raw
In response to	Re: Including PL/PgSQL by default ("Greg Sabino Mullane" <greg@turnstep.com>)
Responses	Re: Including PL/PgSQL by default ("Greg Sabino Mullane" <greg@turnstep.com>)
List	pgsql-hackers

Tree view

"Greg Sabino Mullane" <greg@turnstep.com> writes:
> I'm not sure I understand the security implications of turning plpgsql on:
> has there been some security concerns in the past? Does having access
> to plpgsql really faciliate an attacker that much above what they might
> already be capable of without it? It seems quite trivial to write a
> function in sql that ties up resources just as effectively as plpgsql.

I grow weary of repeating this: it's not about resource consumption, nor
about potential security holes in plpgsql itself.  It's about handing
attackers the capability to further exploit *other* security holes.
        regards, tom lane

pgsql-hackers by date:

From: ITAGAKI Takahiro
Date: 21 February 2008, 03:35:04
Subject: Re: ANALYZE to be ignored by VACUUM

From: Tom Lane
Date: 21 February 2008, 05:08:41
Subject: VARATT_EXTERNAL_GET_POINTER is not quite there yet

Re: Including PL/PgSQL by default - Mailing list pgsql-hackers

Previous

Next