Re: Feature request: include script file into function body - Mailing list pgsql-bugs

From Gary Doades
Subject Re: Feature request: include script file into function body
Date
Msg-id 4D485718.6010402@gpdnet.co.uk
In response to Re: Feature request: include script file into function body  (Steve White <swhite@aip.de>)
List pgsql-bugs
On 01/02/2011 6:50 PM, Steve White wrote:
> Hi again, all,
>
> OK I think I now know what the misunderstanding is.
>
>> [Please don't top-post.  Rearranged for clarity.]
>>
>> Steve White<swhite@aip.de>  wrote:
>>> On  1.02.11, Tom Lane wrote:
>>>> Steve White<swhite@aip.de>  writes:
>>>>> It would be really nice to have a way to load script (especially
>>>>> Python and Perl) from a separate file into a function body.
>>>> This seems like a security hole, ie, you could use it to read any
>>>> file the backend has access to.
>>
>>> Isn't the \i command a similar security hole?
>>
>> That is run by a client program on a client machine.  If that is
>> what you had in mind, a modification to the CREATE FUNCTION syntax
>> is probably not the way to go.  Just to throw a hypothetical out
>> there, were you looking to effectively do a \i inside the string
>> literal which is the function body, picking up a *client-side* file?
>>
>> That has its own problems, of course, but I'm just trying to get us
>> onto the same page.
>>
>> -Kevin
>>
> I guess the "FROM filename" syntax wasn't a great choice, as it suggests
> something completely different from what I was otherwise describing.
> (In my own defense: I repeatedly qualified the syntax as a suggestion.)
>
> I *DO NOT MEAN* that a query should run about grabbing files off the
> server, or wherever.
>
> I meant something like the replacement that happens with the \i command
> in loading SQL, and under similar circumstances, except that somehow
> non-SQL code is loaded in a function body.
But functions *run* on the server, in the postgres server backend, so it
would have to grab files from the server, which is where the security
issue comes in.

The \i command *runs* on the client under your own account and reads
text into the *client*, not the server. The two things are completely
different and run in completely different places.

Cheers,
Gary.
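The client-side variant that Kevin's hypothetical and Steve's reply circle around, as an added example that is not part of this thread: read the script file on the client, under the client's own account (as psql's \i does), and send the server only a finished CREATE FUNCTION statement with a dollar-quoted body, so the backend never opens a file and no new privilege is granted to database users. The helper names, the PL/Python sample body and the temporary file are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def dollar_quote(body: str) -> str:
    """Wrap body in a dollar-quoted literal whose tag does not occur in it.

    Starts with $$ and moves to $body1$, $body2$, ... until the delimiter is
    absent from the body, so an included file cannot terminate the literal
    early and smuggle extra SQL into the statement.
    """
    tag, n = "", 0
    while f"${tag}$" in body:
        n += 1
        tag = f"body{n}"
    return f"${tag}${body}${tag}$"


def include_function(name: str, signature: str, returns: str,
                     language: str, path: Path) -> str:
    """Build CREATE FUNCTION with the body loaded from a client-side file.

    The file read happens here, on the client; the server only sees the
    resulting SQL text. name and language are checked as plain identifiers;
    signature and returns are trusted caller input (not user data).
    """
    if not IDENT.fullmatch(name) or not IDENT.fullmatch(language):
        raise ValueError("function name and language must be identifiers")
    body = path.read_text(encoding="utf-8")
    return (f"CREATE OR REPLACE FUNCTION {name}({signature}) RETURNS {returns}\n"
            f"AS {dollar_quote(body)}\nLANGUAGE {language};")


def demo() -> str:
    """Constructed sample: a PL/Python body written to a temp file on the client."""
    sample = "# constructed sample body\nreturn a + b\n"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "add.py"
        path.write_text(sample, encoding="utf-8")
        return include_function("add", "a int, b int", "int",
                                "plpython3u", path)


if __name__ == "__main__":
    print(demo())  # the statement a client would then hand to the server
```

The returned statement can be passed to any client driver or piped into psql; nothing in it asks the server to touch the filesystem.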
