Re: [HACKERS] Regarding GSoc Application - Mailing list pgsql-jdbc

From John R Pierce
Subject Re: [HACKERS] Regarding GSoc Application
Date
Msg-id 4F85183F.6070806@hogranch.com
In response to Re: [HACKERS] Regarding GSoc Application  ("Atri Sharma" <atri.jiit@gmail.com>)
Responses Re: [HACKERS] Regarding GSoc Application
List pgsql-jdbc
On 04/10/12 9:36 PM, Atri Sharma wrote:
> Hi John,
>
> Yes, I agree, that can be done, but we had an extensive discussion on it
> yesterday and Andrew and Tom believe that would pose serious security issues
> as any malicious user can change the arguments sent to the SQL and cause
> problems.
>

I'm not sure what "change the arguments sent to SQL" means. A
malicious user with sufficient privileges can do all sorts of damage,
and there's not much you can do about it short of not letting
malicious users have privileges.

Your foreign data wrapper code should probably require that the user who
creates a FDW connection to an external database have adequate
permissions. The foreign database server already has its own
authentication hoops that this FDW user will have to provide.




--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast

