On 11/16/2012 03:35 AM, Tom Lane wrote:
> The biggest problem this patch has had from the very beginning is
> overdesign, and this is more of the same. Let's please just define the
> feature as "popen, not fopen, the given string" and have done. You can
> put all the warning verbiage you want in the documentation. (But note
> that the server-side version would be superuser-only in any flavor of
> the feature.)
I concede that as server-side COPY is superuser-only already it doesn't
offer the same potential for attack that it otherwise would. If
applications take unchecked file system paths from users and feed them
into a superuser command they already have security problems.
I'd still be much happier to have COPY ... FROM PROGRAM - or something -
to clearly make the two different, for clarity as much as security.
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
