Le 03/10/2016 à 23:23, Gilles Darold a écrit : > Le 03/10/2016 à 23:03, Robert Haas a écrit : >> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gilles@darold.net> wrote: >>> 4) An other problem is that like this this patch will allow anyone to upload into a >>> column the content of any system file that can be read by postgres system user >>> and then allow non system user to read its content. >> I thought this was a client-side feature, so that it would let a >> client upload any file that the client can read, but not things that >> can only be read by the postgres system user. >> > Yes that's right, sorry for the noise, forget this fourth report. >
After some more though there is still a security issue here. For a PostgreSQL user who also have login acces to the server, it is possible to read any file that the postgres system user can read, especially a .pgpass or a recovery.conf containing password.
This patch doesn't introduce any new server side functionality, so if there is some vulnerability, then it is exists now too.
