Re: eval function - Mailing list pgsql-general

From Merlin Moncure
Subject Re: eval function
Date
Msg-id CAHyXU0wOUm=XxWtpocumJMF4gHKjk0kru4JW07cDUTFKoYqTJA@mail.gmail.com
Whole thread Raw
In response to Re: eval function  ("David Johnston" <polobo@yahoo.com>)
Responses Re: eval function
List pgsql-general
On Thu, Jul 28, 2011 at 10:08 AM, David Johnston <polobo@yahoo.com> wrote:
>
> Merlin Moncure <mmoncure@gmail.com> writes:
>> Couple points:
>> *) why a special case for boolean values?
>
> That seemed weird to me too ...
>
>> *) this should be immutable
>
> What if the passed expression is volatile?  Better to be safe.
>
> ---------------------------------
>
> At best, based upon the example using "current_timestamp()", you could only
> mark it as being stable, right?
>
> Also not mentioned; what risk is there of this function being hacked?  It
> places the supplied data within a "SELECT  (....) AS column_alias" structure
> so it seems to be pretty safe but can you devise a string that would, say,
> delete data or something similar.  I would expect the following: '1); DELETE
> FROM table; SELECT (2' to be dangerous.  What functions would you use to
> make the input string safe?  Does "quote_literal()" plug this hole?

This function is an absolute no-go if the string literal is coming
from untrusted source, and any robust defenses would ruin the intended
effect of the function.  There are a number of nasty ways you can (at
minimum) DOS your database by allowing arbitrary sql.  For example,
using generate_series() and advisory_locks you can exhaust lock space.

merlin

pgsql-general by date:

Previous
From: "David Johnston"
Date:
Subject: Re: eval function
Next
From: Chris Travers
Date:
Subject: Re: eval function