Thread: lo_import does not check type before performing an import

lo_import does not check type before performing an import

From

pgsql-bugs@postgresql.org

Date:

21 April 2001, 00:08:39

Michael Richards (michael@fastmail.ca) reports a bug with a severity of 3
The lower the number the more severe it is.

Short Description
lo_import does not check type before performing an import

Long Description
lo_import within pgsql does not verify that it is reading from a file. You can import directories if you like and the
importeddata is a mess of ASCII. I didn't try it but I'm sure you could get into lots of trouble if you tried something
likelo_import('/dev/urandom') or some other device that you can read infinite amounts of data from. 

Sample Code
urdr=# insert into test values (lo_import('/home/miker/test'));
INSERT 6816303 1
urdr=# select * from test;
    t
---------
 6816289
(1 row)

> file /home/miker/test
/home/miker/test: directory


No file was uploaded with this report

Re: lo_import does not check type before performing an import

From

Tom Lane

Date:

21 April 2001, 01:53:33

pgsql-bugs@postgresql.org writes:
> lo_import within pgsql does not verify that it is reading from a file.

So we should prohibit reading from, eg, a named pipe?

Sorry, I don't agree.

            regards, tom lane