Thread: Re: [QUESTIONS] LArge object functions in the backend

From: Peter T Mount

On 6 Feb 1998, Fedor Bezrukov wrote:
> Probably that's a silly question, but...
>
> There are functions 'lo_export'/'lo_import' embedded in the backend.
> They can be called from an SQL request like it is described in the
> User Manual.  But as they are executed from the server, not from the
> client, I get the resulting file (from lo_export) owned by the
> 'postgres' user and located on the server machine!  This is not at all
> what you need, and more, it is a security hole, using which you can
> peek at any data in the database and even destroy it.  Probably this
> is not the correct place for these functions (and it is even mentioned
> in the source :) ).  Probably these functions should be removed from
> the backend or at least restricted to use by the 'postgres' user only?

You do have a point here.

I think these functions are obsolete. Do we still need them? We have
examples on how to implement these properly from the client to server in
the source.

What does everyone else think?

--
Peter T Mount  petermount@earthling.net or pmount@maidast.demon.co.uk
Main Homepage: http://www.demon.co.uk/finder
Work Homepage: http://www.maidstone.gov.uk Work EMail: peter@maidstone.gov.uk
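
The restriction proposed in the quoted message (server-side `lo_import`/`lo_export` usable only by the superuser) can be checked and enforced with function privileges. This is an added example, not part of the original messages or the PostgreSQL source; it assumes a current PostgreSQL release where EXECUTE on these functions is grantable, not the 1998 code base under discussion.

```sql
-- Added example. Assumes a current PostgreSQL release with grantable
-- EXECUTE privileges on functions; run as a superuser.

-- 1. Audit: list every non-superuser role that can call the server-side
--    large object file functions. These run inside the backend, so any
--    file they read or write is accessed as the server's OS account.
SELECT r.rolname,
       p.oid::regprocedure AS server_side_function
FROM   pg_proc  AS p
CROSS  JOIN pg_roles AS r
WHERE  p.pronamespace = 'pg_catalog'::regnamespace
  AND  p.proname IN ('lo_import', 'lo_export')
  AND  NOT r.rolsuper
  AND  has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER  BY r.rolname, server_side_function;

-- 2. Enforce: make sure nothing is granted through PUBLIC.
REVOKE EXECUTE ON FUNCTION pg_catalog.lo_export(oid, text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION pg_catalog.lo_import(text)      FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION pg_catalog.lo_import(text, oid) FROM PUBLIC;

-- 3. Re-run the audit query. Any role still listed holds a direct grant
--    or inherits one through role membership; review each and revoke
--    with: REVOKE EXECUTE ON FUNCTION ... FROM <role>;
--    (<role> is a placeholder, not a name from this thread.)
```

Ordinary users can still move large objects to and from files on their own machine with the client-side routes, such as libpq's `lo_import`/`lo_export` or psql's `\lo_import` and `\lo_export`, which read and write files as the client user.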