Re: Feature request: include script file into function body

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Steve White <swhite(at)aip(dot)de>
Cc: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: Feature request: include script file into function body
Date: 2011-02-01 18:12:15
Message-ID: 201102011812.p11ICFx11142@momjian.us
Lists: pgsql-bugs

Steve White wrote:
> Hi Kevin,
>
> On 1.02.11, Kevin Grittner wrote:
> > [Please don't top-post. Rearranged for clarity.]
> >
> As you like.
>
> > Steve White <swhite(at)aip(dot)de> wrote:
> > > On 1.02.11, Tom Lane wrote:
> > >> Steve White <swhite(at)aip(dot)de> writes:
> > >>> It would be really nice to have a way to load script (especially
> > >>> Python and Perl) from a separate file into a function body.
> > >>
> > >> This seems like a security hole, ie, you could use it to read any
> > >> file the backend has access to.
> >
> > > Isn't the \i command a similar security hole?
> >
> > That is run by a client program on a client machine.
>
> Sorry I don't understand this remark.
>
> Are you saying that \i is disabled to user postgres?
> Just tried: it isn't.
> Are you saying that as a normal user I can use \i to load a file that I
> don't normally have access to?
> Just tried: nope -- permission denied.
>
> What scenario do you have in mind?

\i is a psql client command, not something the backend runs.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +
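
The client/backend distinction drawn in this message, as an added example that is not part of the original thread or of PostgreSQL: a shell function that reads a script file on the client, with the invoking user's own file permissions as `\i` does, and emits a `CREATE FUNCTION` statement to send to the server. The name `make_function_sql`, the `plpython3u` language and the `text` return type are assumptions chosen for illustration.

```shell
# Added example: build CREATE FUNCTION SQL on the client from a local file.
# Assumptions: plpython3u and "RETURNS text" are illustrative choices.
# The file is opened by this shell; the backend only ever sees SQL text.
make_function_sql() {
    fn_name=$1
    src_file=$2

    # The read happens here, as the invoking OS user. A file this user
    # cannot read fails on the client, as \i does with "permission denied".
    if [ ! -r "$src_file" ]; then
        echo "cannot read $src_file as client user" >&2
        return 1
    fi

    # Accept only a plain identifier so the name cannot carry extra SQL.
    case $fn_name in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
            echo "invalid function name" >&2
            return 1 ;;
    esac

    # Pick a dollar-quote tag that does not occur in the file, so the
    # file content cannot close the quoted body early.
    tag=body
    n=0
    while grep -qF "\$$tag\$" "$src_file"; do
        n=$((n + 1))
        tag=body$n
    done

    printf 'CREATE OR REPLACE FUNCTION %s() RETURNS text AS $%s$\n' "$fn_name" "$tag"
    cat "$src_file"
    printf '\n$%s$ LANGUAGE plpython3u;\n' "$tag"
}
```

The output can be piped to `psql`, so the server receives only the statement text and never a path to open.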
