Re: FW: [VulnWatch] [AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined Functions

From Tom Lane
Subject Re: FW: [VulnWatch] [AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined Functions
Date
Msg-id 16136.1123599536@sss.pgh.pa.us
In response to FW: [VulnWatch] [AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined Functions  ("Magnus Hagander" <mha@sollentuna.net>)
List pgsql-hackers
"Magnus Hagander" <mha@sollentuna.net> writes:
> FYI, issue (1) applies to postgresql as well. It's fixed by
> http://archives.postgresql.org/pgsql-patches/2005-07/msg00529.php.

Note that the equivalent exploit in Postgres would require superuser
privilege (since it requires creating a C function).  It's a bit hard
to see it as a credible "security threat" since you already have the
keys to the kingdom if superuser.

I'm not totally certain about the security model in MySQL --- do they
have a distinction between trusted and untrusted function languages?
The document only talks about "insert privilege on mysql.func" which
sounds like a one-level design...
        regards, tom lane

