Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
> On Fri, Jan 10, 2020 at 1:21 AM Robert Haas <robertmhaas@gmail.com> wrote:
>> I share the concern about the security issue here. I can't testify to
>> whether Christoph's whole analysis is here, but as a general point,
>> non-superusers can't be allowed to do things that cause the server to
>> access arbitrary local files.
> It's probably fairly easy to do (c.f. 6136e94dcb). I'm not (yet)
> convinced that there is any significant security threat here. This
> doesn't give the user or indeed any postgres code any access to the
> contents of these files. But if there is a consensus to restrict this
> I'll do it.
Well, even without access to the file contents, the mere ability to
probe the existence of a file is something we don't want unprivileged
users to have. And (I suppose) this is enough for that, by looking
at what error you get back from trying it.
regards, tom lane