Gregory Stark <stark@enterprisedb.com> writes:
> "Tom Lane" <tgl@sss.pgh.pa.us> writes:
>> I made it reject all but latin letters, which is the same restriction
>> that's in place for timezone set filenames. That might be overly
>> strong, but we definitely have to forbid "." and "/" (and "\" on
>> Windows). Do we want to restrict it to letters, digits, underscore?
>> Or does it need to be weaker than that?
> What's the problem with "."?

../../../../etc/passwd

Possibly we could allow '.' as long as we forbade /, but the other
trouble with allowing . is that it encourages people to try to specify
the filetype suffix (as indeed Oleg was doing). I'd prefer to keep the
suffixes out of the SQL object definitions, with an eye to possibly
someday migrating all the configuration data inside the database.

There's a reasonable argument for restricting the names used for these
things in the SQL definitions to be valid SQL identifiers, so that that
will work nicely...

regards, tom lane
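
The check discussed in this message, as an added example that is not part of the original post and is not PostgreSQL's code: a letters-only name filter (with the looser letters/digits/underscore set as an option) and a path builder that appends the suffix itself. `CONFIG_DIR`, the function names, the `dict` suffix and the sample names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical base directory, chosen for this example only. */
#define CONFIG_DIR "/srv/example/share"

/* Accept ASCII letters only (plus digits and '_' when allow_extra is set).
 * Explicit ranges instead of isalpha() keep the check locale-independent.
 * '.', '/' and '\\' match no accepted range, so "../" and user-supplied
 * suffixes are both rejected. */
static int name_is_safe(const char *name, int allow_extra)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const char *p = name; *p; p++) {
        char c = *p;
        if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
            continue;
        if (allow_extra && ((c >= '0' && c <= '9') || c == '_'))
            continue;
        return 0;
    }
    return 1;
}

/* Build CONFIG_DIR/<name>.<ext>; the suffix comes from the server-side
 * caller, never from the user. Returns 0 on success, -1 on a rejected
 * name or a result that does not fit in out. */
static int build_config_path(const char *name, const char *ext,
                             int allow_extra, char *out, size_t outlen)
{
    if (!name_is_safe(name, allow_extra))
        return -1;
    int n = snprintf(out, outlen, "%s/%s.%s", CONFIG_DIR, name, ext);
    return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    /* Constructed inputs: traversal string, name with suffix, plain name. */
    const char *samples[] = { "../../../../etc/passwd", "english.dict", "english" };
    for (int i = 0; i < 3; i++) {
        if (build_config_path(samples[i], "dict", 0, path, sizeof path) == 0)
            printf("accepted %s -> %s\n", samples[i], path);
        else
            printf("rejected %s\n", samples[i]);
    }
    return 0;
}
```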