Re: Feature request: include script file into function body
From | Steve White |
---|---|
Subject | Re: Feature request: include script file into function body |
Date | |
Msg-id | 20110201173131.GA6707@cashmere.aip.de |
In reply to | Re: Feature request: include script file into function body (Pavel Stehule <pavel.stehule@gmail.com>) |
List | pgsql-bugs |
Hi Pavel,

On 1.02.11, Pavel Stehule wrote:
> Hello
>
> 2011/2/1 Steve White <swhite@aip.de>:
> > Hi Tom,
> >
> > This seems like a detail that is beside the point I'm making.
> > But security is important, so let's think about it.
> >
> > PostgreSQL has an \i command, which loads the text from any readable file
> > interprets and executes it as further PostgreSQL commands. I'm proposing
> > a similar mechanism that would load a file containing script language, and
> > process it as though it were in the current function body.
> >
> > Isn't the \i command a similar security hole?
>
> if you ran psql under "postgres" account, then it is.
>
> I don't think, so your idea is good too. What about caching? Code of
> stored procedures stays in session cache. Who will ensure, so your
> cache is fresh?
>
Another good point that is beside the point I was making.
But OK we can discuss that too.

I would think, it should work exactly as if the text had been textually
included, the first time the function is compiled, exactly as the inline
text is handled now.

> Why you need a direct link to source files?
>
There are several reasons, a couple of which are mentioned in the
discussion in the pgsql-general list.
http://archives.postgresql.org/pgsql-general/2011-01/msg00870.php

Cheers!

> Regards
>
> Pavel Stehule
>
> >
> > If somehow loading script text for a function is substantially different
> > from loading it by \i, and if there is some problem, it seems to me that
> > some simple restriction could solve it, such as restricting the directories
> > from which such files can be read. But I'm just guessing here.
> >
> > I'll leave it to the security experts explicitly by amending my original
> > proposal with this:
> >
> > " -- without doing anything stupid that would open a security hole."
> >
> > Cheers again!
> >
> >
> > On 1.02.11, Tom Lane wrote:
> >> Steve White <swhite@aip.de> writes:
> >> > It would be really nice to have a way to load script (especially Python
> >> > and Perl) from a separate file into a function body.
> >>
> >> This seems like a security hole, ie, you could use it to read any file
> >> the backend has access to.
> >>
> >> regards, tom lane
> >>
> >
> > --
> > | - - - - - - - - - - - - - - - - - - - - - - - - -
> > | Steve White +49(331)7499-202
> > | E-Science Zi. 27 Villa Turbulenz
> > | - - - - - - - - - - - - - - - - - - - - - - - - -
> > | Astrophysikalisches Institut Potsdam (AIP)
> > | An der Sternwarte 16, D-14482 Potsdam
> > |
> > | Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
> > |
> > | Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
> > | - - - - - - - - - - - - - - - - - - - - - - - - -
> >
> > --
> > Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
> > To make changes to your subscription:
> > http://www.postgresql.org/mailpref/pgsql-bugs
> >
>

--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| E-Science Zi. 27 Villa Turbulenz
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -
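
The restriction floated in the quoted text ("restricting the directories from which such files can be read"), sketched as an added example that is not part of the thread and not PostgreSQL code. The names `resolve_script_path` and `load_function_body` and the sample directory tree are hypothetical and constructed here, and a POSIX filesystem is assumed.

```python
import os
import tempfile


class PathNotAllowed(Exception):
    """The requested script file resolves outside the allowed directory."""


def resolve_script_path(allowed_dir, requested):
    """Return the canonical path of `requested` if it lies inside `allowed_dir`."""
    base = os.path.realpath(allowed_dir)
    # Relative names are interpreted against the allowed directory. An absolute
    # `requested` replaces the base in join() and is caught by the check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() has collapsed ".." and followed symlinks, so comparing path
    # components is meaningful; a raw string-prefix test would not be.
    if os.path.commonpath([base, candidate]) != base:
        raise PathNotAllowed(requested)
    if not os.path.isfile(candidate):
        raise PathNotAllowed(requested)
    return candidate


def load_function_body(allowed_dir, requested):
    """Read the script text only after the containment check has passed."""
    # Note: check and open are two steps, so the allowed directory must not be
    # writable by the users who choose `requested`.
    with open(resolve_script_path(allowed_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Run constructed requests against a constructed tree; return the outcomes."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "scripts")
        os.mkdir(allowed)
        secret = os.path.join(root, "secret.txt")  # outside the allowed directory
        with open(secret, "w") as fh:
            fh.write("not for function bodies")
        with open(os.path.join(allowed, "ok.py"), "w") as fh:
            fh.write("return 1")
        os.symlink(secret, os.path.join(allowed, "link.py"))  # escapes via symlink
        for name in ("ok.py", "../secret.txt", secret, "link.py"):
            label = "<absolute>" if name == secret else name
            try:
                load_function_body(allowed, name)
                outcomes[label] = "allowed"
            except PathNotAllowed:
                outcomes[label] = "rejected"
    return outcomes
```
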