Re: Limiting the operations that client-side code can perform upon its database backend's artifacts
| От | Julien Rouhaud |
|---|---|
| Тема | Re: Limiting the operations that client-side code can perform upon its database backend's artifacts |
| Дата | |
| Msg-id | 20220927065858.ibrmzrrbefjq5o4l@jrouhaud обсуждение исходный текст |
| Ответ на | Limiting the operations that client-side code can perform upon its database backend's artifacts (Bryn Llewellyn <bryn@yugabyte.com>) |
| Ответы |
Re: Limiting the operations that client-side code can perform upon its database backend's artifacts
Re: Limiting the operations that client-side code can perform upon its database backend's artifacts |
| Список | pgsql-general |
On Mon, Sep 26, 2022 at 11:18:34AM -0700, Bryn Llewellyn wrote: > > My demo seems to show that when a program connects as "client", it can > perform exactly and only the database operations that the database design > specified. > > Am I missing something? In other words, can anybody show me a vulnerability? What exactly prevents the client role from inserting e.g. - 'robert''); drop table students; --' - millions of 'cat' rows - millions of 1GB-large rows or just keep sending massive invalid query texts to fill the logs, or just trying to connect until there's no available connection slots anymore, and then keep spamming the server thousands of time per second to try to open new connections, or ...?
В списке pgsql-general по дате отправления: