Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers)
| От | Tom Lane |
|---|---|
| Тема | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |
| Дата | |
| Msg-id | 20982.1339528406@sss.pgh.pa.us обсуждение |
| Ответ на | Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) (Robert Haas <robertmhaas@gmail.com>) |
| Ответы |
Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT
(was Re: Not quite a security hole: CREATE LANGUAGE for
non-superusers)
Re: Restrict ALTER FUNCTION CALLED ON NULL INPUT (was Re: Not quite a security hole: CREATE LANGUAGE for non-superusers) |
| Список | pgsql-hackers |
Robert Haas <robertmhaas@gmail.com> writes:
> On Tue, Jun 12, 2012 at 11:31 AM, Noah Misch <noah@leadboat.com> wrote:
>>> This seems bizarre and largely unnecessary. �As you stated to begin
>>> with, granting ownership of a function implies some degree of trust.
>> Yes, but I would never expect that level of trust to include access to crash
>> the server as a consequence of the function's reliance on STRICT.
> +1. Crashes are bad.
C functions, by definition, carry a risk of crashing the server.
I cannot fathom the reasoning why we should consider that granting
ownership of one to an untrustworthy user is ever a good idea, let alone
something we promise to protect you from any bad consequences of.
Even if I accepted that premise, this patch is a pretty bad
implementation of it, because it restricts cases that there is no
reason to think are unsafe.
A less bizarre and considerably more future-proof restriction, IMO,
would simply refuse any attempt to give ownership of a C function
to a non-superuser.
regards, tom lane
В списке pgsql-hackers по дате отправления: