Le 03/10/2016 à 23:23, Gilles Darold a écrit : > Le 03/10/2016 à 23:03, Robert Haas a écrit : >> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gilles@darold.net> wrote: >>> 4) An other problem is that like this this patch will allow anyone to upload into a >>> column the content of any system file that can be read by postgres system user >>> and then allow non system user to read its content. >> I thought this was a client-side feature, so that it would let a >> client upload any file that the client can read, but not things that >> can only be read by the postgres system user. >> > Yes that's right, sorry for the noise, forget this fourth report. >
After some more though there is still a security issue here. For a PostgreSQL user who also have login acces to the server, it is possible to read any file that the postgres system user can read, especially a .pgpass or a recovery.conf containing password.
This patch doesn't introduce any new server side functionality, so if there is some vulnerability, then it is exists now too.
It doesn't exists, that was my system user which have extended privilege. You can definitively forget the fouth point.