Tom Lane <tgl@sss.pgh.pa.us> writes:
> What worries me is not so much this particular hole, which is easily
> plugged now that we know about it, as that it suggests that Python's
> idea of a restricted environment is considerably less restricted than
> we would like. Perhaps there are other facilities that need to be
> turned off as well?
Could be. FWIW, Zope (www.zope.org) allows for Python scripts, created
and managed through the web, that run in a "sandbox" with many of the
same restrictions as PG puts on untrusted languages--they actually
disallow regex matching so you can't hang the webserver thread with a
regex that backtracks forever. Might be worthwhile for the plpython
folks to take a look at Zope.
> The alternative we could consider is to mark plpython as untrusted for
> 7.2, until someone has time for a more complete review of possible
> security problems.
This sounds like a good idea to me.
-Doug
--
Let us cross over the river, and rest under the shade of the trees. --T. J. Jackson, 1863
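The Zope approach Doug mentions, refusing regex matching outright so that one runaway pattern cannot hang a thread, is one answer to catastrophic backtracking; another is to bound the work a single match is allowed to do. The following is an added example for this page, not code from Zope, PostgreSQL or the plpython authors: a toy backtracking matcher for a small regex subset (literals, `.`, groups, `*`, `+`, `?`) that counts every step it takes and aborts once a caller-supplied budget is exhausted. The step budget, patterns and inputs are constructed for illustration; a real engine would expose the same idea as a match timeout or a step limit.

```python
"""Bounded-backtracking regex matcher (constructed illustration, not a real engine).

Supports literal characters, '.', groups '( )' and the quantifiers '*', '+', '?'.
Every matching step is counted; exceeding the budget raises instead of spinning,
which is the control a sandbox needs if it allows regex matching at all.
"""


class StepBudgetExceeded(Exception):
    """Raised when a match attempt does more work than the caller allowed."""


def parse(pattern):
    """Parse a pattern into a list of (atom, quantifier) items.

    atom is ('char', c), ('any', None) or ('group', items);
    quantifier is None, '*', '+' or '?'. No escapes or alternation.
    """
    items, pos = _parse_seq(pattern, 0)
    if pos != len(pattern):
        raise ValueError("unbalanced ')' at offset %d" % pos)
    return items


def _parse_seq(pattern, pos):
    items = []
    while pos < len(pattern) and pattern[pos] != ')':
        ch = pattern[pos]
        if ch == '(':
            inner, pos = _parse_seq(pattern, pos + 1)
            if pos >= len(pattern) or pattern[pos] != ')':
                raise ValueError("missing ')'")
            atom, pos = ('group', inner), pos + 1
        elif ch == '.':
            atom, pos = ('any', None), pos + 1
        elif ch in '*+?':
            raise ValueError("nothing to repeat at offset %d" % pos)
        else:
            atom, pos = ('char', ch), pos + 1
        quant = None
        if pos < len(pattern) and pattern[pos] in '*+?':
            quant, pos = pattern[pos], pos + 1
        items.append((atom, quant))
    return items, pos


class BoundedMatcher:
    """Backtracking matcher in continuation-passing style with a step budget."""

    def __init__(self, pattern, budget):
        self.items = parse(pattern)
        self.budget = budget
        self.steps = 0
        self.text = ""

    def fullmatch(self, text):
        """True if the whole text matches; StepBudgetExceeded if the budget runs out."""
        self.steps = 0
        self.text = text
        return self._seq(self.items, 0, 0, lambda p: p == len(text))

    def _tick(self):
        self.steps += 1
        if self.steps > self.budget:
            raise StepBudgetExceeded("gave up after %d steps" % self.steps)

    def _seq(self, items, idx, pos, k):
        self._tick()
        if idx == len(items):
            return k(pos)
        atom, quant = items[idx]

        def rest(p):  # continue with the next item of this sequence
            return self._seq(items, idx + 1, p, k)

        if quant is None:
            return self._atom(atom, pos, rest)
        if quant == '?':
            return self._atom(atom, pos, rest) or rest(pos)

        def more(p):  # greedy: one more repetition (must consume input), else move on
            return self._atom(atom, p, lambda q: q > p and more(q)) or rest(p)

        if quant == '+':
            return self._atom(atom, pos, more)
        return more(pos)  # '*'

    def _atom(self, atom, pos, k):
        self._tick()
        kind, val = atom
        if kind == 'group':
            return self._seq(val, 0, pos, k)
        if pos >= len(self.text):
            return False
        if kind == 'any' or self.text[pos] == val:
            return k(pos + 1)
        return False


def check_pattern(pattern, text, budget=20_000):
    """Return ('match' | 'nomatch' | 'budget', steps_used) for one attempt."""
    m = BoundedMatcher(pattern, budget)
    try:
        ok = m.fullmatch(text)
    except StepBudgetExceeded:
        return ('budget', m.steps)
    return ('match' if ok else 'nomatch', m.steps)


if __name__ == "__main__":
    # Constructed inputs: a linear pattern versus the classic nested-quantifier one.
    print(check_pattern("a+b", "a" * 30 + "c"))      # nomatch after a linear number of steps
    print(check_pattern("(a+)+", "a" * 5 + "b"))     # nomatch, still cheap
    print(check_pattern("(a+)+", "a" * 18 + "b"))    # budget exhausted instead of a hung thread
```

The point of the budget is that the caller, not the pattern author, decides how much CPU a match may burn: the nested-quantifier case above is abandoned after the allowed number of steps, while the linear pattern finishes with room to spare.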