On Wed, Jun 9, 2010 at 1:34 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Kris Jurka <books@ejurka.com> writes:
>> On Wed, 9 Jun 2010, Heikki Linnakangas wrote:
>>> Are you thinking we should retrict pg_get_expr() to superusers then?
>
>> That seems like it will cause problems for both pg_dump and drivers which
>> want to return metadata as pg_get_expr has been the recommended way of
>> fetching this information.
>
> Yes, it's not a trivial fix either. We'll have to provide functions or
> views that replace the current usages without letting the user insert
> untrusted strings.
Maybe I'm all wet here, but don't we need to come up with something we
can back-patch?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company