
Re: eval function

On 07/28/2011 06:28 PM, Chris Travers wrote:

> On Thu, Jul 28, 2011 at 8:08 AM, David Johnston <polobo@xxxxxxxxx> wrote:
>
>> At best, based upon the example using "current_timestamp()", you could only
>> mark it as being stable, right?
>>
>> Also not mentioned; what risk is there of this function being hacked? It
>> places the supplied data within a "SELECT (....) AS column_alias" structure
>> so it seems to be pretty safe, but can you devise a string that would, say,
>> delete data or something similar? I would expect the following: '1); DELETE
>> FROM table; SELECT (2' to be dangerous. What functions would you use to
>> make the input string safe? Does "quote_literal()" plug this hole?
>
> I don't think the hole can be plugged. The point of the function is
> to execute arbitrary SQL code. That means doing SQL injection
> purposely in the function. I don't think there is a way around it
> because SQL injection is specifically what is desired.
>
> Best Wishes,
> Chris Travers
On one hand the hole can't be plugged because as you mentioned that is the point of the function. On the other hand, if the function is not being run as security definer, the account running it would need to have the rights to do whatever he is injecting. If "1); delete..." would work, then the user could just as easily do Delete... without using the function.

The only problem that I see (correct me if I'm wrong) is anonymous injection through a user that has rights that we wouldn't want the actual user to have, which is not recommended in any case.

Sim


--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
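As an added illustration of the points made in this thread (not code from any of the posts), below is a reconstruction of an eval-style function of the kind being discussed, with the privilege settings under which Sim's argument holds: SECURITY INVOKER so the caller's own rights apply, and EXECUTE revoked from PUBLIC. The function body, the role name `analyst_role` and the sample expressions are assumptions.

```sql
-- Added example, not from the thread: a reconstruction of an eval-style
-- function. It wraps the caller's text in "SELECT (...) AS column_alias",
-- so by design it runs arbitrary SQL; that is what the function is for.
CREATE OR REPLACE FUNCTION eval(expression text) RETURNS text
LANGUAGE plpgsql
SECURITY INVOKER   -- the default: the dynamic SQL runs with the CALLER's rights
VOLATILE           -- the expression may have side effects, so not STABLE/IMMUTABLE
AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT (' || expression || ') AS column_alias' INTO result;
    RETURN result;
END;
$$;

-- Sim's point: under SECURITY INVOKER, anything a caller can do through
-- eval() they could already do directly, so the function grants no extra
-- privilege. The risky configuration is SECURITY DEFINER on a function
-- owned by a privileged role, because then every caller acts with the
-- owner's rights; avoid that for a function that executes caller input.

-- New functions are executable by PUBLIC by default; restrict who may call it.
REVOKE EXECUTE ON FUNCTION eval(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION eval(text) TO analyst_role;   -- assumed role name

-- quote_literal() does not "plug the hole": it turns the entire input into
-- a string literal, so the function would just hand the text back unchanged.
SELECT eval(quote_literal('1 + 1'));   -- returns the text '1 + 1'
SELECT eval('1 + 1');                  -- returns '2'
```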

