Re: Including PL/PgSQL by default
From | Josh Berkus |
---|---|
Subject | Re: Including PL/PgSQL by default |
Date | |
Msg-id | 200802210954.15159.josh@agliodbs.com |
In response to | Re: Including PL/PgSQL by default ("Greg Sabino Mullane" <greg@turnstep.com>) |
List | pgsql-hackers |

Tom,

> > I grow weary of repeating this: it's not about resource consumption, nor
> > about potential security holes in plpgsql itself. It's about handing
> > attackers the capability to further exploit *other* security holes.
>
> Well, without specific examples, I'm not sure I understand what plpgsql
> buys you that you could not do other ways (e.g. generate_series() for
> looping).

I have to agree with Greg here: I don't see what significant new security issues PL/pgSQL opens up. Certainly including PL/perl or PL/sh would, but PL/pgSQL?

One of the reasons we advertise to use PostgreSQL is our ability to do sophisticated backend database things, which other OSDBs don't have. I agree that there should be some way to disable PL/pgSQL for "locked down" installations, but I think the majority of users want it to just be there.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco