Re: [patch] fix dblink security hole

Marko Kreen escribió:
> Currently dblink allows regular users to initiate libpq connection
> to user-provided connection string.  This breaks the default
> policy that normal users should not be allowed to freely interact
> with outside environment.

Since people is now working on implementing the SQL/MED stuff to manage
connections, should we bounce this patch?  With luck, the CREATE
CONNECTION (?) stuff will be done for the next commitfest and we can
just switch dblink to use that instead.

http://archives.postgresql.org/message-id/e51f66da0809050539x1b25ebb9t7fd664fd67b9f607@mail.gmail.com

Thoughts?  Can we really expect SQL/MED connection mgmt to be done for
the next fest?

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.