Re: Fast-Path documentation
| От | Tom Lane |
|---|---|
| Тема | Re: Fast-Path documentation |
| Дата | |
| Msg-id | 25947.1046992767@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Fast-Path documentation (Peter Eisentraut <peter_e@gmx.net>) |
| Список | pgsql-docs |
Peter Eisentraut <peter_e@gmx.net> writes: > The libpq documentation contains this: > """ > <productname>PostgreSQL</productname> provides a fast-path interface to > send function calls to the backend. This is a trapdoor into system > internals and can be a potential security hole. Most users will not need > this feature. > """ > Why and under what circumstances is this a security hole, and what is a > user to do about it? The security problem is that the frontend feeds raw internal-format data to the backend. While this is relatively harmless for datatypes with no internal structure, it'd be pretty easy to crash the backend by feeding in a misconstructed polygon, for example. There was some discussion of this in pgsql-interfaces awhile back, see http://archives.postgresql.org/pgsql-interfaces/2003-01/msg00000.php There are a bunch of other problems with the fast-path protocol; see comments in src/backend/tcop/fastpath.c. I consider redesigning it to be one of the "must do" topics for the long-threatened protocol revision. regards, tom lane
В списке pgsql-docs по дате отправления: