Re: WIP patch: add (PRE|POST)PROCESSOR options to COPY
| От | Craig Ringer |
|---|---|
| Тема | Re: WIP patch: add (PRE|POST)PROCESSOR options to COPY |
| Дата | |
| Msg-id | 50A44D12.1010508@2ndQuadrant.com обсуждение исходный текст |
| Ответ на | Re: WIP patch: add (PRE|POST)PROCESSOR options to COPY (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: WIP patch: add (PRE|POST)PROCESSOR options to COPY
|
| Список | pgsql-hackers |
On 11/15/2012 12:46 AM, Tom Lane wrote:
>
> Agreed, and there's also the question of passing switches etc to the
> program, so the string can't be a bare file name anyway. I proposed
> pipe symbols (|) in the string previously, but if you find that too
> Unix-centric I suppose we could do
>
> COPY TABLE FROM PROGRAM 'command line';
> COPY TABLE TO PROGRAM 'command line';
I'd strongly prefer that from a security standpoint. I intensely dislike
the idea that COPY will change from a command that can at worst expose
data to a command that can execute programs. It means existing security
decisions in applications that use it must be re-evaluated ... and most
won't be. Also, it isn't too hard to check the command string for pipe
chars, but experience has taught over and over with SQL injection, shell
metacharacter exploits, XSS, etc that magic characters that you must
check for are a bad idea, and it's much better to have separate syntax
(like parameterized statements) rather than magic strings.
Additionally, the pipe design appears to presume the presence of a shell
and the desirability of using it. I don't think either assumption is
sensible.
Windows has a shell of sorts (cmd.exe) but its behaviour is different
with regards to quoting and it can be tricky to produce commands that
work under both a UNIX shell and cmd.exe .
More importantly, the shell provides fun opportunities for unexpected
side-effects via metacharacters, leading to undesired behaviour or even
exploits. It's IMO strongly preferable to use an argument vector and
direct execution, so the shell never gets involved.
How about:
COPY ... FROM PROGRAM '/bin/my_program', '$notavariable', '$(rm -rf
$HOME)';
or:
COPY ... FROM (PROGRAM '/bin/my_program', ARGUMENTS
('$notavariable', '$(rm -rf $HOME)') );
?
Something extensible would be good, as somebody is *inevitably* going to
ask "so how do I set environment variables before I call the command"
and "how do I control which return values are considered success".
--
Craig Ringer
>
> regards, tom lane
>
>
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
В списке pgsql-hackers по дате отправления: