Re: \gsetenv

From Heikki Linnakangas
Subject Re: \gsetenv
Date
Msg-id df6b753d-3521-25d1-d01b-b488ebc6b52d@iki.fi
In response to Re: \gsetenv  (David Fetter <david@fetter.org>)
Responses Re: \gsetenv  (David Fetter <david@fetter.org>)
List pgsql-hackers
On 20/12/2020 21:05, David Fetter wrote:
> We have plenty of ways to spawn shells and cause havoc, and we
> wouldn't be able to block them all even if we decided to put a bunch
> of pretty onerous restrictions on psql at this very late date. We have
> \set, backticks, \!, and bunches of things less obvious that could,
> even without a compromised server, cause real mischief.

There is a big difference between having to trust the server or not. 
Yeah, you could cause a lot of mischief if you let a user run arbitrary 
psql scripts on your behalf. But that's no excuse for opening up a whole
other class of problems.

- Heikki


