Re: Possible major bug in PlPython (plus some other ideas)

Tom Lane <tgl@sss.pgh.pa.us> writes:

> What worries me is not so much this particular hole, which is easily
> plugged now that we know about it, as that it suggests that Python's
> idea of a restricted environment is considerably less restricted than
> we would like.  Perhaps there are other facilities that need to be
> turned off as well?

Could be.  FWIW, Zope (www.zope.org) allows for Python scripts, created 
and managed through the web, that run in a "sandbox" with many of the
same restrictions as PG puts on untrusted languages--they actually
disallow regex matching so you can't hang the webserver thread with a
regex that backtracks forever.  Might be worthhhile for the plpython
folks to take a look at Zope.

> The alternative we could consider is to mark plpython as untrusted for
> 7.2, until someone has time for a more complete review of possible
> security problems.

This sounds like a good idea to me.

-Doug
-- 
Let us cross over the river, and rest under the shade of the trees.  --T. J. Jackson, 1863