Re: plpgsql by default (was: Re: Remote administration contrib module)
From | Andrew - Supernews |
---|---|
Subject | Re: plpgsql by default (was: Re: Remote administration contrib module) |
Date | |
Msg-id | slrne3m8eo.2as.andrew+nonews@atlantis.supernews.net |
In reply to | Re: Remote administration contrib module (Peter Eisentraut <peter_e@gmx.net>) |
List | pgsql-hackers |
On 2006-04-11, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Andrew - Supernews <andrew+nonews@supernews.com> writes:
>> On 2006-04-10, Bruce Momjian <pgman@candle.pha.pa.us> wrote:
>>>> [ security ]
>>> It actually is the reason I have heard.
>
>> And it was duly debunked.
>
> That is the reasoning, and personally I agree with it. You don't leave
> sharp objects sitting around if you have no need to have them out.
> The availability of plpgsql or other PLs makes for a significant jump
> in what a bad guy can do if he gets access to the database,

Example please.

Last time this was discussed, the claimed examples were things like running infinite loops as a resource exhaustion attack, which is pretty trivial to do in plain SQL functions or even in plain SQL without functions, and running things like brute-force attacks on password hashes (which also isn't hard using plain SQL functions).

--
Andrew, Supernews
http://www.supernews.com - individual and corporate NNTP services