Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Andreas didn't ask for a full file API. I suggested it because we were
> > already going to have some of the functionality. If rename/unlink are
> > new problems, we can skip them and just add what Andreas needs right
> > now.
>
> Given the security worries that have been raised, and the fact that none
> of this functionality existed in the patch as it stood at feature-freeze
> time, I think there's more than sufficient reason to defer all the
> writing stuff to a future release cycle.
Agreed.
> I'd like to limit the functionality added now to just file-read and
> directory-list commands; and perhaps we ought to go back to limiting
Yes.
> them to work on the configured log output directory rather than being
> general purpose. If they are general purpose, I'm going to want them to
> take only absolute paths, which will make it harder to use them for
> fetching the logs. (Not impossible, since we could demand that the GUC
> variable holding the log directory be an absolute path, but maybe it's
> just better to stay away from the notion of a general file access API
> until we've thought harder about the security implications.)
Agreed it should be relative to the log directory, which may or not be
under PGDATA, and don't let them go up above it. Is there any downside
to allowing absolute reads as well because COPY can already read
absolute files.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073