On Sun, Mar 27, 2022 at 2:02 PM Robert Haas <robertmh...@gmail.com> wrote: > On Sun, Mar 27, 2022 at 4:26 PM Peter Geoghegan <p...@bowt.ie> wrote: > > We're not dealing > > with adversarial page images here. > > I think it's bad that we have to make that assumption, considering > that there's nothing whatever to keep users from supplying arbitrary > page images to pageinspect.
Maybe it isn't strictly necessary for bt_page_items(), but making that level of guarantee is really hard, and not particularly useful. And that's the easy case for pageinspect: gist_page_items() takes a raw bytea, and puts it through the underlying types output functions. I think that it might actually be fundamentally impossible to guarantee that that'll be safe, because we have no idea what the output function might be doing. It's arbitrary user-defined code that could easily be implemented in C. Combined with an arbitrary page image. > But I also agree that if we're unable or > unwilling to make things perfect, it's still good to make them better. I think that most of the functions can approach being perfectly robust, with a little work. In practical terms they can almost certainly be made so robust that no real user of bt_page_items() will ever crash the server. Somebody that goes out of their way to do that *might* find a way (even with the easier cases), but that doesn't particularly concern me. -- Peter Geoghegan
