Robert Haas <robertmh...@gmail.com> writes: > It's not just a question of whether it was meant to be SQL-callable -- > it's also a question of what arguments it was expecting to be called > with. At the very least, you can cause the server to core dump if you > pass something that isn't a valid pointer to a function that is > expecting a pointer, which is something a CSP very likely does not > want a customer to be able to do. I think, however, that there's every > possibility that you can create more havoc than that. You can > basically call a function that's expecting a pointer with a pointer to > anything you can find or guess the memory address of. Maybe that's not > enough control to cause anything worse than a server crash, but I sure > wouldn't bet on it. There's a lot of functions floating around, and if > none of them can be tricked into doing filesystem access today, well > someone might add a new one tomorrow.
[ shrug... ] So is your point that we shouldn't bother to do anything? I don't personally have a problem with leaving things where they stand in this area. However, if we're going to do something, I think at minimum it should involve blocking off everything we can identify as straightforward reproducible methods to get disk access. regards, tom lane