2016-10-04 9:18 GMT+02:00 Gilles Darold <gilles.dar...@dalibo.com>:
> On 03/10/2016 at 23:23, Gilles Darold wrote:
>> On 03/10/2016 at 23:03, Robert Haas wrote:
>>> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gil...@darold.net> wrote:
>>>> 4) Another problem is that, as it stands, this patch will allow anyone to upload into a
>>>> column the content of any system file that can be read by the postgres
>>>> system user, and then allow a non-system user to read its content.
>>> I thought this was a client-side feature, so that it would let a
>>> client upload any file that the client can read, but not things that
>>> can only be read by the postgres system user.
>>>
>> Yes, that's right, sorry for the noise, forget this fourth report.
>>
>
> After some more thought there is still a security issue here. For a
> PostgreSQL user who also has login access to the server, it is possible
> to read any file that the postgres system user can read, especially a
> .pgpass or a recovery.conf containing a password.
>
This patch doesn't introduce any new server-side functionality, so if there is some vulnerability, then it exists now too.

Regards

Pavel

>
> --
> Gilles Darold
> Consultant PostgreSQL
> http://dalibo.com - http://dalibo.org
>