On 04/10/2016 at 17:29, Pavel Stehule wrote:
>
>
> 2016-10-04 9:18 GMT+02:00 Gilles Darold <gilles.dar...@dalibo.com>:
>
>     On 03/10/2016 at 23:23, Gilles Darold wrote:
>     > On 03/10/2016 at 23:03, Robert Haas wrote:
>     >> On Mon, Oct 3, 2016 at 3:54 PM, Gilles Darold <gil...@darold.net> wrote:
>     >>> 4) Another problem is that, like this, this patch will allow anyone to
>     >>> upload into a column the content of any system file that can be read by
>     >>> the postgres system user and then allow a non-system user to read its
>     >>> content.
>     >> I thought this was a client-side feature, so that it would let a
>     >> client upload any file that the client can read, but not things that
>     >> can only be read by the postgres system user.
>     >>
>     > Yes that's right, sorry for the noise, forget this fourth report.
>     >
>
>     After some more thought there is still a security issue here. For a
>     PostgreSQL user who also has login access to the server, it is possible
>     to read any file that the postgres system user can read, especially a
>     .pgpass or a recovery.conf containing a password.
>
>
> This patch doesn't introduce any new server-side functionality, so if
> there is some vulnerability, then it exists now too.
>

It doesn't exist; that was my system user, which has extended
privileges. You can definitely forget the fourth point.

-- 
Gilles Darold
Consultant PostgreSQL
http://dalibo.com - http://dalibo.org
