Robert Haas <robertmh...@gmail.com> writes: > On Thu, Nov 9, 2017 at 12:58 PM, Andres Freund <and...@anarazel.de> wrote: >> You can already pass arbitrary byteas to heap_page_items(), so I don't >> see how this'd change anything exposure-wise? Or are you thinking that >> users would continually do this with actual page contents and would be >> more likely to hit edge cases than if using pg_read_binary_file() or >> such (which obviously sees an out of date page)?
> More the latter. It's not really an increase in terms of security > exposure, but it might lead to more trouble in practice. If we do this, I'd suggest exposing it as a separate SQL function get_raw_page_unlocked() rather than as an option to get_raw_page(). The reasoning is that if we ever allow these functions to be controlled via GRANT instead of hardwired superuser checks (cf nearby debate about lo_import/lo_export), one might reasonably consider the unlocked form as more risky than the locked form, and hence not wish to have to give out privileges to both at once. regards, tom lane -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers