Ok. But again: There is a library mentioned and documented in the famous PostgreSQL book from Douglas & Douglas called pgcurl ( http://gborg.postgresql.org/project/pgcurl/ ). Where's this gone?

Yours, S.

2009/5/20 Robert Haas <robertmh...@gmail.com>
> On Wed, May 20, 2009 at 6:34 AM, Stefan Keller <sfkel...@gmail.com> wrote:
> > Questions: Don't see, why this would be a security issue: How could such a
> > function do any harm? large files?
>
> No, large files aren't the problem. The problem is that the
> PostgreSQL server process may have rights to access things that the
> user doesn't. For a simple case, imagine that PostgreSQL is behind a
> firewall and the user is in front of the firewall, but there's a port
> open to permit access to PostgreSQL. Now imagine that there is a web
> server behind the firewall. The firewall blocks the user from
> accessing the web server directly, but the user can ask PostgreSQL to
> download the URLs for him. In that way, the user can bypass the
> firewall. (Consider for example Andrew Chernow's company, which has
> clients connecting to their database server from all over the
> Internet...)
>
> ...Robert
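
Added example, not part of the thread and not code from pgcurl or PostgreSQL: a destination check that a server-side URL-fetching function could apply before downloading on a user's behalf, so that requests to hosts behind the firewall are refused. The names `fetch_allowed`, `resolve` and `SAMPLE_DNS` are hypothetical, and the DNS table is constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS (assumption, offline use).
SAMPLE_DNS = {
    "www.example.org": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.5.20"],
    "mixed.example": ["93.184.216.34", "192.168.1.10"],
}

def resolve(host):
    """Hypothetical resolver: literal IPs pass through, names use SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host.lower(), [])

def fetch_allowed(url, resolver=resolve):
    """Return (allowed, reason) for a URL a database user asks the server to fetch."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        # Blocks file:, gopher: and other schemes a fetch library may support.
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:
        # is_global is False for private, loopback, link-local and reserved
        # ranges, i.e. the hosts the server can reach but the user cannot.
        if not ipaddress.ip_address(a).is_global:
            return False, f"{a} is not a public address"
    return True, "ok"
```

The fetch itself has to connect to the addresses that were checked and re-run the check on every redirect, otherwise a second DNS answer or a redirect can still point the server at an internal host.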