On Mon, Oct 19, 2009 at 9:23 AM, Pavel Stehule <pavel.steh...@gmail.com> wrote:
> 2009/10/19 Dave Page <dp...@pgadmin.org>:
>> On Mon, Oct 19, 2009 at 8:54 AM, Pavel Stehule <pavel.steh...@gmail.com>
>> wrote:
>>> I dislike write access to the app name GUC for users too. It's not safe.
>>> Maybe only a superuser can do it?
>>
>> That'll render it pretty useless, as most applications wouldn't then
>> be able to set/reset it when it makes sense to do so.
>
> But an application can do it simply via the connection string, no? Most
> applications have the connection string in configuration, so I don't see
> a problem there. And if I wanted to allow access, then I could wrap the
> setting in a security definer function.
It will prevent an application changing the value before running a long
operation which may warrant special identification. It will also prevent
applications changing the setting if you're running through a pooler.

> I see this as a security hole. It allows special SQL injection.

How so?

-- 
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
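As an added illustration of the wrapper Pavel describes (not code from the thread or from PostgreSQL itself): a SECURITY DEFINER function that validates and sets application_name on behalf of an application role. It assumes the hypothetical situation under discussion, where direct SET of the GUC has been restricted and the function owner is still permitted to change it; the function name, the validation pattern and the role app_role are illustrative.

```sql
-- Added example, not from the thread: gate changes to application_name
-- behind a SECURITY DEFINER function instead of granting direct SET.
-- Assumes the function owner may change the GUC; app_role is illustrative.
CREATE OR REPLACE FUNCTION set_app_name(p_name text)
RETURNS text
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- never resolve names via the caller's path
AS $$
BEGIN
    -- application_name is echoed into pg_stat_activity and (via %a) into log
    -- lines, so accept only a short, plain token rather than arbitrary text.
    IF p_name IS NULL
       OR length(p_name) > 63
       OR p_name !~ '^[A-Za-z0-9_.:-]+$' THEN
        RAISE EXCEPTION 'invalid application_name: %', p_name;
    END IF;

    -- is_local = false: the value persists for the session, so a connection
    -- handed out by a pooler keeps the label until it is changed again.
    PERFORM pg_catalog.set_config('application_name', p_name, false);
    RETURN pg_catalog.current_setting('application_name');
END;
$$;

-- Only the application role may call the wrapper.
REVOKE ALL ON FUNCTION set_app_name(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION set_app_name(text) TO app_role;

-- Usage from the application, e.g. before a long-running job:
SELECT set_app_name('billing-batch');
```

Rejected values raise an error rather than being silently truncated, so a misbehaving client shows up in the server log instead of under a misleading label.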