On Tuesday 1 July 2014 06:59:49 Albe Laurenz wrote:
> Michael Paquier wrote:
> 
> > After sleeping on it, I have put my hands on the postgres_fdw portion and
> > came up with a largely simplified flow, resulting in the patch attached.
> 
> 
> [...]
> 
> 
> > Ronan, what do you think of those patches? I have nothing more to add, and
> > I think that they should be looked at by a committer. Particularly the FDW
> > API that is perhaps not the best fit, but let's see some extra opinions
> > about that.

The remote_schema parameter can be used for SQL injection. Either we should go 
back to using parameters, or be extra careful. Since the remote schema is 
parsed as a name, it is limited to 64 characters which is not that useful for 
an SQL injection, but still.

The new query as you wrote it returns the typname (was cast to regtype before).
This is not schema qualified, and will fail when importing tables with columns
from a type not in search_path.

The regression tests don't pass: a user name is hard-coded in the result of
DROP USER MAPPING. Should we expect the tests to be run as postgres?

> 
> 
> I looked at the API and its documentation, and while I saw no problem with
> the API, I think that the documentation still needs some attention:
> 
> It mentions a "local_schema", which doesn't exist (any more?).
> It should be mentioned that the CreateForeignTableStmt's
> base.relation->schemaname should be set to NULL.
> Also, it would be nice to find a few words for "options",
> maybe explaining a potential application.
> 
> Yours,
> Laurenz Albe

-- 
Ronan Dunklau
http://dalibo.com - http://dalibo.org
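
The remote_schema concern raised above, as an added example that is not part of the original message or of the patch under review: a schema name pasted between quotes versus the same name emitted as an escaped string literal (the "extra careful" option; bound parameters are the other). The query text, the helper names and the sample schema name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed catalog query; not the query from the patch under review. */
#define QUERY_PREFIX "SELECT relname FROM pg_class c JOIN pg_namespace n " \
                     "ON c.relnamespace = n.oid WHERE n.nspname = "

/* Weak form: the schema name is pasted between quotes unchanged. */
int build_unsafe(char *out, size_t n, const char *schema)
{
    return snprintf(out, n, QUERY_PREFIX "'%s'", schema);
}

/*
 * Hypothetical helper: write src into dst as a SQL string literal.
 * Quotes and backslashes are doubled; the E prefix makes backslash
 * handling independent of standard_conforming_strings on the remote.
 * Returns the literal length, or -1 if dst is too small.
 */
int quote_literal(char *dst, size_t n, const char *src)
{
    size_t o = 0;

    /* worst case: every byte doubled, plus E, two quotes and the NUL */
    if (n < 2 * strlen(src) + 4)
        return -1;
    if (strchr(src, '\\') != NULL)
        dst[o++] = 'E';
    dst[o++] = '\'';
    for (; *src; src++) {
        if (*src == '\'' || *src == '\\')
            dst[o++] = *src;        /* double the special character */
        dst[o++] = *src;
    }
    dst[o++] = '\'';
    dst[o] = '\0';
    return (int) o;
}

/* Hardened form: the value can only ever be one literal in the query. */
int build_safe(char *out, size_t n, const char *schema)
{
    char lit[256];
    int len;

    if (quote_literal(lit, sizeof lit, schema) < 0)
        return -1;
    len = snprintf(out, n, QUERY_PREFIX "%s", lit);
    return (len < 0 || (size_t) len >= n) ? -1 : len;
}
```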
