Re: [HACKERS] Possible TODO: allow arbitrary expressions in event trigger WHEN

2017-02-14 Thread Robert Haas
On Mon, Feb 13, 2017 at 10:34 PM, Tom Lane wrote:
> Jim Nasby writes:
>> Is there a reason not to allow $SUBJECT? Specifically, it'd be nice to
>> be able to do something like WHEN tag LIKE 'ALTER%'.
>
> Seems like it would be a seriously bad idea for such an expression to be
> able to invoke arbitrary SQL code.  What if it calls a user-defined
> function that tries to do DDL?

Yeah.  I remember thinking about this and deciding that allowing real
expressions there was totally intractable.  I don't remember what all
the reasons were, but what Tom's talking about may have been at least
part of it.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers


Re: [HACKERS] Possible TODO: allow arbitrary expressions in event trigger WHEN

2017-02-14 Thread Jim Nasby

On 2/13/17 9:34 PM, Tom Lane wrote:
> Jim Nasby writes:
>> Is there a reason not to allow $SUBJECT? Specifically, it'd be nice to
>> be able to do something like WHEN tag LIKE 'ALTER%'.
>
> Seems like it would be a seriously bad idea for such an expression to be
> able to invoke arbitrary SQL code.  What if it calls a user-defined
> function that tries to do DDL?


Hmm... could we temporarily mark the transaction as being read-only? 
Though, can't users already run arbitrary code inside the triggers 
themselves?


If we don't want arbitrary DDL there might be other stuff we'd 
presumably want to prevent. FDW access comes to mind. So maybe just 
restrict what nodes can appear in the expression. You'd want to allow 
operators in that list which still leaves a bit of a hole, but if you're 
going to take up chainsaw juggling you better know what you're doing...

--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
855-TREBLE2 (855-873-2532)
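
For context, an added example (not from the thread or the PostgreSQL source; the function and trigger names are hypothetical): the WHEN clause of CREATE EVENT TRIGGER accepts only a literal list of command tags, so a pattern match like the one asked about has to live in the trigger function body, tested against the PL/pgSQL TG_TAG variable.

```sql
-- Added example; log_alter_exact, log_alter_any and both trigger names
-- are hypothetical. Creating event triggers requires superuser.

-- 1. What WHEN supports: TAG compared against a fixed list of literals.
--    No expression is evaluated, so no user-defined code can run while
--    the server decides whether to fire the trigger.
CREATE FUNCTION log_alter_exact() RETURNS event_trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'event=% tag=%', TG_EVENT, TG_TAG;
END;
$$;

CREATE EVENT TRIGGER alter_exact
    ON ddl_command_start
    WHEN TAG IN ('ALTER TABLE', 'ALTER FUNCTION')
    EXECUTE PROCEDURE log_alter_exact();

-- 2. Pattern match moved into the function body. The trigger has no
--    WHEN filter, so it fires for every supported command and the
--    function itself ignores tags that do not start with ALTER.
CREATE FUNCTION log_alter_any() RETURNS event_trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_TAG LIKE 'ALTER%' THEN
        RAISE NOTICE 'event=% tag=%', TG_EVENT, TG_TAG;
    END IF;
END;
$$;

CREATE EVENT TRIGGER alter_any
    ON ddl_command_start
    EXECUTE PROCEDURE log_alter_any();
```

The second form costs a function call per DDL command, which is the overhead a richer WHEN clause would avoid.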




Re: [HACKERS] Possible TODO: allow arbitrary expressions in event trigger WHEN

2017-02-13 Thread Tom Lane
Jim Nasby writes:
> Is there a reason not to allow $SUBJECT? Specifically, it'd be nice to 
> be able to do something like WHEN tag LIKE 'ALTER%'.

Seems like it would be a seriously bad idea for such an expression to be
able to invoke arbitrary SQL code.  What if it calls a user-defined
function that tries to do DDL?

regards, tom lane




[HACKERS] Possible TODO: allow arbitrary expressions in event trigger WHEN

2017-02-13 Thread Jim Nasby
Is there a reason not to allow $SUBJECT? Specifically, it'd be nice to 
be able to do something like WHEN tag LIKE 'ALTER%'.

--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com
855-TREBLE2 (855-873-2532)

