"David G. Johnston" writes:
> On Sun, Dec 20, 2020 at 11:07 AM Tom Lane wrote:
>> If we could draw a line between "safe" and "unsafe" environment
>> variables, I'd be willing to consider a patch that allows directly
>> setting only the former. But I don't see how to draw that line.
> Because if
On Sun, Dec 20, 2020 at 11:07 AM Tom Lane wrote:
> If we could draw a line between "safe" and "unsafe" environment
> variables, I'd be willing to consider a patch that allows directly
> setting only the former. But I don't see how to draw that line.
>
>
IIUC the threat here is for users that wri
On Sun, Dec 20, 2020 at 10:42:40PM +0200, Heikki Linnakangas wrote:
> On 20/12/2020 21:05, David Fetter wrote:
> > We have plenty of ways to spawn shells and cause havoc, and we
> > wouldn't be able to block them all even if we decided to put a bunch
> > of pretty onerous restrictions on psql at th
On 20/12/2020 21:05, David Fetter wrote:
> We have plenty of ways to spawn shells and cause havoc, and we
> wouldn't be able to block them all even if we decided to put a bunch
> of pretty onerous restrictions on psql at this very late date. We have
> \set, backticks, \!, and bunches of things less obvio
On Sun, Dec 20, 2020 at 01:07:12PM -0500, Tom Lane wrote:
> David Fetter writes:
> > On Sun, Dec 20, 2020 at 02:26:14PM +0100, Fabien COELHO wrote:
> >> SELECT 'Calvin' AS foo \gset
> >> \setenv FOO :foo
> >> \! echo $FOO
> >> Calvin
>
> > You're the second person who's mentioned this workaround,
David Fetter writes:
> On Sun, Dec 20, 2020 at 02:26:14PM +0100, Fabien COELHO wrote:
>> SELECT 'Calvin' AS foo \gset
>> \setenv FOO :foo
>> \! echo $FOO
>> Calvin
> You're the second person who's mentioned this workaround, which goes
> to a couple of points I tried to make earlier:
> - This is
On Sun, Dec 20, 2020 at 02:26:14PM +0100, Fabien COELHO wrote:
> Hello David,
>
> > We have \gset to set some parameters, but not ones in the environment,
> > so I fixed this with a new analogous command, \gsetenv. I considered
> > refactoring SetVariable to include environment variables, but for
Hello David,
> We have \gset to set some parameters, but not ones in the environment,
> so I fixed this with a new analogous command, \gsetenv. I considered
> refactoring SetVariable to include environment variables, but for a
> first cut, I just made a separate function and an extra if.
My 0.02€: IS
On 12/16/20 10:54 PM, David Fetter wrote:
>
>> Besides which, you haven't bothered with even one word of positive
>> justification. What's the non-hazardous use case?
> Thanks for asking, and my apologies for not including it.
>
> I ran into a situation where we sometimes got a very heavily load
On Wed, Dec 16, 2020 at 05:30:13PM -0500, Tom Lane wrote:
> David Fetter writes:
> > We have \gset to set some parameters, but not ones in the environment,
> > so I fixed this with a new analogous command, \gsetenv.
>
> In view of the security complaints we just had about \gset
> (CVE-2020-25696)
David Fetter writes:
> We have \gset to set some parameters, but not ones in the environment,
> so I fixed this with a new analogous command, \gsetenv.
In view of the security complaints we just had about \gset
(CVE-2020-25696), I cannot fathom why we'd consider adding another
way to cause simila
11 matches