Re: [HACKERS] Possible make_oidjoins_check Security Issue
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Bruce Momjian <pgman@candle.pha.pa.us>
Cc: Neil Conway <neilc@samurai.com>, Rod Taylor <pg@rbt.ca>, PostgreSQL-patches <pgsql-patches@postgresql.org>
Date: 2004-11-03T23:34:19Z
Lists: pgsql-hackers
Bruce Momjian <pgman@candle.pha.pa.us> writes: >> I think Tom's fix adequately addresses the security concerns. Exactly >> what is wrong with writing to the current working directory? > Because it could be run from a directory where others have write > permission. In which case, they could also change the findoidjoins script itself. I think your fix is *less* secure than what you replaced. However, I've already wasted more than enough time on this issue... I'm done arguing about it. regards, tom lane