Re: [GENERAL] Security implications of (plpgsql) functions

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Joe Conway <mail@joeconway.com>
Cc: Bruce Momjian <pgman@candle.pha.pa.us>, Marcin Owsiany <marcin@owsiany.pl>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2002-10-21T16:44:41Z
Lists: pgsql-hackers, pgsql-general
Joe Conway <mail@joeconway.com> writes:
> Is there any way to recognize infinite recursion by analyzing the saved 
> execution tree -- i.e. can we assume that a function that calls itself, with 
> the same arguments with which it was called, constitutes infinite recursion?

A bulletproof solution would be equivalent to solving the halting
problem, I believe.  The test you mentioned is easily defeated by
recursing between two functions.  Also, a would-be instigator of
DOS doesn't need *infinite* recursion; it could be quite finite and
still blow out your stack.  For example ask for factorial(10million)
where factorial is defined in the traditional recursive way...

			regards, tom lane