Re: pl/pgsql enabled by default

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Neil Conway <neilc@samurai.com>
Cc: Simon Riggs <simon@2ndquadrant.com>, Andrew Sullivan <ajs@crankycanuck.ca>, pgsql-hackers@postgresql.org
Date: 2005-05-07T15:38:40Z
Lists: pgsql-hackers
Neil Conway <neilc@samurai.com> writes:
> Users can already define SQL functions by default, which certainly 
> provides "programmable features". I'm not quite sure what you mean by 
> "user exits."

> I guess I'm missing how pl/pgsql is a fundamentally greater security risk.

plpgsql has control structures (loops, IF); SQL functions don't.
That makes for a fundamental difference in the power of the programming
language ... at least according to CS theory as I was taught it.  Now
admittedly the "primitive statements" of SQL are a lot more powerful
than the primitive statements usually considered in programming language
theory, but I think there is still a pretty significant difference in
capability.

An example of why this could be interesting from a security standpoint
is that, given access to pg_shadow, it'd be pretty trivial to write
a plpgsql function that tries to break user passwords by brute force
(just generate possible passwords, hash them, and look for a match).
I don't see any way to do that in plain SQL, at least not without a
pre-existing SRF to generate the trial passwords for you.

			regards, tom lane