Re: WIP patch: add (PRE|POST)PROCESSOR options to COPY

Craig Ringer <craig@2ndquadrant.com>

From: Craig Ringer <craig@2ndQuadrant.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Robert Haas <robertmhaas@gmail.com>, Simon Riggs <simon@2ndquadrant.com>, Fujii Masao <masao.fujii@gmail.com>, Etsuro Fujita <fujita.etsuro@lab.ntt.co.jp>, Craig Ringer <ringerc@ringerc.id.au>, pgsql-hackers@postgresql.org
Date: 2012-11-16T04:38:18Z
Lists: pgsql-hackers
On 11/16/2012 03:35 AM, Tom Lane wrote:

> The biggest problem this patch has had from the very beginning is
> overdesign, and this is more of the same. Let's please just define the
> feature as "popen, not fopen, the given string" and have done. You can
> put all the warning verbiage you want in the documentation. (But note
> that the server-side version would be superuser-only in any flavor of
> the feature.)

I concede that as server-side COPY is superuser-only already it doesn't
offer the same potential for attack that it otherwise would. If
applications take unchecked file system paths from users and feed them
into a superuser command they already have security problems.

I'd still be much happier to have COPY ... FROM PROGRAM - or something -
to clearly make the two different, for clarity as much as security.

-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services