Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tfCRJ-000Ozc-3O for pgsql-hackers@arkaria.postgresql.org; Tue, 04 Feb 2025 06:29:42 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tfCRI-001lv1-5I for pgsql-hackers@arkaria.postgresql.org; Tue, 04 Feb 2025 06:29:40 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tfCRH-001luj-34 for pgsql-hackers@lists.postgresql.org; Tue, 04 Feb 2025 06:29:39 +0000 Received: from mail.clear-code.com ([153.126.203.179]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1tfCRC-0034cl-2i for pgsql-hackers@postgresql.org; Tue, 04 Feb 2025 06:29:37 +0000 Received: from localhost (unknown [IPv6:2404:7a80:9f01:f500:af1b:fa00:91d6:aaa9]) by mail.clear-code.com (Postfix) with ESMTPSA id 700E5561D2D; Tue, 4 Feb 2025 15:29:29 +0900 (JST) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.clear-code.com 700E5561D2D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clear-code.com; s=default; t=1738650569; bh=6CHTPyAKHmGBJvJwcOho+aZG+2TsDpKvtasBxBCT4Q0=; h=Date:To:Cc:Subject:From:In-Reply-To:References:From; b=NZVMyEkW2w96f0QU3XKfIuF6guV+w4kFfZzml4iIJFIoviK8OvEXUDpJztd9tPuPh MFInDQ+UPrgQlrv6fCfmkVp56u50kPCjEwn85Xr9AK19lC3kAZB50CuNDqUdTclXt/ P22pIxZ32dqpy5dsYxWSPUnvlX0yE1Dw7lpkqmZI= Date: Tue, 04 Feb 2025 15:29:27 +0900 (JST) Message-Id: <20250204.152927.1922290693174479861.kou@clear-code.com> To: v.popolitov@postgrespro.ru Cc: sawada.mshk@gmail.com, zhjwpku@gmail.com, michael@paquier.xyz, pgsql-hackers@postgresql.org Subject: Re: Make COPY format extendable: Extract COPY TO format implementations From: Sutou Kouhei In-Reply-To: References: <20250201.191201.966818981739331450.kou@clear-code.com> X-Mailer: Mew version 6.8 on Emacs 29.4 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Rspamd-Server: mail.clear-code.com X-Rspamd-Queue-Id: 700E5561D2D X-Rspamd-Action: no action X-Spamd-Result: default: False [2.90 / 999.00]; SUSPICIOUS_RECIPS(1.50)[]; MID_CONTAINS_FROM(1.00)[]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_ZERO(0.00)[0]; ASN(0.00)[asn:2518, ipnet:2404:7a80::/29, country:JP]; MIME_TRACE(0.00)[0:+]; TAGGED_RCPT(0.00)[]; ARC_NA(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; FREEMAIL_CC(0.00)[gmail.com,paquier.xyz,postgresql.org]; FROM_EQ_ENVFROM(0.00)[]; TO_DN_NONE(0.00)[]; RCPT_COUNT_FIVE(0.00)[5] List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, In "Re: Make COPY format extendable: Extract COPY TO format implementations" on Mon, 03 Feb 2025 13:38:04 +0700, Vladlen Popolitov wrote: > I would like to inform about the security breach in your design of > COPY TO/FROM. Thanks! I didn't notice it. > You use FORMAT option to add new formats, filling it with routine name > in shared library. As result any caller can call any routine in > PostgreSQL kernel. We require "FORMAT_NAME(internal)" signature: ---- funcargtypes[0] = INTERNALOID; handlerOid = LookupFuncName(list_make1(makeString(format)), 1, funcargtypes, true); ---- So any caller can call only routines that use the signature. Should we add more checks for security? If so, what checks are needed? For example, does requiring a prefix such as "copy_" (use "copy_json" for "json" format) improve security? For example, we need to register a handler explicitly (CREATE ACCESS METHOD) when we want to use a new access method. Should we require an explicit registration for custom COPY format too? > Standard PostgreSQL realisation for new methods to use USING > keyword. Every > new method could have own options (FORMAT is option of internal 'copy > from/to' > methods), Ah, I didn't think about USING. You suggest "COPY ... USING json" not "COPY ... FORMAT json" like "CREATE INDEX ... USING custom_index", right? It will work. If we use this interface, we should reject "COPY ... FORMAT ... USING" (both of FORMAT/USING are specified). > it assumes some SetOptions interface, that defines > an options structure according to the new method requirements. Sorry. I couldn't find the SetOptions interface in source code. I found only AT_SetOptions. Did you mean it by "some SetOptions interface"? I'm familiar with only access method. It has IndexAmRoutine::amoptions. Is it a SetOptions interface example? FYI: The current patch set doesn't have custom options support yet. Because we want to start from a minimal feature set. But we'll add support for custom options eventually. Thanks, -- kou