public inbox for [email protected]
help / color / mirror / Atom feedFrom: Thomas Hallgren <[email protected]>
To: Tom Lane <[email protected]>
Cc: Kris Jurka <[email protected]>
Cc: [email protected]
Cc: Alvaro Herrera <[email protected]>
Cc: [email protected]
Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status?
Date: Sun, 03 Aug 2008 08:11:53 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
Tom Lane wrote:
>
>> This is a non-issue in PL/Java. An integer parameter is never passed by
>> reference and there's no way the PL/Java user can get direct access to
>> backend memory.
>>
>
> So what exactly does happen when the user deliberately specifies wrong
> typlen/typbyval/typalign info when creating a type based on PL/Java
> functions?
>
>
Everything is converted into instances of Java classes such as String,
byte[], etc.
>> I think that assumption is without ground. Java doesn't permit you to
>> access memory unless you use Java classes (java.nio stuff) that is
>> explicitly designed to do that and you need native code to set such
>> things up. A PL/Java user can not do that unless he is able to link in
>> other shared objects or dll's to the backend process.
>>
>
> PL/Java itself must be doing "unsafe" things in order to interface with
> PG at all. So what your argument really is is that you have managed to
> securely sandbox the user-written code you are calling. That might or
> might not be true, but I don't think that worrying about it is without
> foundation.
>
>
I would be presumptuous to claim that I provide the sandbox. All PL/Java
does is to provide the type mapping. The sandbox as such is implicit in
Java, much in the same way that it does it for web-browsers etc.
Regardless of that, I think there's some difference in expressing a
worry that might or might not have a foundation versus claiming that
there indeed must be a security hole a mile wide ;-)
- thomas
view thread (21+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Re: [Pljava-dev] Should creating a new base type require superuser status?
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox