diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2010-09-03 01:34:55 +0000 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2010-09-03 01:34:55 +0000 |
| commit | 303696c3b47e6719e983e93da5896ddc4a2e0dbb (patch) | |
| tree | 0cf979aeaf94f5f4c45948c3db78755d08dde5a6 /doc/src/sgml/func.sgml | |
| parent | 8ab6a6b4562efcd9f320353d5438fdbe10dbf9c5 (diff) | |
| download | postgresql-REL9_1_ALPHA1.tar.gz postgresql-REL9_1_ALPHA1.zip | |
Install a data-type-based solution for protecting pg_get_expr().REL9_1_ALPHA1
Since the code underlying pg_get_expr() is not secure against malformed
input, and can't practically be made so, we need to prevent miscreants
from feeding arbitrary data to it. We can do this securely by declaring
pg_get_expr() to take a new datatype "pg_node_tree" and declaring the
system catalog columns that hold nodeToString output to be of that type.
There is no way at SQL level to create a non-null value of type pg_node_tree.
Since the backend-internal operations that fill those catalog columns
operate below the SQL level, they are oblivious to the datatype relabeling
and don't need any changes.
Diffstat (limited to 'doc/src/sgml/func.sgml')
| -rw-r--r-- | doc/src/sgml/func.sgml | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml index 01fbd315b90..8d1015b9f8e 100644 --- a/doc/src/sgml/func.sgml +++ b/doc/src/sgml/func.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.531 2010/09/01 18:22:29 tgl Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/func.sgml,v 1.532 2010/09/03 01:34:54 tgl Exp $ --> <chapter id="functions"> <title>Functions and Operators</title> @@ -12746,13 +12746,13 @@ SELECT pg_type_is_visible('myschema.widget'::regtype); <entry>get definition of a constraint</entry> </row> <row> - <entry><literal><function>pg_get_expr</function>(<parameter>expr_text</parameter>, <parameter>relation_oid</>)</literal></entry> + <entry><literal><function>pg_get_expr</function>(<parameter>pg_node_tree</parameter>, <parameter>relation_oid</>)</literal></entry> <entry><type>text</type></entry> <entry>decompile internal form of an expression, assuming that any Vars in it refer to the relation indicated by the second parameter</entry> </row> <row> - <entry><literal><function>pg_get_expr</function>(<parameter>expr_text</parameter>, <parameter>relation_oid</>, <parameter>pretty_bool</>)</literal></entry> + <entry><literal><function>pg_get_expr</function>(<parameter>pg_node_tree</parameter>, <parameter>relation_oid</>, <parameter>pretty_bool</>)</literal></entry> <entry><type>text</type></entry> <entry>decompile internal form of an expression, assuming that any Vars in it refer to the relation indicated by the second parameter</entry> |