lo_import does not check type before performing an import

Started by PostgreSQL Bugs List, almost 25 years ago, 2 messages, bugs
#1 PostgreSQL Bugs List
pgsql-bugs@postgresql.org

Michael Richards (michael@fastmail.ca) reports a bug with a severity of 3
The lower the number the more severe it is.

Short Description
lo_import does not check type before performing an import

Long Description
lo_import within pgsql does not verify that it is reading from a file. You can import directories if you like and the imported data is a mess of ASCII. I didn't try it but I'm sure you could get into lots of trouble if you tried something like lo_import('/dev/urandom') or some other device that you can read infinite amounts of data from.

Sample Code
urdr=# insert into test values (lo_import('/home/miker/test'));
INSERT 6816303 1
urdr=# select * from test;
t
---------
6816289
(1 row)

file /home/miker/test

/home/miker/test: directory

No file was uploaded with this report

#2 Tom Lane
tgl@sss.pgh.pa.us
In reply to: PostgreSQL Bugs List (#1)
Re: lo_import does not check type before performing an import

pgsql-bugs@postgresql.org writes:

> lo_import within pgsql does not verify that it is reading from a file.

So we should prohibit reading from, eg, a named pipe?

Sorry, I don't agree.

regards, tom lane
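
An added example, not code from either poster or from the PostgreSQL source: one way a server-side import routine could gate on file type and cap the bytes read, covering the directory and /dev/urandom cases from the report while leaving named pipes as a policy switch. The names guarded_import, import_sample_file, the IMPORT_* codes and the /tmp/lo_guard_ template are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum { IMPORT_NOT_ALLOWED = -1, IMPORT_TOO_LARGE = -2, IMPORT_IO_ERROR = -3 };

/* Hypothetical helper, not a PostgreSQL function: bytes read, or an IMPORT_* code. */
long guarded_import(const char *path, int allow_fifo, long max_bytes)
{
    char buf[8192];
    long total = 0;
    ssize_t n;
    struct stat st;
    /* O_NONBLOCK: opening a FIFO with no writer must not hang before the check. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return IMPORT_IO_ERROR;
    /* fstat the descriptor that will be read, so the check cannot be raced. */
    if (fstat(fd, &st) != 0) { close(fd); return IMPORT_IO_ERROR; }
    if (!S_ISREG(st.st_mode) && !(allow_fifo && S_ISFIFO(st.st_mode))) {
        close(fd);
        return IMPORT_NOT_ALLOWED;  /* directory, device node, socket */
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);  /* blocking reads again */
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        total += n;  /* a real import would store buf here */
        if (total > max_bytes) { close(fd); return IMPORT_TOO_LARGE; }
    }
    close(fd);
    return n < 0 ? IMPORT_IO_ERROR : total;
}

/* Constructed sample input: temp regular file of n zero bytes, imported then removed. */
long import_sample_file(long n, long max_bytes)
{
    char path[] = "/tmp/lo_guard_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return IMPORT_IO_ERROR;
    long r = ftruncate(fd, n) == 0 ? guarded_import(path, 0, max_bytes) : IMPORT_IO_ERROR;
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    printf("%ld %ld %ld\n", guarded_import("/", 0, 1024),
           guarded_import("/dev/urandom", 0, 1024), import_sample_file(10, 1024));
    return 0;
}
```

The byte cap bounds an unbounded source on its own, so a deployment that accepts pipes can pass allow_fifo as nonzero and still refuse directories and device nodes.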