Skip site navigation (1) Skip section navigation (2)

Re: Proposed patch to disallow password=foo in database name parameter

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, pgsql-patches(at)postgreSQL(dot)org,Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: Proposed patch to disallow password=foo in database name parameter
Date: 2007-12-11 09:09:20
Message-ID: 20071211090920.GH31937@svr2.hagander.net (view raw or flat)
Thread:
Lists: pgsql-patches
On Mon, Dec 10, 2007 at 10:47:19PM -0500, Tom Lane wrote:
> Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> > Stephen Frost wrote:
> >> I'm going to have to vote 'silly' on this one.
> 
> > It's a matter of being consistent. If we think such a facility shouldn't 
> > be provided on security grounds, then we shouldn't allow it via a 
> > backdoor, ISTM.
> 
> Well, the problem with this approach is that libpq has no real means
> of knowing whether a string it's been passed was exposed on the command
> line or not.  dbName might be secure, and for that matter the conninfo
> string passed to PQconnectdb might be insecure.  Should we put in
> arbitrary restrictions on the basis of hypotheses about where these
> different arguments came from?
> 
> It's also worth noting that we haven't removed the PGPASSWORD
> environment variable, even though that's demonstrably insecure on some
> platforms.
> 
> I'm actually inclined to vote with Stephen that this is a silly change.
> I just put up the patch to show the best way of doing it if we're gonna
> do it ...

+1 on the silly.

If we want to prevent it for psql, we should actually prevent it *in* psql,
not in libpq. There are an infinite number of scenarios where it's
perfectly safe to put the password there... If we want to do it share, we
should add a function like PQSanitizeConnectionString() that will remove
it, that can be called from those client apps that may be exposing it.

There are also platforms that don't show the full commandline to other
users - or even other processes - that aren't affected, of course.

//Magnus

In response to

Responses

pgsql-patches by date

Next:From: Alvaro HerreraDate: 2007-12-11 12:22:46
Subject: Re: Proposed patch to disallow password=foo in databasename parameter
Previous:From: Dave PageDate: 2007-12-11 09:09:13
Subject: Re: pgbench - startup delay

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group