Skip site navigation (1) Skip section navigation (2)

Proposed patch to disallow password=foo in database name parameter

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-patches(at)postgreSQL(dot)org
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>
Subject: Proposed patch to disallow password=foo in database name parameter
Date: 2007-12-11 02:56:42
Message-ID: 26840.1197341802@sss.pgh.pa.us (view raw or flat)
Thread:
Lists: pgsql-patches
As of PG 8.3, libpq allows a conninfo string to be passed in via the
dbName parameter of PQsetdbLogin.  This is to allow access to conninfo
facilities in old programs that are still using PQsetdbLogin (including
most of our own standard clients ... ahem).  For instance

	psql "service = foo"

Andrew Dunstan pointed out a possible security hole in this: it will
allow people to do

	psql "dbname = mydb password = mypassword"

which would leave their password exposed on the program's command line.

While we cannot absolutely prevent client apps from doing stupid things,
it seems like it might be a good idea to prevent passwords from being
passed in through dbName.  The attached patch (which depends on some
pretty-recent changes in CVS HEAD) accomplishes this.

Anybody think this is good, bad, or silly?  Does the issue need
explicit documentation, and if so where and how?

			regards, tom lane

Responses

pgsql-patches by date

Next:From: Joshua D. DrakeDate: 2007-12-11 03:00:09
Subject: Re: Proposed patch to disallow password=foo in database name parameter
Previous:From: Tom LaneDate: 2007-12-11 01:50:35
Subject: Re: pgbench - startup delay

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group