As of PG 8.3, libpq allows a conninfo string to be passed in via the
dbName parameter of PQsetdbLogin. This is to allow access to conninfo
facilities in old programs that are still using PQsetdbLogin (including
most of our own standard clients ... ahem). For instance
psql "service = foo"
Andrew Dunstan pointed out a possible security hole in this: it will
allow people to do
psql "dbname = mydb password = mypassword"
which would leave their password exposed on the program's command line.
While we cannot absolutely prevent client apps from doing stupid things,
it seems like it might be a good idea to prevent passwords from being
passed in through dbName. The attached patch (which depends on some
pretty-recent changes in CVS HEAD) accomplishes this.
Anybody think this is good, bad, or silly? Does the issue need
explicit documentation, and if so where and how?
regards, tom lane
pgsql-patches by date
|Next:||From: Joshua D. Drake||Date: 2007-12-11 03:00:09|
|Subject: Re: Proposed patch to disallow password=foo in database
|Previous:||From: Tom Lane||Date: 2007-12-11 01:50:35|
|Subject: Re: pgbench - startup delay |