| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | pgsql-patches(at)postgreSQL(dot)org, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: Proposed patch to disallow password=foo in database name parameter |
| Date: | 2007-12-11 03:47:19 |
| Message-ID: | 27587.1197344839@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Stephen Frost wrote:
>> I'm going to have to vote 'silly' on this one.
> It's a matter of being consistent. If we think such a facility shouldn't
> be provided on security grounds, then we shouldn't allow it via a
> backdoor, ISTM.
Well, the problem with this approach is that libpq has no real means
of knowing whether a string it's been passed was exposed on the command
line or not. dbName might be secure, and for that matter the conninfo
string passed to PQconnectdb might be insecure. Should we put in
arbitrary restrictions on the basis of hypotheses about where these
different arguments came from?
It's also worth noting that we haven't removed the PGPASSWORD
environment variable, even though that's demonstrably insecure on some
platforms.
I'm actually inclined to vote with Stephen that this is a silly change.
I just put up the patch to show the best way of doing it if we're gonna
do it ...
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-12-11 09:00:22 | Re: buildenv.pl/buildenv.bat |
| Previous Message | Andrew Dunstan | 2007-12-11 03:33:43 | Re: Proposed patch to disallow password=foo in database name parameter |