From: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-patches(at)postgresql(dot)org, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: Proposed patch to disallow password=foo in database name parameter |
Date: | 2007-12-11 03:00:09 |
Message-ID: | 475DFD39.9080100@commandprompt.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-patches |
Tom Lane wrote:
> As of PG 8.3, libpq allows a conninfo string to be passed in via the
> dbName parameter of PQsetdbLogin. This is to allow access to conninfo
> facilities in old programs that are still using PQsetdbLogin (including
> most of our own standard clients ... ahem). For instance
>
> psql "service = foo"
>
> Andrew Dunstan pointed out a possible security hole in this: it will
> allow people to do
>
> psql "dbname = mydb password = mypassword"
>
> which would leave their password exposed on the program's command line.
>
> While we cannot absolutely prevent client apps from doing stupid things,
> it seems like it might be a good idea to prevent passwords from being
> passed in through dbName. The attached patch (which depends on some
> pretty-recent changes in CVS HEAD) accomplishes this.
>
> Anybody think this is good, bad, or silly? Does the issue need
I didn't even know we could do that. I always use the shell variable
option instead. Does anyone actually use the facility?
> explicit documentation, and if so where and how?
I think it should just throw a syntax error, this isn't covered as an
ability in the man page. I doubt anyone is honestly using this that
isn't smart enough to just figure out it isn't supported.
Joshua D. Drake
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2007-12-11 03:08:05 | Re: Proposed patch to disallow password=foo in database name parameter |
Previous Message | Tom Lane | 2007-12-11 02:56:42 | Proposed patch to disallow password=foo in database name parameter |