Re: Proposed patch to disallow password=foo in database name parameter

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-patches(at)postgreSQL(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: Proposed patch to disallow password=foo in database name parameter
Date: 2007-12-11 13:58:05
Message-ID: 475E976D.1020005@dunslane.net
Lists: pgsql-patches

Tom Lane wrote:
> It's also worth noting that we haven't removed the PGPASSWORD
> environment variable, even though that's demonstrably insecure on some
> platforms.
>

True. But at least its use is deprecated. The reason I put in PGPASSFILE
was to tempt (so far unsuccessfully) the maintainers of a certain well
known application to stop using PGPASSWORD.

> I'm actually inclined to vote with Stephen that this is a silly change.
> I just put up the patch to show the best way of doing it if we're gonna
> do it ...
>
>
>

OK. I'm not going to die in a ditch over it.

cheers

andrew
