Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command

From: Noah Misch <noah(at)leadboat(dot)com>
To: Feike Steenbergen <feikesteenbergen(at)gmail(dot)com>
Cc: andrew(dot)wheelwright(at)familysearch(dot)org, PostgreSQL mailing lists <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Date: 2017-04-08 19:34:07
Message-ID: 20170408193407.GA2814157@tornado.leadboat.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

On Wed, Mar 29, 2017 at 04:54:03PM +0200, Feike Steenbergen wrote:
> > If a standard user logs into Alice using command line client, psql, and
> runs
> > the command \deu+, the password for both the standard_user and the
> > power_user will be visible in the displayed user mapping.
>
> \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of
> pg_user_mapping.

Thanks for the report; the next back-branch releases will contain a fix.

In response to

Browse pgsql-bugs by date

  From Date Subject
Next Message mustafa husny 2017-04-09 22:05:38 manage connections
Previous Message Tom Lane 2017-04-07 16:19:19 Re: BUG #14614: Combination of UNION, EXCEPT and ORDER BY produces an error