Re: Proposed patch to disallow password=foo in database name parameter

Tom Lane wrote:
> As of PG 8.3, libpq allows a conninfo string to be passed in via the
> dbName parameter of PQsetdbLogin. This is to allow access to conninfo
> facilities in old programs that are still using PQsetdbLogin (including
> most of our own standard clients ... ahem). For instance
>
> psql "service = foo"
>
> Andrew Dunstan pointed out a possible security hole in this: it will
> allow people to do
>
> psql "dbname = mydb password = mypassword"
>
> which would leave their password exposed on the program's command line.
>
> While we cannot absolutely prevent client apps from doing stupid things,
> it seems like it might be a good idea to prevent passwords from being
> passed in through dbName. The attached patch (which depends on some
> pretty-recent changes in CVS HEAD) accomplishes this.
>
> Anybody think this is good, bad, or silly? Does the issue need

I didn't even know we could do that. I always use the shell variable
option instead. Does anyone actually use the facility?

> explicit documentation, and if so where and how?

I think it should just throw a syntax error, this isn't covered as an
ability in the man page. I doubt anyone is honestly using this that
isn't smart enough to just figure out it isn't supported.

Joshua D. Drake