LISTEN/NOTIFY Security and the docs

From: Chander Ganesan <chander(at)otg-nc(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: LISTEN/NOTIFY Security and the docs
Date: 2012-05-18 15:08:05
Message-ID: 4FB665D5.5050102@otg-nc.com
Lists: pgsql-hackers

Hi All,

I just realized that anyone can listen for notifications (using listen)
so long as they know the "channel" name. This means that a user could
receive and view the payload for another user.

Perhaps it would be good to note this in the documentation (i.e., there
should be no expectation of privacy/security when using listen/notify,
so any user that can connect to a database could issue and receive
notifications for any channel.)

thanks

--
Chander Ganesan
Open Technology Group, Inc.
11010 Lake Grove Blvd Ste. 100-307
Morrisville, NC 27560
919-463-0999/877-258-8987
http://www.otg-nc.com
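
Added example, not part of the original message: since LISTEN and NOTIFY carry no per-channel privilege check, one way to design around the behaviour described above is to send only a row key in the payload and let table privileges guard the data. The roles, table, functions and channel name below are hypothetical and constructed for illustration.

```sql
-- Constructed schema; every name here is an assumption of this example.
CREATE ROLE app_writer LOGIN;
CREATE ROLE app_reader LOGIN;
CREATE ROLE other_user LOGIN;   -- may connect, holds no rights on the table

CREATE TABLE orders (
    id       bigserial PRIMARY KEY,
    customer text NOT NULL,
    card_ref text NOT NULL
);
REVOKE ALL ON orders FROM PUBLIC;
GRANT INSERT ON orders TO app_writer;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_writer;
GRANT SELECT ON orders TO app_reader;

-- Weak setting: the payload is the whole row, so every session that has
-- run LISTEN orders_changed receives customer and card_ref.
CREATE FUNCTION notify_order_leaky() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_notify('orders_changed', row_to_json(NEW)::text);
    RETURN NEW;
END $$;

-- Corrected setting: the payload is only the primary key. The key and the
-- timing of the event are still visible to every listener.
CREATE FUNCTION notify_order_id() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_notify('orders_changed', NEW.id::text);
    RETURN NEW;
END $$;

CREATE TRIGGER orders_notify AFTER INSERT ON orders
    FOR EACH ROW EXECUTE PROCEDURE notify_order_id();

-- Session as other_user:
--   LISTEN orders_changed;               -- accepted, no privilege check
--   SELECT * FROM orders WHERE id = 1;   -- ERROR: permission denied
-- Session as app_reader:
--   LISTEN orders_changed;
--   SELECT * FROM orders WHERE id = $1;  -- $1 = payload, bound as a parameter
-- Any role can also send NOTIFY on this channel, so the listener treats the
-- payload as untrusted input and relies on the table for the real data.
```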
