From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
Cc: | Tels <nospam-pg-abuse(at)bloodgate(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Marco van Eck <marco(dot)vaneck(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Have an encrypted pgpass file |
Date: | 2018-07-21 05:29:26 |
Message-ID: | 6599.1532150966@sss.pgh.pa.us |
Lists: | pgsql-hackers |
Isaac Morland <isaac(dot)morland(at)gmail(dot)com> writes:
>>> It would also provide a *very* fertile source of shell-script-injection
>>> vulnerabilities. (Whaddya mean, you tried to use a user name with a
>>> quote mark in it?)

> If I understand the proposal correctly, the pgpass program would run on the
> client, invoked by libpq when a password is needed for a connection. So the
> risk relates to strange things happening on the client when the client
> attempts to connect as a strangely-named user or to a strangely-named
> database or host, not to being able to break into the server.

Yeah. The most obvious scenario for trouble is that somebody enters
a crafted user name on a website, and that results in bad things happening
on an application-server machine that tried to pass that user name to
a database server. The DB server itself isn't compromised, but the app
server could be.

If we were putting this sort of feature into psql, it wouldn't be such
a risk, but if it's in libpq then I fear it is. libpq underlies a lot
of client-side code.

regards, tom lane
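
The concern raised in this message, as an added example that is not part of the original email and is not libpq code: a user name containing a quote mark is handed to a helper program once through a shell command string and once as a single argv element. The function names are hypothetical, and `printf` stands in for the proposed password helper.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example: `printf` stands in for a hypothetical password helper. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read what the child wrote (up to n-1 bytes) into out. */
static void slurp(FILE *f, char *out, size_t n) {
    size_t got = fread(out, 1, n - 1, f);
    out[got] = '\0';
}

/* Risky: the user name is pasted into a string that /bin/sh parses. */
int helper_via_shell(const char *user, char *out, size_t n) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "printf %%s '%s'", user);
    FILE *f = popen(cmd, "r");
    if (!f) return -1;
    slurp(f, out, n);
    return pclose(f);          /* non-zero when the shell rejects the line */
}

/* Safer: no shell involved; the user name is exactly one argv element. */
int helper_via_argv(const char *user, char *out, size_t n) {
    int fd[2], status; pid_t pid;
    if (pipe(fd) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {            /* child: stdout goes to the pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("printf", "printf", "%s", user, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    FILE *f = fdopen(fd[0], "r");
    if (!f) return -1;
    slurp(f, out, n);
    fclose(f);
    waitpid(pid, &status, 0);
    return status;
}
int main(void) {
    const char *user = "o'brien";   /* constructed sample input */
    char a[128], b[128];
    int ra = helper_via_shell(user, a, sizeof a);
    int rb = helper_via_argv(user, b, sizeof b);
    printf("shell: status=%d out=[%s]\nargv:  status=%d out=[%s]\n", ra, a, rb, b);
    return 0;
}
```

With the shell form the quote mark ends the quoted string early and the helper never sees the name as entered; with the argv form the name arrives byte for byte.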