From: | Petr Jelinek <petr(dot)jelinek(at)2ndquadrant(dot)com> |
---|---|
To: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com> |
Cc: | Fujii Masao <masao(dot)fujii(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Provide list of subscriptions and publications in psql's completion |
Date: | 2017-02-18 14:57:00 |
Message-ID: | 9aa7f31f-c932-edad-6f1d-d269de8a31c6@2ndquadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 15/02/17 05:56, Michael Paquier wrote:
> On Wed, Feb 15, 2017 at 3:18 AM, Jim Nasby <Jim(dot)Nasby(at)bluetreble(dot)com> wrote:
>> Why not do what we do for pg_stat_activity.current_query and leave it NULL for non-SU?
>
> If subcriptions are designed to be superuser-only, it seems fair to me
> to do so. Some other system SRFs do that already.
>
>> Even better would be if we could simply strip out password info. Presumably
>> we already know how to parse the contents, so I'd think that shouldn't be
>> that difficult.
>
> I thought that this was correctly clobbered... But... No that's not
> the case by looking at the code. And honestly I think that it is
> unacceptable to show potentially security-sensitive information in
> system catalogs via a connection string. We are really careful about
> not showing anything bad in pg_stat_wal_receiver, which also sets to
> NULL fields for non-superusers and even clobbered values in the
> printed connection string for superusers, but pg_subscription fails on
> those points.
>
I am not following here, pg_subscription is currently superuser only
catalog, similarly to pg_user_mapping, there is no leaking.
--
Petr Jelinek http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Jim Nasby | 2017-02-18 16:19:34 | Re: "SQL sentence"? |
Previous Message | Fabien COELHO | 2017-02-18 14:26:45 | Re: [HACKERS] Small issue in online devel documentation build |