Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> On 6/20/16 10:29 PM, Tom Lane wrote:
>> What I would want to know is whether this specific change is actually a
>> good idea. In particular, I'm concerned about the possible security
>> implications of exposing primary_conninfo --- might it not contain a
>> password, for example?
> That would have been my objection. This was also mentioned in the
> context of moving recovery.conf settings to postgresql.conf, because
> then the password would become visible in SHOW commands and the like.
> Alternatively or additionally, implement a way to strip passwords out of
> conninfo information. libpq already has information about which
> connection items are sensitive.
Yeah, I'd been wondering whether we could parse the conninfo string into
individual fields and then drop the password field. It's hard to see a
reason why this view needs to show passwords, since presumably everything
in it corresponds to successful connections --- if your password is wrong,
you aren't in it.
regards, tom lane