Re: BUG #18379: LDAP bind password exposed
From | Tom Lane |
---|---|
Subject | Re: BUG #18379: LDAP bind password exposed |
Date | |
Msg-id | 295987.1709754748@sss.pgh.pa.us |
In reply to | Re: BUG #18379: LDAP bind password exposed (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: BUG #18379: LDAP bind password exposed |
List | pgsql-bugs |

Stephen Frost <sfrost@snowman.net> writes:
> While I agree that users should take steps to secure their log files,
> I'd argue that it's best practice to avoid dumping sensitive data into
> log files, which it seems like it would be in this case. I'm not
> suggesting that this is bug-worthy or that we should go to excessive
> lengths to try and prevent every such case, but if someone showed up
> with a reasonable patch to replace the sensitive information in a pg_hba
> line with ****, I would be on the side of supporting that.

I dunno, I think it would mostly serve to set false expectations. We've repeatedly rejected requests to scrub the log of passwords found in CREATE/ALTER USER commands, for example. I think some of the same issues that led to that conclusion would apply here, notably that a syntax error could lead to failing to recognize at all that some substring is a password. (A visibly erroneous pg_hba line would not get quoted in the specific context the OP complains of, but I'm pretty sure we'd print it while logging the configuration reload failure.)

regards, tom lane
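
The failure mode raised in the message above, as an added example that is not part of the original e-mail and is not PostgreSQL code: a naive regex scrubber for the `ldapbindpasswd` option of a pg_hba.conf line, run over well-formed and malformed lines. The `scrub` helper, host names and passwords are constructed for illustration.

```python
import re

# Naive scrubber (hypothetical, not PostgreSQL's): masks the value of the
# ldapbindpasswd option, bare or double-quoted. It only recognises the
# password when the line is syntactically what the pattern expects.
_PASSWD = re.compile(r'(ldapbindpasswd=)("[^"]*"|\S+)')


def scrub(hba_line):
    """Return the line with any recognised ldapbindpasswd value masked."""
    return _PASSWD.sub(r'\1****', hba_line)


def leaked_words(hba_line, secret):
    """Words of the secret that are still readable after scrubbing."""
    scrubbed = scrub(hba_line)
    return [w for w in secret.split() if w in scrubbed]


# Constructed sample lines: (pg_hba line, the secret it contains).
PREFIX = 'host all all 10.0.0.0/8 ldap ldapserver=ldap.example.net '
SAMPLES = {
    # Correct syntax: the scrubber finds and masks the value.
    "well_formed": (PREFIX + 'ldapbindpasswd=Constructed-Pw1',
                    'Constructed-Pw1'),
    "quoted": (PREFIX + 'ldapbindpasswd="Constructed Pw2"',
               'Constructed Pw2'),
    # Misspelled option name: nothing marks the substring as a password.
    "typo_in_option": (PREFIX + 'ldapbindpaswd=Constructed-Pw3',
                       'Constructed-Pw3'),
    # Missing closing quote: only the first word is treated as the value.
    "unclosed_quote": (PREFIX + 'ldapbindpasswd="Constructed Pw4',
                       'Constructed Pw4'),
}


def report():
    """Map each sample name to the secret words that survive scrubbing."""
    return {name: leaked_words(line, secret)
            for name, (line, secret) in SAMPLES.items()}


if __name__ == "__main__":
    for name, leaked in report().items():
        print(f"{name:15} leaked={leaked}")
```

The two malformed lines are the ones that would fail to load, and they are the ones where the secret survives scrubbing.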