Re: [HACKERS] Provide list of subscriptions and publications in psql's completion
From | Petr Jelinek |
---|---|
Subject | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion |
Date | |
Msg-id | 435125ee-6104-0d61-71ae-fc6123868a11@2ndquadrant.com |
In reply to | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion (Michael Paquier <michael.paquier@gmail.com>) |
Responses | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion |
List | pgsql-hackers |
On 19/02/17 00:02, Michael Paquier wrote:
> On Sat, Feb 18, 2017 at 11:57 PM, Petr Jelinek
> <petr.jelinek@2ndquadrant.com> wrote:
>> On 15/02/17 05:56, Michael Paquier wrote:
>>> I thought that this was correctly clobbered... But... No that's not
>>> the case by looking at the code. And honestly I think that it is
>>> unacceptable to show potentially security-sensitive information in
>>> system catalogs via a connection string. We are really careful about
>>> not showing anything bad in pg_stat_wal_receiver, which also sets to
>>> NULL fields for non-superusers and even clobbered values in the
>>> printed connection string for superusers, but pg_subscription fails on
>>> those points.
>>>
>>
>> I am not following here, pg_subscription is currently superuser only
>> catalog, similarly to pg_user_mapping, there is no leaking.
>
> Even if it is a superuser-only view, pg_subscription does not hide
> sensitive values in connection strings while it should. See similar

It's not a view it's system catalog which actually stores the data, how
would it hide anything?

--
Petr Jelinek http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
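
The clobbering of connection strings discussed in this thread, sketched as an added example (not code from the thread or from PostgreSQL): a Python parser for libpq keyword/value connection strings that masks secret values before the string is displayed or logged. It assumes the keyword/value form only (not URIs); the function names, the mask string, the choice of sensitive keywords and the sample string are constructed for illustration.

```python
import re

SENSITIVE = {"password", "sslpassword"}  # libpq keywords treated as secret here
MASK = "********"
SAMPLE = r"host=pub.example.com user=repl password='s3 cr\'et'"  # constructed

def skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def parse_conninfo(s):
    """Parse a libpq keyword/value string into a list of (keyword, value)."""
    pairs, i = [], skip_ws(s, 0)
    while i < len(s):
        start = i
        while i < len(s) and s[i] != "=" and not s[i].isspace():
            i += 1
        key, i = s[start:i], skip_ws(s, i)
        if not key or i >= len(s) or s[i] != "=":
            raise ValueError(f"expected keyword=value at offset {start}")
        i = skip_ws(s, i + 1)
        quoted = i < len(s) and s[i] == "'"
        i += quoted                      # step over the opening quote
        value = []
        while i < len(s):
            if s[i] == "\\" and i + 1 < len(s):   # backslash escapes next char
                value.append(s[i + 1])
                i += 2
                continue
            if s[i] == "'" if quoted else s[i].isspace():
                break
            value.append(s[i])
            i += 1
        if quoted and i >= len(s):
            raise ValueError("unterminated quoted value")
        pairs.append((key, "".join(value)))
        i = skip_ws(s, i + quoted)       # step over the closing quote
    return pairs

def quote(value):
    """Re-quote a value so the output is still a valid conninfo string."""
    if value and not re.search(r"[\s'\\]", value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def redact_conninfo(s):
    """Return s with the value of every sensitive keyword masked."""
    return " ".join(f"{k}={MASK if k in SENSITIVE else quote(v)}"
                    for k, v in parse_conninfo(s))
```

Masking at display time protects only the output path; the stored string in the catalog still contains the secret, which is the distinction the reply above draws.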