Re: [patch] fix dblink security hole

Tom Lane wrote:
> 
> What do you think about getting rid of the password_from_string state
> variable?  It was always a bit of a kluge, and we don't seem to need
> it anymore with this approach.

It is still used in PQconnectionUsedPassword(). That is still needed to 
prevent a non-superuser from logging in as the superuser if the server 
does not require authentication.  In that case, any bogus password could 
be added to the connection string and be subsequently ignored, if not 
for this check.

e.g. with a default pg_hba.conf

8<-------------------------------------
psql contrib_regression -U luser
psql (8.4devel)
Type "help" for help.

contrib_regression=> SELECT dblink_connect('password=luser 
dbname=contrib_regression');
ERROR:  password is required
DETAIL:  Non-superuser cannot connect if the server does not request a 
password.
HINT:  Target server's authentication method must be changed.
8<-------------------------------------

Without PQconnectionUsedPassword() that would have succeeded in logging 
in as the superuser, because the password is never actually checked.

Joe