On Tue, Jun 21, 2016 at 12:06 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
>> On 6/20/16 10:29 PM, Tom Lane wrote:
>>> What I would want to know is whether this specific change is actually a
>>> good idea. In particular, I'm concerned about the possible security
>>> implications of exposing primary_conninfo --- might it not contain a
>>> password, for example?
>
>> That would have been my objection. This was also mentioned in the
>> context of moving recovery.conf settings to postgresql.conf, because
>> then the password would become visible in SHOW commands and the like.
>
>> Alternatively or additionally, implement a way to strip passwords out of
>> conninfo information. libpq already has information about which
>> connection items are sensitive.
>
> Yeah, I'd been wondering whether we could parse the conninfo string into
> individual fields and then drop the password field. It's hard to see a
> reason why this view needs to show passwords, since presumably everything
> in it corresponds to successful connections --- if your password is wrong,
> you aren't in it.
walreceiver.c does not have a direct dependency to libpq yet,
everything does through libpqwalreceiver. So a correct move would be
to unplug the low-level routines of PQconninfoParse into something in
src/common/, where both the backend and frontend could use it. And
then we use it to rebuild a connection string. Thoughts?
--
Michael