Re: [HACKERS] Provide list of subscriptions and publications in psql's completion
| From | Michael Paquier |
|---|---|
| Subject | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion |
| Date | |
| Msg-id | CAB7nPqTkFUwVE7RFB3Xy5sbzQWcC-6dkZQ9Lr-uscCr+Xgr7uw@mail.gmail.com |
| In reply to | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion (Petr Jelinek <petr.jelinek@2ndquadrant.com>) |
| Responses | Re: [HACKERS] Provide list of subscriptions and publications in psql's completion |
| List | pgsql-hackers |
On Sat, Feb 18, 2017 at 11:57 PM, Petr Jelinek <petr.jelinek@2ndquadrant.com> wrote:
> On 15/02/17 05:56, Michael Paquier wrote:
>> I thought that this was correctly clobbered... But... No that's not
>> the case by looking at the code. And honestly I think that it is
>> unacceptable to show potentially security-sensitive information in
>> system catalogs via a connection string. We are really careful about
>> not showing anything bad in pg_stat_wal_receiver, which also sets to
>> NULL fields for non-superusers and even clobbered values in the
>> printed connection string for superusers, but pg_subscription fails on
>> those points.
>>
>
> I am not following here, pg_subscription is currently superuser only
> catalog, similarly to pg_user_mapping, there is no leaking.

Even if it is a superuser-only view, pg_subscription does not hide
sensitive values in connection strings while it should. See similar
discussion for pg_stat_wal_receiver here which is also superuser-only
(it does display null values for non-superusers):
https://www.postgresql.org/message-id/562f6c7f-6a47-0a8a-e189-2de9ea896849@2ndquadrant.com

Something needs to be done at least for that, independently of the
psql completion.
--
Michael
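The point of the message above is that a connection string stored in a catalog can carry a password, and that it should be clobbered before display even when the catalog is superuser-only. The following is an added example, not code from this thread or from PostgreSQL: a small Python implementation of that kind of masking. It parses a libpq-style keyword=value connection string (and the postgresql:// URI form) and drops the options it treats as secrets before the string is shown. The SENSITIVE_KEYS set is an assumption of this example; libpq itself marks password-type options with dispchar "*" in PQconninfoOption, and a real implementation would consult that instead of a hard-coded list.

```python
"""Redact sensitive options from a libpq connection string before display.

Added example, not PostgreSQL code. libpq marks password-type options with
dispchar "*" in PQconninfoOption; this example hard-codes the keywords it
drops instead of asking libpq.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: these keywords carry secrets. "password" is the option libpq
# flags with dispchar "*"; "sslpassword" is included as an example extension.
SENSITIVE_KEYS = frozenset({"password", "sslpassword"})
URI_PREFIXES = ("postgresql://", "postgres://")


def parse_conninfo(conninfo):
    """Parse a keyword=value connection string into a list of (key, value).

    Follows libpq's rules: pairs are separated by whitespace, whitespace is
    allowed around '=', values may be single-quoted, and a backslash escapes
    the next character both inside and outside quotes.
    """
    pairs = []
    i, n = 0, len(conninfo)

    def skip_ws(pos):
        while pos < n and conninfo[pos].isspace():
            pos += 1
        return pos

    while True:
        i = skip_ws(i)
        if i >= n:
            return pairs
        start = i
        while i < n and conninfo[i] != "=" and not conninfo[i].isspace():
            i += 1
        key = conninfo[start:i]
        i = skip_ws(i)
        if i >= n or conninfo[i] != "=":
            raise ValueError(f"missing '=' after keyword {key!r}")
        i = skip_ws(i + 1)
        quoted = i < n and conninfo[i] == "'"
        if quoted:
            i += 1
        buf = []
        while i < n:
            c = conninfo[i]
            if c == "\\":                    # escape: take the next char literally
                i += 1
                if i >= n:
                    break
                buf.append(conninfo[i])
            elif quoted and c == "'":        # closing quote ends the value
                break
            elif not quoted and c.isspace():  # whitespace ends an unquoted value
                break
            else:
                buf.append(c)
            i += 1
        if quoted:
            if i >= n:
                raise ValueError(f"unterminated quoted value for {key!r}")
            i += 1                           # consume the closing quote
        pairs.append((key, "".join(buf)))


def quote_value(value):
    """Quote a value so that libpq would read it back unchanged."""
    if value and not any(c.isspace() or c in "'\\" for c in value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def redact_conninfo(conninfo):
    """Return the connection string with sensitive options removed."""
    if conninfo.startswith(URI_PREFIXES):
        return _redact_uri(conninfo)
    # Keyword matching is case-sensitive, as libpq's keywords are.
    kept = [(k, v) for k, v in parse_conninfo(conninfo) if k not in SENSITIVE_KEYS]
    return " ".join(f"{k}={quote_value(v)}" for k, v in kept)


def _redact_uri(uri):
    """Strip the userinfo password and sensitive query parameters from a URI."""
    parts = urlsplit(uri)
    netloc = parts.netloc
    if "@" in netloc:
        userinfo, hostpart = netloc.rsplit("@", 1)
        netloc = userinfo.split(":", 1)[0] + "@" + hostpart   # keep the user only
    query = urlencode([(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                       if k not in SENSITIVE_KEYS])
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample connection strings, not taken from any real deployment.
    for sample in (
        "host=localhost port=5432 user=rep password=s3cret dbname=postgres",
        "host=db user=rep password='p a\\'ss' application_name='my app'",
        "postgresql://rep:s3cret@db.example:5432/postgres?sslmode=require&password=x",
    ):
        print(redact_conninfo(sample))
```

Dropping the option, rather than replacing its value with a placeholder, means the displayed string is still a valid libpq connection string that simply lacks the secret; a reader can tell nothing about the password's presence or length from it.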