BUG #16449: Log file and the query field of the pg_stat_statements table display clear text password.

From: PG Bug reporting form <noreply(at)postgresql(dot)org>
To: pgsql-bugs(at)lists(dot)postgresql(dot)org
Cc: abcxiaod(at)126(dot)com
Subject: BUG #16449: Log file and the query field of the pg_stat_statements table display clear text password.
Date: 2020-05-18 09:16:31
Message-ID: 16449-4d45c7092ac52797@postgresql.org
Lists: pgsql-bugs

The following bug has been logged on the website:

Bug reference: 16449
Logged by: yi Ding
Email address: abcxiaod(at)126(dot)com
PostgreSQL version: 10.12
Operating system: linux
Description:

1. The log_statement is set to ALL
2. Execute statement: alter user t password 'adsf123asg';
3. Log file shows clear text password.

2020-05-18 10:32:11.606 CST,"postgres","postgres",16959,"[local]",5ec1f354.423f,3,"",2020-05-18 10:30:44 CST,14/26972,0,LOG,00000,"statement: alter user t password 'adsf123asg';",,,,,,,,"exec_simple_query, postgres.c:963","psql"

4. The query field of the pg_stat_statements table displays the clear text
of the password.

postgres=# select * from pg_stat_statements where queryid = '2555618481';
-[ RECORD 1 ]-------+-----------------------------------
userid | 10
dbid | 12298
queryid | 2555618481
query | alter user t password 'adsf123asg'
calls | 2
total_time | 0.266986
min_time | 0.127103
max_time | 0.139883
mean_time | 0.133493
stddev_time | 0.00639000000000001
rows | 0
shared_blks_hit | 6
shared_blks_read | 0
shared_blks_dirtied | 2
shared_blks_written | 0
local_blks_hit | 0
local_blks_read | 0
local_blks_dirtied | 0
local_blks_written | 0
temp_blks_read | 0
temp_blks_written | 0
blk_read_time | 0
blk_write_time | 0
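
A defender-side check for the exposure reported above, as an added example that is not part of the original message: it scans csvlog text for CREATE/ALTER USER or ROLE statements carrying a cleartext password literal and returns a redacted copy, and the same `redact` function can be run over the `query` column of pg_stat_statements. The function names, the message column index (taken from the layout of the reported log line) and the second and third sample rows are assumptions constructed for illustration; literals already in `md5...` or `SCRAM-SHA-256$...` form are treated as pre-hashed and not flagged.

```python
import csv
import io
import re

# CREATE/ALTER USER|ROLE ... PASSWORD '<literal>' within one statement;
# group 1 is the literal, with '' accepted as an escaped quote.
PASSWORD_STMT = re.compile(
    r"(?is)\b(?:create|alter)\s+(?:user|role)\b[^;]*?\bpassword\s+'((?:[^']|'')*)'"
)
# Literals that are already a stored verifier rather than a cleartext password.
HASHED = re.compile(r"^(md5[0-9a-f]{32}|SCRAM-SHA-256\$.+)$")
MESSAGE_COL = 13  # csvlog column holding "statement: ..." (assumed from the sample)

def redact(sql):
    """Return (sql with cleartext password literals masked, whether any were found)."""
    found = False

    def repl(m):
        nonlocal found
        if HASHED.match(m.group(1)):
            return m.group(0)  # pre-hashed: leave untouched, do not flag
        found = True
        return m.group(0)[: m.start(1) - m.start(0)] + "<redacted>'"

    return PASSWORD_STMT.sub(repl, sql), found

def scan_csvlog(text):
    """Return one finding per logged statement that exposes a cleartext password."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= MESSAGE_COL or not row[MESSAGE_COL].startswith("statement: "):
            continue
        sql = row[MESSAGE_COL][len("statement: "):]
        redacted, cleartext = redact(sql)
        if cleartext:
            findings.append({"time": row[0], "user": row[1], "statement": redacted})
    return findings

# Row 1 is the log line from the report; rows 2 and 3 are constructed samples.
SAMPLE = '''2020-05-18 10:32:11.606 CST,"postgres","postgres",16959,"[local]",5ec1f354.423f,3,"",2020-05-18 10:30:44 CST,14/26972,0,LOG,00000,"statement: alter user t password 'adsf123asg';",,,,,,,,"exec_simple_query, postgres.c:963","psql"
2020-05-18 10:33:00.000 CST,"postgres","postgres",16959,"[local]",5ec1f354.423f,4,"",2020-05-18 10:30:44 CST,14/26973,0,LOG,00000,"statement: alter user t password 'md50123456789abcdef0123456789abcdef';",,,,,,,,"exec_simple_query, postgres.c:963","psql"
2020-05-18 10:33:05.000 CST,"postgres","postgres",16959,"[local]",5ec1f354.423f,5,"",2020-05-18 10:30:44 CST,14/26974,0,LOG,00000,"statement: select 1;",,,,,,,,"exec_simple_query, postgres.c:963","psql"
'''

if __name__ == "__main__":
    for finding in scan_csvlog(SAMPLE):
        print(finding)
```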
