| From: | Alvaro Herrera <alvherre(at)alvh(dot)no-ip(dot)org> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, pgsql-patches(at)postgreSQL(dot)org, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: Proposed patch to disallow password=foo in database name parameter |
| Date: | 2007-12-11 12:22:46 |
| Message-ID: | 20071211122246.GE4708@alvh.no-ip.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
Magnus Hagander wrote:
> On Mon, Dec 10, 2007 at 10:47:19PM -0500, Tom Lane wrote:
> If we want to prevent it for psql, we should actually prevent it *in* psql,
> not in libpq. There are an infinite number of scenarios where it's
> perfectly safe to put the password there... If we want to do it share, we
> should add a function like PQSanitizeConnectionString() that will remove
> it, that can be called from those client apps that may be exposing it.
>
> There are also platforms that don't show the full commandline to other
> users - or even other processes - that aren't affected, of course.
One idea is to have psql "hide" the password on the ps status. That way
it becomes less of a security issue. It would still be a problem on
certain operating systems, but at least several common platforms would
be covered.
--
Alvaro Herrera http://www.flickr.com/photos/alvherre/
Officer Krupke, what are we to do?
Gee, officer Krupke, Krup you! (West Side Story, "Gee, Officer Krupke")
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2007-12-11 12:31:27 | Re: Proposed patch to disallow password=foo in databasename parameter |
| Previous Message | Magnus Hagander | 2007-12-11 09:09:20 | Re: Proposed patch to disallow password=foo in database name parameter |