Re: Row data is reflected in DETAIL message when constraints fail on insert/update

From: Shay Rojansky <roji(at)roji(dot)org>
To: pgsql-general(at)lists(dot)postgresql(dot)org, pgsql-general(at)postgresql(dot)org, William Denton <wdenton(at)gmail(dot)com>, Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>, Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net>
Subject: Re: Row data is reflected in DETAIL message when constraints fail on insert/update
Date: 2019-06-20 15:22:20
Message-ID: CADT4RqB8ZdqRguV05JdXpSr6dwK3azcebu0c_4Eg0ADnUtK=tg@mail.gmail.com
Lists: pgsql-general

Karsten,

>> In other words, this isn't about verbosity, but about sensitive data. It
>> seems like a specific knob for sensitive information may be required, which
>> would be off by default and would potentially affect other fields as well
>> (if relevant).
>
> A specific knob for "sensitive data" cannot be supplied by
> PostgreSQL because it cannot know beforehand what information
> will be considered sensitive under a given, future, usage
> scenario.

It seems generally agreed that all data from the database should be
considered potentially sensitive and should therefore not be leaked in log
messages - unless an explicit, informed opt-in is done. It is extremely
easy to imagine a (poorly-written) UI or web application which simply
surfaces database exceptions, allowing attackers to potentially extract
data from the database. In the worst case, passwords and other auth
information may get exposed in this way, but even any sort of personal
information is a big problem.

It seems worth at least having a conversation about it...
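
An added example, not part of the original message or of PostgreSQL: one way an application can avoid surfacing the row data that constraint-failure DETAIL lines carry, by answering clients from the SQLSTATE alone and redacting values before logging. The function names and the dict layout of the error are hypothetical, and the sample errors are constructed.

```python
import re

# SQLSTATE class 23 (integrity constraint violation) codes used by PostgreSQL.
CLIENT_MESSAGES = {
    "23502": "A required field is missing.",
    "23503": "The referenced record does not exist.",
    "23505": "That value is already in use.",
    "23514": "The submitted data failed validation.",
}
GENERIC = "The request could not be completed."

# The two DETAIL shapes that echo row values on constraint failures.
_FAILING_ROW = re.compile(r"Failing row contains \(.*\)", re.DOTALL)
_KEY_VALUE = re.compile(r"(Key \(.*?\))=\(.*\)", re.DOTALL)


def redact_detail(detail):
    """Strip row values from a DETAIL string; column names are kept."""
    if not detail:
        return ""
    if _FAILING_ROW.search(detail):
        return _FAILING_ROW.sub("Failing row contains (<redacted>)", detail)
    if _KEY_VALUE.search(detail):
        return _KEY_VALUE.sub(r"\1=(<redacted>)", detail)
    return "<detail withheld>"  # unknown shape: assume it may carry data


def to_client(err):
    """Response body built from the SQLSTATE only, never message or DETAIL."""
    code = err.get("sqlstate", "")
    return {"code": code, "error": CLIENT_MESSAGES.get(code, GENERIC)}


def to_log(err):
    """Log record that keeps the constraint name but not the row values."""
    return {"sqlstate": err.get("sqlstate", ""),
            "message": err.get("message", ""),
            "detail": redact_detail(err.get("detail", ""))}


# Constructed sample errors in the shape a driver would expose them.
SAMPLE_ERRORS = [
    {"sqlstate": "23514",
     "message": 'new row for relation "users" violates check constraint "users_age_check"',
     "detail": "Failing row contains (42, alice, s3cr3t-hash, -1)."},
    {"sqlstate": "23505",
     "message": 'duplicate key value violates unique constraint "users_email_key"',
     "detail": "Key (email)=(alice@example.com) already exists."},
]

if __name__ == "__main__":
    for e in SAMPLE_ERRORS:
        print(to_client(e), to_log(e))
```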
