| From: | David Rowley <david(dot)rowley(at)2ndquadrant(dot)com> |
|---|---|
| To: | legrand legrand <legrand_legrand(at)hotmail(dot)com> |
| Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: pg_stat_statements: password in command is not obfuscated |
| Date: | 2018-03-23 23:17:30 |
| Message-ID: | CAKJS1f95_peGgpUgeG6nJ7Y4KzhcG07jdbwfM_8D4fRrCbUhmg@mail.gmail.com |
| Lists: | pgsql-general |
On 24 March 2018 at 10:30, legrand legrand <legrand_legrand(at)hotmail(dot)com> wrote:
> It seems that passwords used in commands are not removed when caught by
> pg_stat_statements
> (they are not "normalized" being utility statements)
>
> example:
> alter role tt with password '123';
>
> select query from public.pg_stat_statements
> where query like '%password%';
>
> query
> ----------------------------------------
> alter role tt with password '123';
>
> Do you think it's a bug?

If it is, then it's not a bug in pg_stat_statements. log_statement =
'ddl' would have kept a record of the same thing.

Perhaps the best fix would be a documentation improvement to mention
the fact and that it's best not to use plain text passwords in
CREATE/ALTER ROLE. Passwords can be md5 encrypted.

--
David Rowley http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
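
The two points in the reply above, as an added example that is not part of the original message or of PostgreSQL's own code: it builds an ALTER ROLE statement carrying PostgreSQL's md5 verifier (`'md5'` followed by md5 of the password concatenated with the role name) instead of the plain-text password, and it scans query text such as `pg_stat_statements.query` for password literals that were sent unhashed. The function names and the sample list are assumptions made for illustration.

```python
import hashlib
import re

# Matches the literal that follows PASSWORD in CREATE/ALTER ROLE|USER text.
_PASSWORD_LITERAL = re.compile(
    r"\b(?:create|alter)\s+(?:role|user)\b.*?\bpassword\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Values the server stores as-is: an md5 verifier or a SCRAM-SHA-256 verifier.
_VERIFIER = re.compile(r"^(?:md5[0-9a-f]{32}|SCRAM-SHA-256\$.+)$")


def pg_md5_verifier(role: str, password: str) -> str:
    """PostgreSQL's md5 format: 'md5' + md5(password || role name)."""
    digest = hashlib.md5((password + role).encode("utf-8")).hexdigest()
    return "md5" + digest


def alter_role_statement(role: str, password: str) -> str:
    """Build ALTER ROLE text that carries only the verifier, never the password."""
    quoted_role = '"' + role.replace('"', '""') + '"'
    return f"ALTER ROLE {quoted_role} WITH PASSWORD '{pg_md5_verifier(role, password)}';"


def find_plaintext_passwords(queries):
    """Return the queries whose PASSWORD literal is not already a verifier."""
    hits = []
    for query in queries:
        match = _PASSWORD_LITERAL.search(query)
        if match and not _VERIFIER.match(match.group(1)):
            hits.append(query)
    return hits


# Constructed sample of pg_stat_statements.query values (the first is from the thread).
SAMPLE_QUERIES = [
    "alter role tt with password '123';",
    alter_role_statement("tt", "123"),
    "select query from public.pg_stat_statements where query like $1",
]

if __name__ == "__main__":
    for q in find_plaintext_passwords(SAMPLE_QUERIES):
        print("plaintext password recorded:", q)
```

Because the role name is part of the hash input, the verifier has to be recomputed if the role is renamed.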