On Wed, Feb 15, 2017 at 3:18 AM, Jim Nasby <jim.na...@bluetreble.com> wrote: > Why not do what we do for pg_stat_activity.current_query and leave it NULL > for non-SU?
If subcriptions are designed to be superuser-only, it seems fair to me to do so. Some other system SRFs do that already. > Even better would be if we could simply strip out password info. Presumably > we already know how to parse the contents, so I'd think that shouldn't be > that difficult. I thought that this was correctly clobbered... But... No that's not the case by looking at the code. And honestly I think that it is unacceptable to show potentially security-sensitive information in system catalogs via a connection string. We are really careful about not showing anything bad in pg_stat_wal_receiver, which also sets to NULL fields for non-superusers and even clobbered values in the printed connection string for superusers, but pg_subscription fails on those points. I am adding an open item on the wiki regarding that. FWIW, a patch needs to refactor libpqrcv_check_conninfo and libpqrcv_get_conninfo so as the connection string build of PQconninfoOption data goes through the same process. If everybody agrees on those lines, I have no problems in producing a patch. -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers