On Mon, 17 Mar 2025 at 16:48, Jacob Champion <jacob.champ...@enterprisedb.com> wrote: > > On Sun, Mar 16, 2025 at 6:49 AM Daniel Gustafsson <dan...@yesql.se> wrote: > > IIRC the reasoning has been that if a rogue user can inject an environment > > variable into your session and read your files it's probably game over > > anyways. > > (Personally I'm no longer as convinced by this line of argument as I > once was...)
I'm not saying there's no attack possible here (although I cannot think of one), but we allow configuring every other SSL option using an env var^1. So if there is an attack possible, why would that only apply to being able to control the sslkeylogfile as opposed to e.g. sslmode or sslrootcert. ^1 except for "sslpassword", which is weird because that seems exactly like one of the options you might not want to store in a connection string for security reasons.
