On Tue, Jun 21, 2016 at 12:06 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Peter Eisentraut <peter.eisentr...@2ndquadrant.com> writes: >> On 6/20/16 10:29 PM, Tom Lane wrote: >>> What I would want to know is whether this specific change is actually a >>> good idea. In particular, I'm concerned about the possible security >>> implications of exposing primary_conninfo --- might it not contain a >>> password, for example? > >> That would have been my objection. This was also mentioned in the >> context of moving recovery.conf settings to postgresql.conf, because >> then the password would become visible in SHOW commands and the like. > >> Alternatively or additionally, implement a way to strip passwords out of >> conninfo information. libpq already has information about which >> connection items are sensitive. > > Yeah, I'd been wondering whether we could parse the conninfo string into > individual fields and then drop the password field. It's hard to see a > reason why this view needs to show passwords, since presumably everything > in it corresponds to successful connections --- if your password is wrong, > you aren't in it.
walreceiver.c does not have a direct dependency to libpq yet, everything does through libpqwalreceiver. So a correct move would be to unplug the low-level routines of PQconninfoParse into something in src/common/, where both the backend and frontend could use it. And then we use it to rebuild a connection string. Thoughts? -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
