On Sat, Feb 18, 2017 at 11:57 PM, Petr Jelinek <petr.jeli...@2ndquadrant.com> wrote:
> On 15/02/17 05:56, Michael Paquier wrote:
>> I thought that this was correctly clobbered... But... No that's not
>> the case by looking at the code. And honestly I think that it is
>> unacceptable to show potentially security-sensitive information in
>> system catalogs via a connection string. We are really careful about
>> not showing anything bad in pg_stat_wal_receiver, which also sets to
>> NULL fields for non-superusers and even clobbered values in the
>> printed connection string for superusers, but pg_subscription fails on
>> those points.
>>
>
> I am not following here, pg_subscription is currently superuser only
> catalog, similarly to pg_user_mapping, there is no leaking.
Even if it is a superuser-only view, pg_subscription does not hide sensitive values in connection strings while it should. See the similar discussion for pg_stat_wal_receiver here, which is also superuser-only (it does display null values for non-superusers):
https://www.postgresql.org/message-id/562f6c7f-6a47-0a8a-e189-2de9ea896...@2ndquadrant.com

Something needs to be done at least for that, independently of the psql completion.
--
Michael

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
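The clobbering behaviour the message asks for, as an added example written for this thread (it is not PostgreSQL source and not what pg_stat_wal_receiver or pg_subscription actually run): a function that copies a libpq-style `key=value` connection string and replaces the value of every sensitive keyword with `********` before it is ever shown in a catalog or log. It assumes the keyword/value form only (no postgresql:// URIs), the libpq quoting rules (single quotes, backslash escapes), and a single hard-coded sensitive keyword, `password`; `redact_conninfo` and `is_sensitive` are names chosen here.

```c
#include <ctype.h>
#include <string.h>

/* libpq marks options that must not be displayed itself (the password
 * option has dispchar "*"); this standalone check only knows "password". */
static int is_sensitive(const char *key, size_t len)
{
    return len == 8 && strncmp(key, "password", 8) == 0;
}

/* Append one char to out; give up if it would not fit (last byte is the NUL). */
#define OUT_PUT(c) do { if (o + 1 >= outsz) return NULL; out[o++] = (c); } while (0)
/* Copy "key=value key2='quoted \' value'" into out with sensitive values
 * replaced by "********".  Returns out, or NULL if malformed or too long. */
char *redact_conninfo(const char *conninfo, char *out, size_t outsz)
{
    const char *p = conninfo;
    size_t o = 0;
    while (*p) {
        while (*p && isspace((unsigned char) *p)) OUT_PUT(*p++);
        if (!*p) break;
        const char *key = p;                          /* keyword up to '=' */
        while (*p && *p != '=' && !isspace((unsigned char) *p)) p++;
        size_t klen = (size_t) (p - key);
        while (isspace((unsigned char) *p)) p++;
        if (*p != '=' || klen == 0) return NULL;      /* malformed option */
        for (p++; isspace((unsigned char) *p); p++) {}
        const char *val = p;                          /* quoted or bare value */
        if (*p == '\'') {
            for (p++; *p && *p != '\''; p++)
                if (*p == '\\' && p[1]) p++;          /* skip escaped char */
            if (*p != '\'') return NULL;              /* unterminated quote */
            p++;
        } else {
            for (; *p && !isspace((unsigned char) *p); p++)
                if (*p == '\\' && p[1]) p++;
        }
        size_t vlen = (size_t) (p - val);
        for (size_t i = 0; i < klen; i++) OUT_PUT(key[i]);
        OUT_PUT('=');
        if (is_sensitive(key, klen)) {                /* never copy the secret */
            for (const char *m = "********"; *m; m++) OUT_PUT(*m);
        } else {
            for (size_t i = 0; i < vlen; i++) OUT_PUT(val[i]);
        }
    }
    out[o] = '\0';
    return out;
}
```

A catalog view or log writer would call this on the stored string before output, so the clobbered form is what superusers see and the raw secret never leaves the server-side copy.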