Home > mailing lists

Re: [patch] fix dblink security hole - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: [patch] fix dblink security hole
Date	September 22, 2008 03:25:22
Msg-id	26668.1222053916@sss.pgh.pa.us Whole thread Raw
In response to	Re: [patch] fix dblink security hole (Joe Conway <mail@joeconway.com>)
Responses	Re: [patch] fix dblink security hole (Joe Conway <mail@joeconway.com>)
List	pgsql-hackers

Tree view

Joe Conway <mail@joeconway.com> writes:
> New patch attached.

erm ... wait a minute.  This approach doesn't actually solve the problem
at all, because conninfo_parse is responsible for filling in various
sorts of default values.  In particular it would happily pull a password
from the services file or the PGPASSWORD environment variable, and
looking at the array after the fact doesn't tell whether that happened.

Refactoring doesn't seem like an easy way to fix this, because of the
problem that the behavior of pulling up defaults is part of the API
specification for PQconndefaults().

Thoughts?
        regards, tom lane

pgsql-hackers by date:

From: Tom Lane
Date: 22 September 2008, 02:41:59
Subject: Re: [patch] fix dblink security hole

From: Joe Conway
Date: 22 September 2008, 03:40:07
Subject: Re: [patch] fix dblink security hole

Re: [patch] fix dblink security hole - Mailing list pgsql-hackers

Previous

Next