LISTEN/NOTIFY Security and the docs - Mailing list pgsql-hackers

From Chander Ganesan
Subject LISTEN/NOTIFY Security and the docs
Date
Msg-id 4FB665D5.5050102@otg-nc.com
Responses Re: LISTEN/NOTIFY Security and the docs
List pgsql-hackers
Hi All,

I just realized that anyone can listen for notifications (using listen) 
so long as they know the "channel" name.  This means that a user could 
receive and view the payload for another user.

Perhaps it would be good to note this in the documentation (i.e., there 
should be no expectation of privacy/security when using listen/notify, 
so any user that can connect to a database could issue and receive 
notifications for any channel.)

thanks

-- 
Chander Ganesan
Open Technology Group, Inc.
11010 Lake Grove Blvd Ste. 100-307
Morrisville, NC  27560
919-463-0999/877-258-8987
http://www.otg-nc.com
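
The behaviour described in the message, together with one way to design around it, as an added example that is not part of the original message. It is a psql script meant to be run as a superuser in a scratch database; the roles, table and channel name are hypothetical. Because any role can LISTEN on any channel, the payload carries only a row id and the data itself stays behind table privileges.

```sql
-- Constructed example: role, table and channel names are hypothetical.
CREATE ROLE app_writer;
CREATE ROLE app_worker;
CREATE ROLE other_user;

CREATE TABLE jobs (id bigserial PRIMARY KEY, details text NOT NULL);
REVOKE ALL ON jobs FROM PUBLIC;
GRANT INSERT ON jobs TO app_writer;
GRANT USAGE ON SEQUENCE jobs_id_seq TO app_writer;
GRANT SELECT ON jobs TO app_worker;

-- The trigger puts only the row id on the channel, never the row contents.
CREATE FUNCTION jobs_notify() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_notify('jobs_new', NEW.id::text);
    RETURN NEW;
END;
$$;

CREATE TRIGGER jobs_notify_trg AFTER INSERT ON jobs
    FOR EACH ROW EXECUTE PROCEDURE jobs_notify();

-- A role with no privileges on jobs can still subscribe: LISTEN has no
-- permission check, and there is no GRANT for channels.
SET ROLE other_user;
LISTEN jobs_new;
RESET ROLE;

-- The writer inserts a row; the notification is sent at commit.
SET ROLE app_writer;
INSERT INTO jobs (details) VALUES ('constructed sample value');
RESET ROLE;

-- psql reports the notification after the next command. Its payload is
-- only the id. Any role can also NOTIFY on this channel, so a consumer
-- should treat the payload as an untrusted hint and look the row up.
SET ROLE app_worker;
SELECT details FROM jobs WHERE id = '1'::bigint;   -- allowed by GRANT SELECT
RESET ROLE;

-- The unprivileged listener learned that row 1 exists, nothing more:
SET ROLE other_user;
SELECT details FROM jobs WHERE id = 1;   -- fails with a permission-denied error
RESET ROLE;
```

The channel name and the timing of inserts remain visible to every connected role, so this pattern protects the row contents only.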


