Home > mailing lists

Re: pg_stat_statements: password in command is not obfuscated - Mailing list pgsql-general

From	David Rowley
Subject	Re: pg_stat_statements: password in command is not obfuscated
Date	March 24, 2018 05:17:30
Msg-id	CAKJS1f95_peGgpUgeG6nJ7Y4KzhcG07jdbwfM_8D4fRrCbUhmg@mail.gmail.com Whole thread Raw
In response to	pg_stat_statements: password in command is not obfuscated (legrand legrand <legrand_legrand@hotmail.com>)
Responses	Re: pg_stat_statements: password in command is not obfuscated (Michael Paquier <michael@paquier.xyz>)
List	pgsql-general

Tree view

On 24 March 2018 at 10:30, legrand legrand <legrand_legrand@hotmail.com> wrote:
> It seems that passwords used in commands are not removed when caught by
> pg_stat_statements
> (they are not "normalized" being utility statements)
>
> exemple:
> alter role tt with password '123';
>
> select query from public.pg_stat_statements
> where query like '%password%';
>
> query
> ----------------------------------------
> alter role tt with password '123';
>
> Do you think its a bug ?

If it is, then it's not a bug in pg_stat_statements. log_statement =
'ddl' would have kept a record of the same thing.

Perhaps the best fix would be a documentation improvement to mention
the fact and that it's best not to use plain text passwords in
CREATE/ALTER ROLE. Passwords can be md5 encrypted.

-- 
 David Rowley                   http://www.2ndQuadrant.com/
 PostgreSQL Development, 24x7 Support, Training & Services

pgsql-general by date:

From: Tom Lane
Date: 24 March 2018, 04:22:58
Subject: Re: FDW Foreign Table Access: strange LOG message

From: HORDER Phil
Date: 24 March 2018, 14:53:02
Subject: RE: primary key and unique index

Re: pg_stat_statements: password in command is not obfuscated - Mailing list pgsql-general

Previous

Next