From 0fdbe4022bdbc5a63f020052e2cc98a52b271fa2 Mon Sep 17 00:00:00 2001
From: Zsolt Parragi
Date: Tue, 7 Apr 2026 17:48:12 +0000
Subject: [PATCH] libpq-oauth: Warn when PGOAUTHDEBUG trace may expose secrets

When PGOAUTHDEBUG=UNSAFE is set, libcurl's verbose output is printed to stderr. This trace includes the full HTTP request and response traffic, which can contain bearer tokens, client secrets, and other sensitive material. A user who enables PGOAUTHDEBUG to troubleshoot a connection problem may not realize that the output is unsafe to share publicly, especially in bug reports or mailing list posts. Add two bracketing warnings to make this explicit: 1. At the start of the OAuth flow, immediately after checking the debug flag, print a notice that trace logging is active and will include secrets. 2. At the end of the flow (success or failure), print a reminder that the preceding trace output may contain secrets and should not be shared with third parties. Together these ensure the sensitive trace output is clearly delimited by warnings, regardless of how much or how little output curl produces in between.
---
 src/interfaces/libpq-oauth/oauth-curl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index 64b5306372a..905c26a014a 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -2796,6 +2796,10 @@ pg_fe_run_oauth_flow_impl(PGconn *conn)
 	/* Should we enable unsafe features? */
 	actx->debugging = oauth_unsafe_debugging_enabled();
 
+	if (actx->debugging)
+		fprintf(stderr,
+				libpq_gettext("WARNING: PGOAUTHDEBUG trace is enabled. HTTP traffic (including secrets) will be logged.\n"));
+
 	state->async_ctx = actx;
 	initPQExpBuffer(&actx->work_data);
 
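Review bot: The added `fprintf(stderr, libpq_gettext(...))` hands a translated catalog string to fprintf as its format with no conversion arguments, so a stray `%` introduced by a translator would be parsed as a conversion specifier and read garbage from the stack; the second hunk in pg_fe_run_oauth_flow has the same shape. Writing it as `fputs(libpq_gettext("WARNING: PGOAUTHDEBUG trace is enabled. HTTP traffic (including secrets) will be logged.\n"), stderr);` (or `fprintf(stderr, "%s", libpq_gettext(...))`) prints the same text without treating it as a format. If libpq_gettext is declared with a format_arg attribute, as libpq's wrapper usually is, -Wformat-security will not flag this call, which is why the defensive form is worth adopting here rather than relying on the compiler. pg_fe_run_oauth_flow_impl's body starts and ends outside the hunk.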
@@ -3082,6 +3086,11 @@ pg_fe_run_oauth_flow(PGconn *conn)
 				actx->dbg_num_calls);
 	}
 
+	if (actx && actx->debugging
+		&& (result == PGRES_POLLING_OK || result == PGRES_POLLING_FAILED))
+		fprintf(stderr,
+				libpq_gettext("WARNING: PGOAUTHDEBUG trace output above may contain secrets. Do not share with third parties.\n"));
+
 #ifndef WIN32
 	if (masked)
 	{
-- 
2.43.0
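Review bot: The new closing-warning `if` carries no comment explaining why it is gated on PGRES_POLLING_OK and PGRES_POLLING_FAILED, which is the non-obvious part of the hunk: pg_fe_run_oauth_flow is presumably re-entered on every poll of the connection, and the result check is what limits the reminder to a single print when the flow reaches a terminal state. A comment above the condition, e.g. `/* This function is polled repeatedly; print the closing warning once, when the flow ends. */`, would make that intent explicit and keep a future edit from dropping the gate. The `actx &&` guard is the only hint that actx can be NULL at this point; if that is an expected exit path, naming it in the same comment would help. pg_fe_run_oauth_flow's body starts and ends outside the hunk.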