Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text

From Robert Haas
Subject Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text
Date
Msg-id AANLkTi=q0NrJS4w3k+2BVTDbgWfrB+g+8AVYE+OzQRU3@mail.gmail.com
In response to Re: BUG #5938: PostgreSQL Installer outputs log file with superuser password in clear text  (Simon Riggs <simon@2ndQuadrant.com>)
List pgsql-bugs
On Tue, Mar 22, 2011 at 12:33 PM, Simon Riggs <simon@2ndquadrant.com> wrote:
>>> This has been fixed for the next releases.
>>
>> For the sake of the archives, it should also be noted that the file is in a
>> secure directory, much as a .pgpass file would be, so this is generally only
>> an issue for the situation described above, and not when a user installs a
>> copy himself.
>
> I accept it's not a worst-case problem, but we should rate the problem
> A-D as with other security issues.
> All cases should get a rating so we know what we're dealing with.
>
> The problem is that the password is disclosed in a surprising way.
> .pgpass files are explicitly put there by a user, so they know what
> they've done.
>
> Putting a password in cleartext somewhere is an issue if people don't
> know about it.

I agree completely.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
