On Wed, Feb 27, 2019 at 6:03 PM Joe Conway <mail@joeconway.com> wrote:
> Patch for discussion attached.
So... you're just going to replace ALL error messages of any kind with
"ERROR: missing error text" when this option is enabled? That sounds
unusable. I mean if I'm reading it right this would get not only
messages from SQL-callable functions but also things like "deadlock
detected" and "could not read block %u in file %s" and "database is
not accepting commands to avoid wraparound data loss in database with
OID %u". You can't even shut it off conveniently, because the way
you've designed it it has to be PGC_POSTMASTER to avoid TOCTTOU
vulnerabilities. Maybe I'm misreading the patch?
I don't think it would be crazy to have a mode where we try to redact
the particular error messages that might leak information, but I think
we'd need to make it only those. A wild idea might be to let
proleakproof take on three values: yes, no, and maybe. When 'maybe'
functions are involved, we tell them whether or not the current query
involves any security barriers, and if so they self-censor.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company