On Wed, Feb 15, 2017 at 3:18 AM, Jim Nasby <Jim.Nasby@bluetreble.com> wrote:
> Why not do what we do for pg_stat_activity.current_query and leave it NULL for non-SU?
If subcriptions are designed to be superuser-only, it seems fair to me
to do so. Some other system SRFs do that already.
> Even better would be if we could simply strip out password info. Presumably
> we already know how to parse the contents, so I'd think that shouldn't be
> that difficult.
I thought that this was correctly clobbered... But... No that's not
the case by looking at the code. And honestly I think that it is
unacceptable to show potentially security-sensitive information in
system catalogs via a connection string. We are really careful about
not showing anything bad in pg_stat_wal_receiver, which also sets to
NULL fields for non-superusers and even clobbered values in the
printed connection string for superusers, but pg_subscription fails on
those points.
I am adding an open item on the wiki regarding that. FWIW, a patch
needs to refactor libpqrcv_check_conninfo and libpqrcv_get_conninfo so
as the connection string build of PQconninfoOption data goes through
the same process. If everybody agrees on those lines, I have no
problems in producing a patch.
--
Michael