Re: [patch] fix dblink security hole

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Marko Kreen <markokr(at)gmail(dot)com>, Postgres Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [patch] fix dblink security hole
Date: 2008-09-22 02:41:46
Message-ID: 23954.1222051306@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Joe Conway <mail(at)joeconway(dot)com> writes:
> New patch attached.

This is close, but you're failing to guard against a few out-of-memory
corner cases (and now that I look, PQconndefaults() is too). The libpq
documentation needs more work than this, too.

I'll make a cleanup pass and commit.

BTW, I'm quite tempted to get rid of pgpass_from_client and simplify the
specification of PQconnectionUsedPassword to be "did the server request
a password?". Thoughts?

regards, tom lane

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2008-09-22 03:25:16 Re: [patch] fix dblink security hole
Previous Message Stephen Frost 2008-09-22 02:41:29 Re: Proposal: move column defaults into pg_attribute along with attacl