rel18-0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patch

application/octet-stream

Filename: rel18-0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patch
Type: application/octet-stream
Part: 0
Message: Add explicit warnings about unsafe OAuth trace output for libpq

Patch

Same data as JSON: GET /api/v1/attachments/:id/patch the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes. API reference →
Format: format-patch
Series: patch 0001
Subject: libpq-oauth: Warn when PGOAUTHDEBUG trace may expose secrets
File+
src/interfaces/libpq-oauth/oauth-curl.c 9 0
From 0fdbe4022bdbc5a63f020052e2cc98a52b271fa2 Mon Sep 17 00:00:00 2001
From: Zsolt Parragi <zsolt.parragi@percona.com>
Date: Tue, 7 Apr 2026 17:48:12 +0000
Subject: [PATCH] libpq-oauth: Warn when PGOAUTHDEBUG trace may expose secrets

When PGOAUTHDEBUG=UNSAFE is set, libcurl's verbose output is printed
to stderr. This trace includes the full HTTP request and response
traffic, which can contain bearer tokens, client secrets, and other
sensitive material.

A user who enables PGOAUTHDEBUG to troubleshoot a connection problem
may not realize that the output is unsafe to share publicly, especially
in bug reports or mailing list posts. Add two bracketing warnings to
make this explicit:

  1. At the start of the OAuth flow, immediately after checking the
     debug flag, print a notice that trace logging is active and will
     include secrets.

  2. At the end of the flow (success or failure), print a reminder
     that the preceding trace output may contain secrets and should
     not be shared with third parties.

Together these ensure the sensitive trace output is clearly delimited
by warnings, regardless of how much or how little output curl produces
in between.
---
 src/interfaces/libpq-oauth/oauth-curl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/interfaces/libpq-oauth/oauth-curl.c b/src/interfaces/libpq-oauth/oauth-curl.c
index 64b5306372a..905c26a014a 100644
--- a/src/interfaces/libpq-oauth/oauth-curl.c
+++ b/src/interfaces/libpq-oauth/oauth-curl.c
@@ -2796,6 +2796,10 @@ pg_fe_run_oauth_flow_impl(PGconn *conn)
 		/* Should we enable unsafe features? */
 		actx->debugging = oauth_unsafe_debugging_enabled();
 
+		if (actx->debugging)
+			fprintf(stderr,
+					libpq_gettext("WARNING: PGOAUTHDEBUG trace is enabled. HTTP traffic (including secrets) will be logged.\n"));
+
 		state->async_ctx = actx;
 
 		initPQExpBuffer(&actx->work_data);
@@ -3082,6 +3086,11 @@ pg_fe_run_oauth_flow(PGconn *conn)
 					actx->dbg_num_calls);
 	}
 
+	if (actx && actx->debugging
+		&& (result == PGRES_POLLING_OK || result == PGRES_POLLING_FAILED))
+		fprintf(stderr,
+				libpq_gettext("WARNING: PGOAUTHDEBUG trace output above may contain secrets. Do not share with third parties.\n"));
+
 #ifndef WIN32
 	if (masked)
 	{
-- 
2.43.0