Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command

Noah Misch <noah@leadboat.com>

From: Noah Misch <noah@leadboat.com>
To: Feike Steenbergen <feikesteenbergen@gmail.com>
Cc: andrew.wheelwright@familysearch.org, PostgreSQL mailing lists <pgsql-bugs@postgresql.org>
Date: 2017-04-08T19:34:07Z
Lists: pgsql-bugs

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Revise the permission checking on user mapping DDL commands.

On Wed, Mar 29, 2017 at 04:54:03PM +0200, Feike Steenbergen wrote:
> > If a standard user logs into Alice using command line client, psql, and
> runs
> > the command \deu+, the password for both the standard_user and the
> > power_user will be visible in the displayed user mapping.
> 
> \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of
> pg_user_mapping.

Thanks for the report; the next back-branch releases will contain a fix.