Re: BUG #14600: Passwords in user mappings leaked by psql \deu+ command
Noah Misch <noah@leadboat.com>
From: Noah Misch <noah@leadboat.com>
To: Feike Steenbergen <feikesteenbergen@gmail.com>
Cc: andrew.wheelwright@familysearch.org, PostgreSQL mailing lists <pgsql-bugs@postgresql.org>
Date: 2017-04-08T19:34:07Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Revise the permission checking on user mapping DDL commands.
- 93a6be63a55a 8.4.0 cited
On Wed, Mar 29, 2017 at 04:54:03PM +0200, Feike Steenbergen wrote: > > If a standard user logs into Alice using command line client, psql, and > runs > > the command \deu+, the password for both the standard_user and the > > power_user will be visible in the displayed user mapping. > > \deu+ queries pg_catalog.pg_user_mappings, which itself is a view on top of > pg_user_mapping. Thanks for the report; the next back-branch releases will contain a fix.