Re: Add explicit warnings about unsafe OAuth trace output for libpq
Zsolt Parragi <zsolt.parragi@percona.com>
From: Zsolt Parragi <zsolt.parragi@percona.com>
To: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>, Jacob Champion <jacob.champion@enterprisedb.com>
Date: 2026-06-13T19:34:57Z
Lists: pgsql-hackers
Attachments
- rel18-0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.nocfbot.patch (application/octet-stream) patch 0001
- 0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patch (application/octet-stream) patch 0001
Hello I have re-attached the same patches with simplified commit messages, and I also marked the PG18 version with nocfbot so the master version can apply correctly. On Tue, Apr 7, 2026 at 7:28 PM Zsolt Parragi <zsolt.parragi@percona.com> wrote: > > Hello > > This is based on earlier messages in the thread about OAUTHDEBUG splitting[1]: > > >> With the same logic, shouldn't we print a very visible warning when > >> somebody enables trace? Since it's a long output, maybe to both the > >> beginning and end of the flow? > > > > I'm more than happy to strengthen this as well, but let's kick that > > out to its own thread, especially if pieces are backpatchable. > > The documentation already mentions that this option is unsafe because > it prints out the HTTP traffic as-is, including secrets, but the > output itself lacks a warning about it. > > Because the output is long, users might not notice that copy-pasting > it or saving it to disk will share sensitive information. To increase > visibility, this patch adds a warning to both the beginning and the > end of the output. > > I also attached a version for 18, since this seems to be a useful > change to backport. With the recent changes this is slightly different > on 19. > > [1]: https://www.postgresql.org/message-id/CAOYmi%2Bkfw76zPa-tZPNs4KjxwthGLkQfpGyoKzMMy8_oNJz4DQ%40mail.gmail.com