#30370: Add support for postgresql client certificates and key to dbshell.
-------------------------------------+-------------------------------------
     Reporter:  Oleh Mykytyuk        |                    Owner:  Oleh
                                     |  Mykytyuk
         Type:  New feature          |                   Status:  closed
    Component:  Database layer       |                  Version:  master
  (models, ORM)                      |
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  dbshell postgresql   |             Triage Stage:  Ready for
  certificate                        |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * type:  Bug => New feature


Comment:

 That's not a bug, it's a new feature. I don't see a security issue in this
 behavior. `dbshell` is a utility tool and passwords, keys, etc. will
 travel in clear text only if your database allows non-ssl connections.
 It's also [https://docs.djangoproject.com/en/3.0/ref/django-admin/#dbshell
 documented] that ''not all options set in the `OPTIONS` part of your
 database configuration in `DATABASES` are passed to the command-line
 client''.

 > As it stands, users connecting to a Postgres server with the CLI (psql),
 if configured properly, will connect verifiably using TLS, giving the
 impression that the setup is correct and the connection is secured. However,
 this is a false impression as even if the configuration is perfect, ....

 `dbshell` uses a subprocess with
 [https://github.com/django/django/blob/7d8df4ad032c6241776c2b3ec6c76af9dd84fda3/django/db/backends/postgresql/client.py#L34
 a copy of the current environment], so if you set `PGSSLMODE`,
 `PGSSLROOTCERT`, etc. in your current environment you will connect using
 TLS even without this change.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30370#comment:13>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
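
An added example, not code from the ticket or from Django: it shows a child process inheriting `PGSSL*` variables from a copied parent environment, as the comment describes, and TLS keys from `OPTIONS` being overlaid onto that copy, as the ticket requests. The function names, the sample paths and the use of a Python child as a stand-in for `psql` are assumptions.

```python
import json
import os
import subprocess
import sys

# Django OPTIONS keys and the libpq environment variables psql reads.
SSL_OPTION_TO_ENV = {
    "sslmode": "PGSSLMODE",
    "sslrootcert": "PGSSLROOTCERT",
    "sslcert": "PGSSLCERT",
    "sslkey": "PGSSLKEY",
}
VERIFYING_MODES = {"verify-ca", "verify-full"}


def build_client_env(options, base_env=None):
    """Copy the parent environment, then overlay TLS settings from OPTIONS."""
    env = dict(os.environ if base_env is None else base_env)
    for option, var in SSL_OPTION_TO_ENV.items():
        if options.get(option):
            env[var] = str(options[option])
    return env


def verifies_server(env):
    """True only if the child would validate the server certificate.

    With PGSSLMODE unset, libpq defaults to sslmode=prefer, which
    encrypts opportunistically and verifies nothing.
    """
    return env.get("PGSSLMODE", "prefer") in VERIFYING_MODES


def child_sees(env):
    """Spawn a child (stand-in for psql) and return the PGSSL* values it got."""
    code = ("import json, os; print(json.dumps("
            "{k: v for k, v in os.environ.items() if k.startswith('PGSSL')}))")
    done = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    # Constructed sample values; the paths are placeholders.
    shell_env = {**os.environ, "PGSSLMODE": "verify-full"}
    options = {"sslrootcert": "/path/to/ca.crt", "sslcert": "/path/to/client.crt"}
    env = build_client_env(options, base_env=shell_env)
    print(child_sees(env), verifies_server(env))
```

Running `verifies_server()` on the environment before launching the client shows whether the session would fall back to an unverified mode.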
