On Tue, Sep 20, 2022 at 12:09:33AM -0400, Tom Lane wrote:
> You have to assume that somebody (a) has a role or DB name starting
> with slash, (b) has an explicit reference to that name in their
> pg_hba.conf, (c) doesn't read the release notes, and (d) doesn't
> notice that things are misbehaving until after some hacker manages
> to break into their installation on the strength of the misbehaving
> entry. OK, I'll grant that the probability of (c) is depressingly
> close to unity; but each of the other steps seems quite low probability.
> All four of them happening in one installation is something I doubt
> will happen.
It is the kind of thing that could blow up as a CVE and some bad PR for the project, so I cannot get excited about enforcing this new rule in an authentication file (aka before a role is authenticated) while we are talking about 3~4 code paths (?) that would need an extra check to make sure that no instances have such object names.

> On the contrary side, if we make this work differently from the
> pg_ident.conf precedent, or install weird rules to try to prevent
> accidental misinterpretations, that could also lead to security
> problems because things don't work as someone would expect. I see
> no a-priori reason to believe that this risk is negligible compared
> to the other one.

I also very much like the idea of making things consistent across all the auth configuration files for all the fields where this can be applied.
--
Michael