On 7/31/24 16:10, Robert Haas wrote:
On Wed, Jul 31, 2024 at 2:43 PM Joe Conway <m...@joeconway.com> wrote:
I still maintain that there is a whole host of users that would accept
the risk of side channel attacks via existence of an error or not, if
they could only be sure nothing sensitive leaks directly into the logs
or to the clients. We should give them that choice.
I'm not sure what design you have in mind. A lot of possible designs
seem to end up like this:
1. You can't directly select the invisible value.
2. But you can write a plpgsql procedure that tries a bunch of things
in a loop and catches errors and uses which things error and which
things don't to figure out and return the invisible value.
And I would argue that's not really that useful. Especially if that
plpgsql procedure can extract the hidden values in like 1ms/row.
You are assuming that everyone allows direct logins with the ability to
create procedures. Plenty don't.
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
