On 2/28/19 9:12 AM, Robert Haas wrote:
> On Wed, Feb 27, 2019 at 6:03 PM Joe Conway <m...@joeconway.com> wrote:
>> Patch for discussion attached.
>
> So... you're just going to replace ALL error messages of any kind with
> "ERROR: missing error text" when this option is enabled? That sounds
> unusable. I mean if I'm reading it right this would get not only
> messages from SQL-callable functions but also things like "deadlock
> detected" and "could not read block %u in file %s" and "database is
> not accepting commands to avoid wraparound data loss in database with
> OID %u". You can't even shut it off conveniently, because the way
> you've designed it it has to be PGC_POSTMASTER to avoid TOCTTOU
> vulnerabilities. Maybe I'm misreading the patch?
You have it correct. I completely disagree that it is unusable though. The way I envision this is that you enable force_leakproof on your development machine without suppress_client_messages being turned on. Do your debugging there. On production, both are turned on. You still get full unredacted messages in your pg log. The client on a prod system does not need these details. If you *really* need to, you can restart to turn it on for a short while on prod, but hopefully you have a non-prod system where you reproduce issues for debugging anyway.

I am not married to making this only changeable via restart though -- that's why I posted the patch for discussion. Perhaps a superuserset would be better so debugging could be done on one session only on the prod machine.

> I don't think it would be crazy to have a mode where we try to redact
> the particular error messages that might leak information, but I think
> we'd need to make it only those. A wild idea might be to let
> proleakproof take on three values: yes, no, and maybe. When 'maybe'
> functions are involved, we tell them whether or not the current query
> involves any security barriers, and if so they self-censor.

Again, I disagree. See above -- you have all you need in the server logs.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
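As an added illustration (not part of the patch under discussion or of either poster's message), the following SQL shows the channel the thread is arguing about: a non-leakproof predicate whose error text echoes its argument, run against rows the caller is not allowed to see. The table, role and function names (accounts, alice, leaky) are made up for this example, and the COST setting is only there to make the planner evaluate the chatty predicate before the ownership filter. Without force_leakproof, the security_barrier view already keeps such quals above the barrier; the point of the patch is what happens to the same message once every function is treated as leakproof.

```sql
-- Added example, not from the patch or the thread. Run the setup as a
-- superuser, then switch to the unprivileged role.
CREATE TABLE accounts (id int, owner text, note text);
INSERT INTO accounts VALUES
  (1, 'alice', 'alice-visible'),
  (2, 'bob',   'bob-secret');          -- constructed row alice must not see

CREATE ROLE alice;

-- A deliberately chatty predicate: it is NOT marked LEAKPROOF, and its
-- error text echoes the value it was handed. The tiny COST makes the
-- planner schedule it before the cheap owner filter when both quals end
-- up on the same scan.
CREATE FUNCTION leaky(t text) RETURNS boolean
LANGUAGE plpgsql COST 0.0000001 AS $$
BEGIN
  IF t LIKE '%secret%' THEN
    RAISE EXCEPTION 'leaky() saw: %', t;
  END IF;
  RETURN true;
END
$$;

-- Plain view: the view is inlined, so leaky(note) can run on bob's row
-- before the owner filter removes it, and the error message carries the
-- hidden note to the client.
CREATE VIEW my_accounts AS
  SELECT id, note FROM accounts WHERE owner = current_user;

-- security_barrier view: non-leakproof quals such as leaky(note) stay
-- above the barrier, so bob's row is filtered out before leaky() sees it.
CREATE VIEW my_accounts_sb WITH (security_barrier) AS
  SELECT id, note FROM accounts WHERE owner = current_user;

GRANT SELECT ON my_accounts, my_accounts_sb TO alice;

SET ROLE alice;
-- Leaks through the error text (fails with the hidden value in the message):
SELECT * FROM my_accounts WHERE leaky(note);
-- Does not leak (returns only alice's own row):
SELECT * FROM my_accounts_sb WHERE leaky(note);
RESET ROLE;
```

The first SELECT is the shape of message Robert's quoted reply worries about when force_leakproof lets such a function be pushed below the barrier; the second shows the protection that marking-as-leakproof removes. Under the proposed suppress_client_messages the client would get the generic text in both cases while the server log keeps the full message, which is the trade-off Joe describes above.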