From: Jacob Champion Date: Tue, 29 Apr 2025 20:08:55 +0000 (-0700) Subject: oauth: Classify oauth_client_secret as a password X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=e974f1c2164;p=postgresql.git oauth: Classify oauth_client_secret as a password Tell UIs to hide the value of oauth_client_secret, like the other passwords. Due to the previous commit, this does not affect postgres_fdw and dblink, but add a comment to try to warn others of the hazard in the future. Reported-by: Noah Misch Reviewed-by: Noah Misch Discussion: https://postgr.es/m/20250415191435.55.nmisch%40google.com --- diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index bd51e6115cf..430c0fa4442 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -158,6 +158,12 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options, * "*" Password field - hide value * "D" Debug option - don't show by default * + * NB: Server-side clients -- dblink, postgres_fdw, libpqrcv -- use dispchar to + * determine which options to expose to end users, and how. Changing dispchar + * has compatibility and security implications for those clients. For example, + * postgres_fdw will attach a "*" option to USER MAPPING instead of the default + * SERVER, and it disallows setting "D" options entirely. + * * PQconninfoOptions[] is a constant static array that we use to initialize * a dynamically allocated working copy. All the "val" fields in * PQconninfoOptions[] *must* be NULL. In a working copy, non-null "val" @@ -394,7 +400,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = { offsetof(struct pg_conn, oauth_client_id)}, {"oauth_client_secret", NULL, NULL, NULL, - "OAuth-Client-Secret", "", 40, + "OAuth-Client-Secret", "*", 40, offsetof(struct pg_conn, oauth_client_secret)}, {"oauth_scope", NULL, NULL, NULL,