From e974f1c2164bc677d55f98edaf99f80c0b6b89d9 Mon Sep 17 00:00:00 2001 From: Jacob Champion Date: Tue, 29 Apr 2025 13:08:55 -0700 Subject: [PATCH] oauth: Classify oauth_client_secret as a password Tell UIs to hide the value of oauth_client_secret, like the other passwords. Due to the previous commit, this does not affect postgres_fdw and dblink, but add a comment to try to warn others of the hazard in the future. Reported-by: Noah Misch Reviewed-by: Noah Misch Discussion: https://postgr.es/m/20250415191435.55.nmisch%40google.com --- src/interfaces/libpq/fe-connect.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index bd51e6115cf..430c0fa4442 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -158,6 +158,12 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options, * "*" Password field - hide value * "D" Debug option - don't show by default * + * NB: Server-side clients -- dblink, postgres_fdw, libpqrcv -- use dispchar to + * determine which options to expose to end users, and how. Changing dispchar + * has compatibility and security implications for those clients. For example, + * postgres_fdw will attach a "*" option to USER MAPPING instead of the default + * SERVER, and it disallows setting "D" options entirely. + * * PQconninfoOptions[] is a constant static array that we use to initialize * a dynamically allocated working copy. All the "val" fields in * PQconninfoOptions[] *must* be NULL. In a working copy, non-null "val" @@ -394,7 +400,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = { offsetof(struct pg_conn, oauth_client_id)}, {"oauth_client_secret", NULL, NULL, NULL, - "OAuth-Client-Secret", "", 40, + "OAuth-Client-Secret", "*", 40, offsetof(struct pg_conn, oauth_client_secret)}, {"oauth_scope", NULL, NULL, NULL, -- 2.30.2