Monday, September 22, 2008

Re: [HACKERS] [patch] fix dblink security hole

Tom Lane wrote:
> Joe Conway <> writes:
>> Tom Lane wrote:
>>> No, the test to see if the server actually *asked* for the password is
>>> the important part at that end.
>> Oh, I see that now. So yes, as far as I can tell, password_from_string
>> is not used for anything anymore and should be removed.
> Okay. I just committed the patch without that change, but I'll go back
> and add it.

I'm not quite sure I fully understand the consequence of this change.
Does it basically mean that it's not possible to use .pgpass with dblink
for authentication?
The alternative then would be to hardcode the password in your stored
procedures, or store it in a separate table somehow?

Tommy Gildseth

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

No comments: