BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Started by Noname, almost 12 years ago. 11 messages. List: bugs
#1 Noname
dlo@isam.kiwi

The following bug has been logged on the website:

Bug reference: 10250
Logged by: Ben Walter
Email address: dlo@isam.kiwi
PostgreSQL version: Unsupported/Unknown
Operating system: openSUSE 13.1 (Bottle) (x86_64)
Description:

When storing credentials for connections into ~/.pgpass the credentials are
stored in delimited plaintext form. Not only is this practice a security
risk, but when the credential contains the delimiter (colon) it fails to be
read back out and the app responds with "invalid credentials".

x.x.x.x:5432:*:username:password:with:colons

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

#2 Stephen Frost
sfrost@snowman.net
In reply to: Noname (#1)
Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Ben,

* dlo@isam.kiwi (dlo@isam.kiwi) wrote:

When storing credentials for connections into ~/.pgpass the credentials are
stored in delimited plaintext form. Not only is this practice a security
risk,

This isn't a bug, it's intentional, and if it goes against your security
requirements then simply don't do it. Storing it in .pgpass encrypted
would require a password to either be provided (in which case, just
don't have the password in the pgpass file..) or for the key to be
stored in plain-text somewhere, which would be the same situation.

Perhaps there is a feature request in here somewhere to have an
ssh-agent like daemon, but there simply hasn't been demand for it.

but when the credential contains the delimiter (colon) it fails to be
read back out and app responds with "invalid credentials".

x.x.x.x:5432:*:username:password:with:colons

Per the fine documentation, you need to escape any such usage with a
backslash. Please review:

http://www.postgresql.org/docs/9.3/static/libpq-pgpass.html

Thanks,

Stephen

#3 Heikki Linnakangas
heikki.linnakangas@enterprisedb.com
In reply to: Stephen Frost (#2)
Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

(forwarding to pgadmin-hackers)

On 05/07/2014 06:44 PM, Stephen Frost wrote:

* dlo@isam.kiwi (dlo@isam.kiwi) wrote:

but when the credential contains the delimiter (colon) it fails to be
read back out and app responds with "invalid credentials".

x.x.x.x:5432:*:username:password:with:colons

Per the fine documentation, you need to escape any such usage with a
backslash. Please review:

Stephen, you missed the context. pgadmin3 saves .pgpass, when you check
the "store password" checkbox in the connection dialog. And apparently
pgadmin3 doesn't do that escaping properly.

- Heikki

--
Sent via pgadmin-hackers mailing list (pgadmin-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers
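
Ben's report shows the line pgAdmin wrote, and Stephen and Heikki point at the escaping rule it skipped. As an added example (not pgAdmin's or libpq's code), the Python below builds a .pgpass entry with the backslash escaping the libpq documentation requires for ':' and '\', reads it back the way libpq does (a field ends at the first unescaped colon, which is why the unescaped password from the report comes back truncated to `password` and the login fails), and writes the file with owner-only permissions, which libpq insists on before it will read the file at all. `escape_field`, `format_entry`, `parse_entry`, `write_pgpass` and `demo` are names chosen here; the sample entry is the one from the report.

```python
"""Escaping and reading ~/.pgpass entries whose fields contain ':' or '\\'.

Added example, not code from pgAdmin or libpq. The escaping rule is the one
documented for libpq's password file: a literal ':' or '\\' inside a field
is written as '\\:' or '\\\\'. The reader mirrors libpq's rule that a field
ends at the first unescaped ':' and a backslash escapes the next character.
"""
import os
import stat
import tempfile

FIELDS = ("hostname", "port", "database", "username", "password")

# The line from the bug report, as pgAdmin wrote it without escaping
# (constructed from the report; the host is the reporter's placeholder).
REPORTED_LINE = "x.x.x.x:5432:*:username:password:with:colons"


def escape_field(value: str) -> str:
    """Backslash-escape the two characters that are special in .pgpass."""
    return value.replace("\\", "\\\\").replace(":", "\\:")


def format_entry(hostname, port, database, username, password) -> str:
    """Build one .pgpass line; every field is escaped, the step the report says pgAdmin skipped."""
    return ":".join(escape_field(str(v)) for v in (hostname, port, database, username, password))


def parse_entry(line: str) -> dict:
    """Read one .pgpass line as libpq does.

    Each field ends at the first unescaped ':' and a backslash escapes the
    next character. Once five fields have been read the rest of the line is
    ignored, so an unescaped password containing ':' is silently truncated.
    """
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < len(FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character, taken literally
            i += 2
        elif ch == ":":
            fields.append("".join(current))  # unescaped delimiter ends the field
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(FIELDS):
        fields.append("".join(current))  # last field runs to end of line
    if len(fields) < len(FIELDS):
        raise ValueError("malformed .pgpass line: expected 5 colon-separated fields")
    return dict(zip(FIELDS, fields))


def write_pgpass(path: str, entries) -> int:
    """Write entries to `path` with mode 0600 and return the resulting mode.

    libpq ignores a password file that is group- or world-accessible on Unix,
    so the permission is part of making the stored credential usable at all.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for entry in entries:
            fh.write(format_entry(*entry) + "\n")
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Show the truncation from the report and the escaped round trip through a real file."""
    truncated = parse_entry(REPORTED_LINE)["password"]
    entry = ("x.x.x.x", 5432, "*", "username", "password:with:colons")
    path = os.path.join(tempfile.mkdtemp(), "pgpass")
    mode = write_pgpass(path, [entry])
    with open(path) as fh:
        written = fh.read().rstrip("\n")
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return {
        "truncated_password": truncated,  # 'password'
        "escaped_line": written,  # x.x.x.x:5432:*:username:password\:with\:colons
        "round_trip_password": parse_entry(written)["password"],  # 'password:with:colons'
        "mode": mode,  # 0o600
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if key == 'mode' else value!r}")
```

Running the module prints the truncated password libpq would have matched against the server, the escaped line a correct writer produces, the password recovered from it, and the file mode. The same escaping applies to the username and database fields, which is why `format_entry` escapes every field rather than only the password.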

#4 Stephen Frost
sfrost@snowman.net
In reply to: Heikki Linnakangas (#3)
Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

* Heikki Linnakangas (hlinnakangas@vmware.com) wrote:

(forwarding to pgadmin-hackers)

Ah.

Stephen, you missed the context. pgadmin3 saves .pgpass, when you
check the "store password" checkbox in the connection dialog. And
apparently pgadmin3 doesn't do that escaping properly.

Wow, that's pretty rough. Hopefully they'll be able to fix it soon. :)

Thanks,

Stephen

#5 Dave Page
dpage@pgadmin.org
In reply to: Stephen Frost (#4)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Akshay, can you look into the quoting problem please.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

#6 Akshay Joshi
akshay.joshi@enterprisedb.com
In reply to: Dave Page (#5)
Re: [pgadmin-hackers] Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Sure.

--
Akshay Joshi
Principal Software Engineer

Phone: +91 20-3058-9517  Mobile: +91 976-788-8246

#7 Akshay Joshi
akshay.joshi@enterprisedb.com
In reply to: Akshay Joshi (#6)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Hi Dave

I have fixed the escaping issue and tested it. It works fine for me.
Attached is the patch file; can you please review it?
If the code looks good to you, can you please commit it?

Attachments:

Fixed_unescaped_password.patch (application/octet-stream, +67 -12)
#8 Dave Page
dpage@pgadmin.org
In reply to: Akshay Joshi (#7)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Thanks Akshay. Dhiraj, can you review please? I'm a little busy right now.

Thanks.

Attachments:

Fixed_unescaped_password.patch (application/octet-stream, +67 -12)
#9 Dhiraj Chawla
dhiraj.chawla@enterprisedb.com
In reply to: Dave Page (#8)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Sure Dave. I will review the patch and update accordingly.

regards,

Dhiraj Chawla
Senior Software Engineer
EnterpriseDB Corporation
The Enterprise PostgreSQL Company

Phone: +91-20-30589522

#10 Dhiraj Chawla
dhiraj.chawla@enterprisedb.com
In reply to: Dhiraj Chawla (#9)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Hi Akshay,

I have reviewed the patch and tested it as well on the Linux platform. The
patch looks good to me. It is working as expected.

#11 Dave Page
dpage@pgadmin.org
In reply to: Dhiraj Chawla (#10)
Re: Re: [BUGS] BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

Thanks - patch applied.
