Add explicit warnings about unsafe OAuth trace output for libpq
Hello
This is based on earlier messages in the thread about OAUTHDEBUG splitting[1]/messages/by-id/CAOYmi+kfw76zPa-tZPNs4KjxwthGLkQfpGyoKzMMy8_oNJz4DQ@mail.gmail.com:
With the same logic, shouldn't we print a very visible warning when
somebody enables trace? Since it's a long output, maybe to both the
beginning and end of the flow?I'm more than happy to strengthen this as well, but let's kick that
out to its own thread, especially if pieces are backpatchable.
The documentation already mentions that this option is unsafe because
it prints out the HTTP traffic as-is, including secrets, but the
output itself lacks a warning about it.
Because the output is long, users might not notice that copy-pasting
it or saving it to disk will share sensitive information. To increase
visibility, this patch adds a warning to both the beginning and the
end of the output.
I also attached a version for 18, since this seems to be a useful
change to backport. With the recent changes this is slightly different
on 19.
[1]: /messages/by-id/CAOYmi+kfw76zPa-tZPNs4KjxwthGLkQfpGyoKzMMy8_oNJz4DQ@mail.gmail.com
Attachments:
rel18-0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patchapplication/octet-stream; name=rel18-0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patchDownload+9-1
0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patchapplication/octet-stream; name=0001-libpq-oauth-Warn-when-PGOAUTHDEBUG-trace-may-expose-.patchDownload+9-1
Hello
I have re-attached the same patches with simplified commit messages,
and I also marked the PG18 version with nocfbot so the master version
can apply correctly.
Show quoted text
On Tue, Apr 7, 2026 at 7:28 PM Zsolt Parragi <zsolt.parragi@percona.com> wrote:
Hello
This is based on earlier messages in the thread about OAUTHDEBUG splitting[1]:
With the same logic, shouldn't we print a very visible warning when
somebody enables trace? Since it's a long output, maybe to both the
beginning and end of the flow?I'm more than happy to strengthen this as well, but let's kick that
out to its own thread, especially if pieces are backpatchable.The documentation already mentions that this option is unsafe because
it prints out the HTTP traffic as-is, including secrets, but the
output itself lacks a warning about it.Because the output is long, users might not notice that copy-pasting
it or saving it to disk will share sensitive information. To increase
visibility, this patch adds a warning to both the beginning and the
end of the output.I also attached a version for 18, since this seems to be a useful
change to backport. With the recent changes this is slightly different
on 19.[1]: /messages/by-id/CAOYmi+kfw76zPa-tZPNs4KjxwthGLkQfpGyoKzMMy8_oNJz4DQ@mail.gmail.com