On Thu, Jun 20, 2019 at 05:22:20PM +0200, Shay Rojansky wrote: > It seems generally agreed that all data from the database should be > considered potentially sensitive and should therefore not be leaked in log > messages - unless an explicit, informed opt-in is done. It is extremely > easy to imagine a (poorly-written) UI or web application which simply > surfaces database exceptions, allowing attackers to potentially extract > data from the database. In the worst case, passwords and other auth > information may get exposed in this way, but even any sort of personal > information is a big problem. > > It seems worth at least having a conversation about it... Sure, but we are currently exploring whether the database reflects any values that it had not been given by the same user beforehand. There might be another scenario: user enters value for column 1 app adds in secret-to-the-user value for column 2 UPDATE fails error message reflects val 1 and secret val 2 app displays both values user knows secret value 2 but I don't see how PostgreSQL can do anything *reasonable* about that short of sitting tight-and-mum and not reflect much of *anything* beyond "error". And even that can be a side channel. Karsten -- GPG 40BE 5B0E C98E 1713 AFA6 5BC0 3BEA AC80 7D4F C89B