#23658 closed New feature (fixed)
Provide the password to PostgreSQL from "dbshell" command
Reported by: | Isaac Jurado | Owned by: | nobody |
---|---|---|---|
Component: | Database layer (models, ORM) | Version: | dev |
Severity: | Normal | Keywords: | postgresql dbshell |
Cc: | Loic Bistuer | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
With the PostgreSQL Django backend, if the database configuration defines a password, it is not used by the "dbshell" command. Unlike the "mysql" command, the "psql" command accepts the password through the process environment. It would be a more uniform experience if the PostgreSQL driver behaved the same.
Also note from the attached patch that "os.execvpe()" also works on Windows, so there's no need to distinguish between the two systems.
Attachments (1)
Change History (13)
by , 10 years ago
Attachment: | dbshell.diff added |
---|
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Cc: | added |
---|---|
Easy pickings: | unset |
Needs documentation: | set |
Patch needs improvement: | set |
Triage Stage: | Unreviewed → Accepted |
UI/UX: | unset |
Version: | 1.7 → master |
+1 for this approach, marking as accepted.
From my understanding MySQL supports the MYSQL_PWD env var, wouldn't that work?
comment:3 by , 10 years ago
The mysql command clobbers the password given in the command line, so I'm not sure if the MySQL backend needs to change it. Clobbering the process environment is also possible, just as hacky as doing it in argv, however the password length is still leaked. PostgreSQL would need a patch for that, though.
On a side note, I just realized that there's no need to copy the os.environment dictionary because the page table is going to be wiped out by os.execvp anyway.
And finally, in the MySQL backend, the use of os.system on Windows can also be removed. But that probably needs a separate patch.
comment:4 by , 10 years ago
I would like to point out the discussion we just had on http://bugs.debian.org/781033 : namely that PGPASSWD is a deprecated feature. The correct way to handle this would be to set up a temporary password file that is then passed to the PGPASSFILE environment variable.
http://www.postgresql.org/docs/9.0/interactive/libpq-envars.html
https://stackoverflow.com/questions/6523019/postgresql-scripting-psql-execution-with-password
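The temporary password file approach suggested in comment:4, as an added example (not code from the ticket, its attachment or the Django pull request). The function names and the sample values are assumptions made here; the escaping follows the pgpass file format, where a literal colon or backslash in a field is preceded by a backslash.

```python
import contextlib
import os
import subprocess
import tempfile


def _escape(field):
    # Backslash and colon are the only characters that need escaping in pgpass.
    return str(field).replace("\\", "\\\\").replace(":", "\\:")


def pgpass_line(host, port, dbname, user, password):
    """Build one host:port:database:user:password entry; empty fields become '*'."""
    fields = [host or "*", port or "*", dbname or "*", user or "*", password]
    return ":".join(_escape(f) for f in fields)


@contextlib.contextmanager
def temporary_pgpass(host, port, dbname, user, password):
    """Yield an environment whose PGPASSFILE names a private, short-lived file."""
    fd, path = tempfile.mkstemp(prefix="pgpass-")  # mkstemp creates it mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pgpass_line(host, port, dbname, user, password) + "\n")
        env = dict(os.environ, PGPASSFILE=path)
        env.pop("PGPASSWORD", None)  # an explicit password would win over the file
        yield env
    finally:
        os.unlink(path)  # the secret must not outlive the psql session


def run_psql(host, port, dbname, user, password, psql="psql"):
    """Run psql as a child process (not exec) so the file can be removed afterwards."""
    args = [psql]
    if user:
        args += ["-U", user]
    if host:
        args += ["-h", host]
    if port:
        args += ["-p", str(port)]
    if dbname:
        args.append(dbname)
    with temporary_pgpass(host, port, dbname, user, password) as env:
        return subprocess.call(args, env=env)


if __name__ == "__main__":
    # Constructed sample settings, not taken from the ticket.
    print(pgpass_line("db.example", 5432, "app", "alice", r"p:a\ss"))
```

Replacing the process with os.execvp, as the attached approach does, leaves nothing behind to delete the file, which is why this sketch waits on a child process instead.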
comment:5 by , 10 years ago
I wrote a patch at https://github.com/django/django/pull/4392
Please review it.
comment:6 by , 10 years ago
Patch needs improvement: | unset |
---|
comment:7 by , 10 years ago
Patch needs improvement: | set |
---|
comment:8 by , 10 years ago
Needs documentation: | unset |
---|---|
Patch needs improvement: | unset |
comment:9 by , 10 years ago
Patch needs improvement: | set |
---|
Proposed fix.