> More generally: I find this complaint a little confusing.  We did not
> consider reporting the "show row contents" DETAIL to the client to be a
> security hazard when it was added, because one would think that that's
> just data that the client already knows anyway.  I'd be interested to see
> a plausible use-case in which the message would reflect PII that had not
> been supplied by or available to the client.

I had the same issue in pgaudit, which was spilling PHI data in PG logs which we
were feeding to Sumo Logic.  I had to write a Python masking program to strip out
literal values from the PG log.
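
A sketch of the kind of log-masking filter described in this reply, as an added example; it is not the poster's program and not pgaudit code. It assumes the stderr log format with one entry per line and pgaudit's CSV layout (statement in field 8, parameters in field 9); the sample lines are constructed, and dollar-quoted strings are not handled.

```python
import csv
import io
import re

# Assumptions (not from the post): one log entry per line, stderr log format,
# pgaudit's CSV layout where STATEMENT is field 8 and PARAMETER is field 9.
STR_LIT = re.compile(r"'(?:[^']|'')*'")  # 'text', where '' escapes a quote
NUM_LIT = re.compile(r"(?<![\w$.])\d+(?:\.\d+)?(?![\w.])")  # 17, 3.5; not col1, $1
FAILING_ROW = re.compile(r"(Failing row contains )\(.*\)")
AUDIT = re.compile(r"^(.*?\bAUDIT: (?:[^,]*,){7})(.*)$")
STMT = re.compile(r"^(.*?\b(?:STATEMENT|statement): )(.*)$")


def mask_sql(sql):
    """Replace string literals, then numeric literals, with placeholders."""
    return NUM_LIT.sub("?", STR_LIT.sub("'?'", sql))


def mask_line(line):
    """Return one log line (no trailing newline) with literal values removed."""
    m = AUDIT.match(line)
    if m:
        fields = next(csv.reader([m.group(2)]), [])
        if fields:
            fields[0] = mask_sql(fields[0])
        if len(fields) > 1 and fields[1] not in ("<none>", "<not logged>"):
            fields[1] = "<masked>"  # bind parameters are pure data
        out = io.StringIO()
        csv.writer(out, lineterminator="").writerow(fields)
        return m.group(1) + out.getvalue()
    m = STMT.match(line)
    if m:
        return m.group(1) + mask_sql(m.group(2))
    # Constraint-violation DETAIL: the row has no quoting, so drop it whole.
    return FAILING_ROW.sub(r"\1(<masked>)", line)


# Constructed sample lines, not taken from any real system.
SAMPLE = [
    "2024-05-01 10:00:00 UTC [4242] LOG:  AUDIT: SESSION,1,1,WRITE,INSERT,,,"
    "\"INSERT INTO patients (id, name, dx) VALUES (17, 'Jane O''Neil', 'E11.9')\","
    "<not logged>",
    "2024-05-01 10:00:01 UTC [4242] LOG:  AUDIT: SESSION,2,1,READ,SELECT,,,"
    "SELECT * FROM patients WHERE mrn = $1,883-22-1",
    "2024-05-01 10:00:02 UTC [4242] DETAIL:  Failing row contains (17, Jane O'Neil, null).",
    "2024-05-01 10:00:02 UTC [4242] STATEMENT:  INSERT INTO patients VALUES (17, 'Jane', NULL)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(mask_line(entry))
```

The log prefix and pgaudit's leading fields are left intact so the masked lines still parse downstream; only the statement text, the parameter field and the failing-row DETAIL are rewritten.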