Quick Links

Re: Possible to store invalid SCRAM-SHA-256 Passwords

From:	Michael Paquier <michael(at)paquier(dot)xyz>
To:	"Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)lists(dot)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>
Subject:	Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date:	2019-04-23 02:10:18
Message-ID:	20190423021018.GF2712@paquier.xyz
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs

On Mon, Apr 22, 2019 at 09:16:49PM -0400, Jonathan S. Katz wrote:
> +1; that's why I left the comparison in.
>
> (e.g. "md512345678901234567890123456789012zzz" would pass without strlen).

That's a hard morning... Yes you are right and I can see the failure.
By the way, grouping everything in one patch looks more adapted to me
as this tightens all the checks for the different verifier types.
--
Michael

In response to

Re: Possible to store invalid SCRAM-SHA-256 Passwords at 2019-04-23 01:16:49 from Jonathan S. Katz

Responses

Re: Possible to store invalid SCRAM-SHA-256 Passwords at 2019-04-23 06:57:01 from Michael Paquier

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	PG Bug reporting form	2019-04-23 03:19:21	BUG #15775: pg_get_indexdef: could not open relation with OID 16385
Previous Message	Tom Lane	2019-04-23 01:28:19	Re: Possible to store invalid SCRAM-SHA-256 Passwords