Re: BUG #6412: psql & fe-connect truncate passwords

From: Andy Grimm <agrimm(at)gmail(dot)com>
To: Euler Taveira de Oliveira <euler(at)timbira(dot)com>
Cc: PostgreSQL Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #6412: psql & fe-connect truncate passwords
Date: 2012-01-28 17:32:24
Message-ID: CAEoAmOqnmJnZ5SPGM1Y1gWeO6_R7z8-u97vUMynrD3BMKMT1aA@mail.gmail.com
Lists: pgsql-bugs

On Sat, Jan 28, 2012 at 11:55 AM, Euler Taveira de Oliveira
<euler(at)timbira(dot)com> wrote:
> On 27-01-2012 23:15, agrimm(at)gmail(dot)com wrote:
>> When psql prompts for a password, it only reads the first 100 characters of
>> the password.  The limit in fe-connect.c (for when .pgpass is used) is
>> weirder, a seemingly arbitrary 320 bytes for all fields combined.  Other
>> (postgresql-jdbc, PyGreSQL, etc.) have no problem with a 512-byte password.
>> It would be nice to have these limits controlled by a constant, and for the
>> command to give an error or warning when a password is truncated.
>>
> I don't see it as a bug but a limitation.

First, thank you for the quick response.

IMHO, there is a subtle difference here. If psql raised an error
message on passwords exceeding 100 characters, I would understand your
perspective, but I think that simply truncating the password and
continuing on is a bug. I also think that hard-coding the number
"100" in several places is simply poor practice which should be
corrected, and that if there's good reason for that to be the password
length limit, it should be uniformly enforced.

Regardless of whether it's a bug or a feature, though, the fixes are
trivial, so I'm not sure what a strong argument _against_ the changes
would be.

> Why do you need such a long
> password?

The password is not of my choosing. It's an autogenerated SHA hash of
an RSA key, and I've simply been given the key to use.
While I agree that it's generally impractical to use such a long
password at the command line, more than 99% of the use of this
password is programmatic, and if I complain to the author that the
password is too long, he'll respond "it works for me with JDBC; you
are using broken tools."

> If you are not comfortable with this reasonable limit, look at
> fe-connect.c -> PasswordFromFile() and change the LINELEN. More to the point,
> AFAICS all of the PostgreSQL client prompts are limited to 100 bytes (look at
> simple_prompt function); letting 220 bytes for host, port, database, and user.

I looked at the code before I wrote up the issue, and I have written
and tested a patch. I've posted it here:

https://bugzilla.redhat.com/attachment.cgi?id=558061

As you might expect, it simply defines a constant called PASSWDLEN and
uses that in the calls to simple_prompt, as well as in initdb's
reading of pwfile (which inexplicably uses MAXPGPATH as the maximum
password length today).

Perhaps I should just submit the patch to pgsql-hackers? I'm new to
the pgsql bug interaction process, so my apologies if filing a bug was
not the appropriate way to present the issue. I get Internal Server
Error messages when I attempt to subscribe to any of the pgsql mailing
lists, so this makes communication with the lists difficult.

--Andy

> --
>   Euler Taveira de Oliveira - Timbira       http://www.timbira.com.br/
>   PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento
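The failure mode discussed in this thread, shown as an added example that is not PostgreSQL's code and not the patch linked above: a reader that fgets() a secret into a fixed buffer and carries on silently, next to one with the same interface that notices the line did not fit. The PASSWDLEN value, the function names and the constructed input (a 120-byte password line followed by a second line) are assumptions for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Stand-in for the hard-coded 100 in the client prompts and LINELEN in
 * PasswordFromFile; the name follows the patch's proposal, the value is
 * an assumption for this demo. */
#define PASSWDLEN 100

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* The behaviour the report complains about: fgets() into a fixed buffer,
 * strip the newline, carry on. A line longer than the buffer is cut short
 * and the caller never learns; the unread tail stays in the stream and
 * surfaces as the *next* line. */
enum read_status read_line_silent(FILE *in, char *buf, size_t bufsize)
{
    if (fgets(buf, (int) bufsize, in) == NULL)
        return READ_EOF;
    buf[strcspn(buf, "\n")] = '\0';
    return READ_OK;
}

/* Same interface, but detects truncation: if the buffer filled without
 * reaching a newline and more input remains, drain the rest of the line
 * and report it, so the caller can error out instead of sending a
 * truncated secret to the server. */
enum read_status read_line_checked(FILE *in, char *buf, size_t bufsize)
{
    if (fgets(buf, (int) bufsize, in) == NULL)
        return READ_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }

    /* No newline in the buffer: either the last line lacks '\n' (fine)
     * or the line was longer than the buffer. Peek to tell them apart. */
    int c = fgetc(in);
    if (c == EOF)
        return READ_OK;

    while (c != EOF && c != '\n')   /* discard the rest of the line */
        c = fgetc(in);
    buf[0] = '\0';                  /* never hand back a partial secret */
    return READ_TRUNCATED;
}

/* Read the first two lines of an in-memory "file" with either reader.
 * Returns the status of the first read; 'next' receives the second line. */
int read_two_lines(const char *input, int checked,
                   char *first, char *next, size_t bufsize)
{
    FILE *f = fmemopen((void *) input, strlen(input), "r");
    if (f == NULL)
        return -1;
    enum read_status st = checked ? read_line_checked(f, first, bufsize)
                                  : read_line_silent(f, first, bufsize);
    enum read_status st2 = checked ? read_line_checked(f, next, bufsize)
                                   : read_line_silent(f, next, bufsize);
    fclose(f);
    if (st2 == READ_EOF)
        next[0] = '\0';
    return (int) st;
}

/* Results of the last demo_run(), kept at file scope so a caller can
 * inspect them after the call. */
static char demo_first[PASSWDLEN + 1];
static char demo_next[PASSWDLEN + 1];

/* Constructed scenario: a 120-byte password line, then "nextline". */
int demo_run(int checked)
{
    char input[160];
    memset(input, 'p', 120);
    strcpy(input + 120, "\nnextline\n");
    return read_two_lines(input, checked, demo_first, demo_next, sizeof demo_first);
}
size_t demo_first_len(void) { return strlen(demo_first); }
const char *demo_next_line(void) { return demo_next; }

int main(void)
{
    demo_run(0);
    printf("silent : %zu chars accepted, next line = \"%s\"\n",
           demo_first_len(), demo_next_line());
    int st = demo_run(1);
    printf("checked: status %d (1 = truncated), next line = \"%s\"\n",
           st, demo_next_line());
    return 0;
}
```

With the silent reader the 120-byte password is accepted as 100 bytes and the remaining 20 bytes come back as the following line, which is the kind of thing a .pgpass parser would then try to split into host/port/database/user fields; the checked reader returns READ_TRUNCATED for the first line and "nextline" for the second.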
