Quick Links

Re: Possible to store invalid SCRAM-SHA-256 Passwords

From:	"Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
To:	Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Michael Paquier <michael(at)paquier(dot)xyz>
Cc:	pgsql-bugs(at)lists(dot)postgresql(dot)org, Stephen Frost <sfrost(at)snowman(dot)net>
Subject:	Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date:	2019-04-23 01:16:49
Message-ID:	265876b8-1a72-89cd-bdcf-e641d93e166c@postgresql.org
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-bugs

On 4/22/19 9:10 PM, Tom Lane wrote:
> Michael Paquier <michael(at)paquier(dot)xyz> writes:
>> There is no point for the second strlen() check, as strspn does the
>> same work.
>
> Um, no --- the strspn call will count the number of bytes of hex
> data, but without also checking strlen, you don't know that there's
> not non-hex trailing junk.

+1; that's why I left the comparison in.

(e.g. "md512345678901234567890123456789012zzz" would pass without strlen).

Jonathan

In response to

Re: Possible to store invalid SCRAM-SHA-256 Passwords at 2019-04-23 01:10:49 from Tom Lane

Responses

Re: Possible to store invalid SCRAM-SHA-256 Passwords at 2019-04-23 02:10:18 from Michael Paquier

Browse pgsql-bugs by date

	From	Date	Subject
Next Message	Jonathan S. Katz	2019-04-23 01:26:01	Re: Possible to store invalid SCRAM-SHA-256 Passwords
Previous Message	Tom Lane	2019-04-23 01:10:49	Re: Possible to store invalid SCRAM-SHA-256 Passwords