Re: Possible to store invalid SCRAM-SHA-256 Passwords

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: "Jonathan S. Katz" <jkatz@postgresql.org>, pgsql-bugs@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T01:10:49Z
Lists: pgsql-bugs
Michael Paquier <michael@paquier.xyz> writes:
> There is no point for the second strlen() check, as strspn does the
> same work.

Um, no --- the strspn call will count the number of bytes of hex
data, but without also checking strlen, you don't know that there's
not non-hex trailing junk.

			regards, tom lane



Commits

  1. Fix detection of passwords hashed with MD5

  2. Fix detection of passwords hashed with MD5 or SCRAM-SHA-256