Re: Possible to store invalid SCRAM-SHA-256 Passwords
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Michael Paquier <michael@paquier.xyz>
Cc: "Jonathan S. Katz" <jkatz@postgresql.org>,
pgsql-bugs@lists.postgresql.org,
Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T01:10:49Z
Lists: pgsql-bugs
Michael Paquier <michael@paquier.xyz> writes: > There is no point for the second strlen() check, as strspn does the > same work. Um, no --- the strspn call will count the number of bytes of hex data, but without also checking strlen, you don't know that there's not non-hex trailing junk. regards, tom lane
Commits
-
Fix detection of passwords hashed with MD5
- a82c06f4001d 9.4.22 landed
- 20dbc84bd002 9.5.17 landed
- af298f00a1e8 9.6.13 landed
-
Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
- 15fe91e70ec6 10.8 landed
- 7f56d43663dd 11.3 landed
- ccae190b916f 12.0 landed