BUG #16106: Patch - Radius secrets always gets lowercased

The Post Office <noreply@postgresql.org>

From: PG Bug reporting form <noreply@postgresql.org>
To: pgsql-bugs@lists.postgresql.org
Cc: mdavid@palantir.com
Date: 2019-11-11T18:01:35Z
Lists: pgsql-bugs
The following bug has been logged on the website:

Bug reference:      16106
Logged by:          Marcos David
Email address:      mdavid@palantir.com
PostgreSQL version: 12.0
Operating system:   Centos 7
Description:        

I'm using radius authentication in pg_hba.conf and I've run into the
following issue.

The radiussecrets is always getting lowercased even if I start it with
double quotes. Seems the double quotes are removed by the tokenization
process and then the secret gets lowercased by 
https://github.com/postgres/postgres/blob/REL_12_STABLE/src/backend/utils/adt/varlena.c#L3652

I'm attaching a  patch for this since I don't think the secrets should ever
be lowercased.


--- src/backend/libpq/hba.c.old	2019-11-08 16:42:27.934508368 +0000
+++ src/backend/libpq/hba.c	2019-11-08 16:43:12.069173627 +0000
@@ -2011,7 +2011,7 @@

 		REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecrets", "radius");

-		if (!SplitIdentifierString(dupval, ',', &parsed_secrets))
+		if (!SplitGUCList(dupval, ',', &parsed_secrets))
 		{
 			/* syntax error in list */
 			ereport(elevel,
@@ -2033,7 +2033,7 @@

 		REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifiers", "radius");

-		if (!SplitIdentifierString(dupval, ',', &parsed_identifiers))
+		if (!SplitGUCList(dupval, ',', &parsed_identifiers))
 		{
 			/* syntax error in list */
 			ereport(elevel,

Commits

  1. Avoid using SplitIdentifierString to parse ListenAddresses, too.

  2. Avoid downcasing/truncation of RADIUS authentication parameters.

  3. Support multiple RADIUS servers