Re: chkpass Major Issue - compares 'contains' and not 'equal'

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Eyedia Tech <eyedia@debjyoti.com>
Cc: pgsql-bugs@postgresql.org
Date: 2018-06-07T14:14:54Z
Lists: pgsql-bugs
Eyedia Tech <eyedia@debjyoti.com> writes:
> To replicate use this:
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password')
> select * from "user" where uname = 'user1' and password = 'password1'

That would depend on the behavior of your local version of crypt(3),
but historically, that library function uses only the first eight
characters of the password, which explains this example.

> This is a major issue.

We're not going to treat it as such.  It's clearly documented, see

https://www.postgresql.org/docs/current/static/chkpass.html

FWIW, chkpass is deprecated and has been removed entirely as of PG 11.
It has a lot of design problems above and beyond its reliance on a
40-year-old encryption spec.

			regards, tom lane