Re: BUG #16106: Patch - Radius secrets always gets lowercased
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: mdavid@palantir.com
Cc: pgsql-bugs@lists.postgresql.org
Date: 2019-11-11T20:23:07Z
Lists: pgsql-bugs
PG Bug reporting form <noreply@postgresql.org> writes: > I'm using radius authentication in pg_hba.conf and I've run into the > following issue. > The radiussecrets is always getting lowercased even if I start it with > double quotes. Seems the double quotes are removed by the tokenization > process and then the secret gets lowercased by > https://github.com/postgres/postgres/blob/REL_12_STABLE/src/backend/utils/adt/varlena.c#L3652 > I'm attaching a patch for this since I don't think the secrets should ever > be lowercased. Hm. I know zip about RADIUS but this seems like generally a sane change to make. The other very-dubious-in-this-context assumption that is embedded in SplitIdentifierString is that the strings should be truncated at NAMEDATALEN. Why did you not change the parsing for all four RADIUS options? Probably case-folding wouldn't matter for the server names, but the length limitation could. (Hmm ... on the same principle, PostmasterMain probably shouldn't be using this function for parsing ListenAddresses.) I'm hesitant to back-patch a change like this, because in theory it could change a working configuration into a non-working one. But it'd be sensible to do in HEAD. regards, tom lane
Commits
-
Avoid using SplitIdentifierString to parse ListenAddresses, too.
- 7bf40ea0d028 13.0 landed
-
Avoid downcasing/truncation of RADIUS authentication parameters.
- d9802590a1b3 12.2 landed
- d66e68207e99 11.7 landed
- 7618eaf5f315 13.0 landed
- 4be69e2ea14d 10.12 landed
-
Support multiple RADIUS servers
- 6b76f1bb58f5 10.0 cited