Re: Possible to store invalid SCRAM-SHA-256 Passwords
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: "Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-bugs@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T02:10:18Z
Lists: pgsql-bugs
On Mon, Apr 22, 2019 at 09:16:49PM -0400, Jonathan S. Katz wrote: > +1; that's why I left the comparison in. > > (e.g. "md512345678901234567890123456789012zzz" would pass without strlen). That's a hard morning... Yes you are right and I can see the failure. By the way, grouping everything in one patch looks more adapted to me as this tightens all the checks for the different verifier types. -- Michael
Commits
-
Fix detection of passwords hashed with MD5
- a82c06f4001d 9.4.22 landed
- 20dbc84bd002 9.5.17 landed
- af298f00a1e8 9.6.13 landed
-
Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
- 15fe91e70ec6 10.8 landed
- 7f56d43663dd 11.3 landed
- ccae190b916f 12.0 landed