Re: Possible to store invalid SCRAM-SHA-256 Passwords

Jonathan S. Katz <jkatz@postgresql.org>

From: "Jonathan S. Katz" <jkatz@postgresql.org>
To: Michael Paquier <michael@paquier.xyz>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-bugs@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T01:26:01Z
Lists: pgsql-bugs
On 4/22/19 9:01 PM, Michael Paquier wrote:

> 
> Also, the extra SELECT query with regexp_replace() is a bit overkill
> for the purpose, and copying again a copy of the regexp around is no
> fun.
> 
> In short, I would simplify things as the attached.  What do you think?

Outside of the strlen comments, I do like the changes to the tests, +1

I did purposely keep the SCRAM + MD5 changes as separate patches as I
felt they were both atomic, but I have no strong opinions on that.

Thanks,

Jonathan

Commits

  1. Fix detection of passwords hashed with MD5

  2. Fix detection of passwords hashed with MD5 or SCRAM-SHA-256