Re: chkpass Major Issue - compares 'contains' and not 'equal'

David G. Johnston <david.g.johnston@gmail.com>

From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Eyedia Tech <eyedia@debjyoti.com>
Cc: "pgsql-bugs@postgresql.org" <pgsql-bugs@postgresql.org>, "darcy@druid.net" <darcy@druid.net>
Date: 2018-06-07T14:09:24Z
Lists: pgsql-bugs
On Thursday, June 7, 2018, Eyedia Tech <eyedia@debjyoti.com> wrote:

> To replicate use this:
>
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password');
> select * from "user" where uname = 'user1' and password = 'password1';
>
> This is a major issue.
>

It is also a documented limitation.

The encryption uses the standard Unix function crypt(), and so it suffers
from all the usual limitations of that function; notably that only the
first eight characters of a password are considered.

https://www.postgresql.org/docs/10/static/chkpass.html

At this point I'd consider its presence here for backward compatibility
only and as such the behavior is not something that is likely to be changed.

David J.
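As an added example that is not part of this thread: the reported chkpass behaviour reproduced beside a pgcrypto/bcrypt replacement and an audit query for finding remaining chkpass columns. It assumes the chkpass and pgcrypto contrib extensions are installable on the server; the table and column names are constructed for illustration.

```sql
-- 1. The reported behaviour. chkpass hashes with the traditional DES crypt(), which
--    ignores everything after the eighth character, so 'password' and 'password1'
--    verify against the same stored value.
CREATE EXTENSION IF NOT EXISTS chkpass;
CREATE TABLE user_chkpass (uname text PRIMARY KEY, password chkpass);
INSERT INTO user_chkpass VALUES ('user1', 'password');
-- Returns one row even though the supplied password is wrong:
SELECT uname FROM user_chkpass
 WHERE uname = 'user1' AND password = 'password1';

-- 2. Replacement: store a bcrypt hash produced by pgcrypto. bcrypt uses up to 72 bytes
--    of the password, so a trailing '1' changes the hash. The cost factor (12 here) is
--    a tunable assumption; raise it as hardware allows.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE user_bcrypt (uname text PRIMARY KEY, password_hash text NOT NULL);
INSERT INTO user_bcrypt VALUES ('user1', crypt('password', gen_salt('bf', 12)));
-- Verification re-hashes the candidate with the salt embedded in the stored hash.
-- Wrong password: zero rows.
SELECT uname FROM user_bcrypt
 WHERE uname = 'user1' AND password_hash = crypt('password1', password_hash);
-- Correct password: one row.
SELECT uname FROM user_bcrypt
 WHERE uname = 'user1' AND password_hash = crypt('password', password_hash);

-- 3. Audit: list every column still declared as chkpass so it can be scheduled for
--    migration. Existing chkpass values cannot be converted in place (the DES hash has
--    already discarded characters past the eighth and is not reversible), so affected
--    users must set a new password, e.g. at their next successful login.
SELECT table_schema, table_name, column_name
  FROM information_schema.columns
 WHERE udt_name = 'chkpass';
```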