Re: chkpass Major Issue - compares 'contains' and not 'equal'
From: "David G. Johnston" <david.g.johnston@gmail.com>
To: Eyedia Tech <eyedia@debjyoti.com>
Cc: "pgsql-bugs@postgresql.org" <pgsql-bugs@postgresql.org>,
"darcy@druid.net" <darcy@druid.net>
Date: 2018-06-07T14:09:24Z
Lists: pgsql-bugs
On Thursday, June 7, 2018, Eyedia Tech <eyedia@debjyoti.com> wrote:
> To replicate use this:
>
> create extension chkpass;  -- the type is provided by the contrib extension
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password');
> select * from "user" where uname = 'user1' and password = 'password1';
>
> This is a major issue.
>
It is also a documented limitation.
The encryption uses the standard Unix function crypt(), and so it suffers
from all the usual limitations of that function; notably that only the
first eight characters of a password are considered.
https://www.postgresql.org/docs/10/static/chkpass.html
At this point I'd consider its presence here for backward compatibility
only and as such the behavior is not something that is likely to be changed.
David J.
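An added example (not part of the thread) that makes the eight-character crypt() limit visible directly in SQL, showing that the match is a prefix truncation rather than a "contains" check; it assumes a scratch PostgreSQL 10 database in which the chkpass extension can be installed:

```sql
-- Added example, not from the thread. Assumes a scratch database on
-- PostgreSQL 10 or earlier where chkpass (contrib) is available.
create extension if not exists chkpass;

create temp table "user" (uname text, password chkpass);
insert into "user" values ('user1', 'password');   -- stored as a crypt() hash with a random salt

-- chkpass "=" re-runs crypt() on the candidate with the stored salt, and
-- DES crypt() only consumes the first eight characters of the candidate.
-- Every candidate whose first eight characters are 'password' therefore
-- compares equal; anything that differs inside those eight does not.
select candidate, password = candidate as matches
from "user",
     (values ('password'),     -- expected: t
             ('password1'),    -- expected: t  (the report's case)
             ('passwordXYZ'),  -- expected: t
             ('passwor'),      -- expected: f  (shorter, padded differently)
             ('Xpassword'),    -- expected: f  (not a "contains" match)
             ('Password'))     -- expected: f  (case differs within 8 chars)
       as c(candidate)
where uname = 'user1';
```

Because the stored hash never reveals how long the original password was, this truncation cannot be detected after the fact from the column contents; it only shows up when a longer candidate is compared.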