From: | "Jeroen T(dot) Vermeulen" <jtv(at)xs4all(dot)nl> |
---|---|
To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: PQencryptPassword() and encoding |
Date: | 2006-12-20 05:39:24 |
Message-ID: | 12713.61.7.248.130.1166593164.squirrel@webmail.xs4all.nl |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, December 20, 2006 11:08, Tom Lane wrote:
> "Jeroen T. Vermeulen" <jtv(at)xs4all(dot)nl> writes:
>> Probably a silly question, but better safe than sorry:
>> AFAICS there's no way for PQencryptPassword() to see what encoding
>> applies. Are we quite sure that that is not a problem?
>
> Right offhand it seems that the worst possible consequence is
> authentication failure: you originally entered your password
> as foobar in encoding X, and then when you enter foobar in
> encoding Y, you get the raspberry. Do you see something else?
That's definitely the first thing that springs to mind. I don't suppose
the problems we had with escaping could happen here, and there probably
aren't any security implications.
Getting different password hashes depending on your client encoding would
probably not hit a lot of people, but it would be annoying and hard to
debug where it did happen. If it can happen in the first place, that is,
which is what I'm asking.
Jeroen
From | Date | Subject | |
---|---|---|---|
Next Message | Jonah H. Harris | 2006-12-20 05:50:40 | Re: effective_cache_size vs units |
Previous Message | Jonah H. Harris | 2006-12-20 05:37:32 | Re: Companies Contributing to Open Source |