| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> | 
|---|---|
| To: | liulang <lang(dot)liu(at)esgyn(dot)cn> | 
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org | 
| Subject: | Re: lost status 'STATUS_EOF' for authentication when using 'MD5' or 'scram-sha-256' | 
| Date: | 2024-01-02 20:28:40 | 
| Message-ID: | 12829.1704227320@sss.pgh.pa.us | 
| Lists: | pgsql-bugs | 
liulang <lang(dot)liu(at)esgyn(dot)cn> writes:
> The above code does not affect the database execution, but 
> ClientAuthentication_hook will be confused about whether the password is 
> incorrect or not currently entered?
> So... CheckPWChallengeAuth should return STATUS_EOF when it is, I think.
Yeah, I think you are right.  Overriding the subroutine's result
here is mistaken, even without considering whether it confuses any
ClientAuthentication_hook.  The whole point, as per the comments,
is to not betray to the remote end whether or not there is a user
with a password set.  But if we substitute STATUS_ERROR for
STATUS_EOF then we cause exactly that to happen: if the remote closes
the connection for send only, it can tell by whether an error comes
back whether or not the code found a password.
I think we can do it more simply than you suggest though.  Just
drop the "return STATUS_ERROR" bit; the Assert is enough.
regards, tom lane
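The leak described in the reply above, as an added example that is not part of this message or of PostgreSQL's own source: a C model of the two versions of the result handling in CheckPWChallengeAuth(), plus a probe that checks whether a client hanging up in the middle of the challenge can tell a role that has a password from one that does not. The status constants, the one-entry role table standing in for get_role_password(), and the string-compare stand-in for the MD5/SCRAM exchange are assumptions of the model, not PostgreSQL code.

```c
/*
 * Added example, not PostgreSQL source: a small model of the result
 * handling in CheckPWChallengeAuth() that this thread discusses. It shows
 * why rewriting the subroutine's STATUS_EOF into STATUS_ERROR when no
 * password was found gives a client an oracle for "does this role have a
 * password set?".
 *
 * Assumptions (mine, not from the thread): status values mirror
 * PostgreSQL's STATUS_OK / STATUS_ERROR / STATUS_EOF; a constructed
 * one-entry table stands in for get_role_password(); the MD5/SCRAM
 * exchange is reduced to a string comparison.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STATUS_OK      0
#define STATUS_ERROR  (-1)
#define STATUS_EOF    (-2)

/* Constructed role table: only "alice" has a password. A missing role and a
 * role without a password look identical to the caller, as with
 * get_role_password(). */
static const char *lookup_password(const char *role)
{
    if (strcmp(role, "alice") == 0)
        return "alice-secret";          /* stands in for the stored verifier */
    return NULL;
}

/*
 * Stand-in for the MD5/SCRAM exchange. The server always runs the exchange,
 * with a dummy verifier when shadow_pass is NULL, so the challenge itself
 * reveals nothing. A NULL client_answer models the client half-closing its
 * sending side before answering; the subroutine then reports STATUS_EOF
 * whether or not a real password existed.
 */
static int run_challenge(const char *shadow_pass, const char *client_answer)
{
    if (client_answer == NULL)
        return STATUS_EOF;              /* lost the client, nothing to verify */
    if (shadow_pass == NULL)
        return STATUS_ERROR;            /* dummy exchange can never succeed */
    return strcmp(shadow_pass, client_answer) == 0 ? STATUS_OK : STATUS_ERROR;
}

/* Pre-fix logic: overrides the subroutine's result when no password was found. */
static int check_pw_challenge_auth_before(const char *role, const char *client_answer)
{
    const char *shadow_pass = lookup_password(role);
    int auth_result = run_challenge(shadow_pass, client_answer);

    if (shadow_pass == NULL)
    {
        assert(auth_result != STATUS_OK);
        return STATUS_ERROR;            /* the override the thread objects to */
    }
    return auth_result;
}

/* Post-fix logic as suggested in the reply: keep the Assert, drop the override. */
static int check_pw_challenge_auth_after(const char *role, const char *client_answer)
{
    const char *shadow_pass = lookup_password(role);
    int auth_result = run_challenge(shadow_pass, client_answer);

    if (shadow_pass == NULL)
        assert(auth_result != STATUS_OK);
    return auth_result;
}

/*
 * The probe from the client's side: connect as the role, receive the
 * challenge, half-close, and note whether an error comes back
 * (STATUS_ERROR) or the server simply drops the connection (STATUS_EOF).
 * Returns true if that observation differs between a role with a password
 * and one without, i.e. if the server leaks the information.
 */
static bool hangup_reveals_password_presence(int (*check)(const char *, const char *))
{
    int with_password    = check("alice", NULL);
    int without_password = check("bob", NULL);
    return with_password != without_password;
}

int main(void)
{
    printf("before fix: hang-up is an oracle: %s\n",
           hangup_reveals_password_presence(check_pw_challenge_auth_before) ? "yes" : "no");
    printf("after fix:  hang-up is an oracle: %s\n",
           hangup_reveals_password_presence(check_pw_challenge_auth_after) ? "yes" : "no");
    return 0;
}
```

The probe deliberately never sends a real answer: the only thing it measures is whether the server's reaction to a half-closed connection depends on the role, which is exactly the bit of information the comments in the real function say must not be betrayed. Normal authentication paths are unchanged by the fix, since with a password present both versions return the subroutine's result, and without one the Assert still guarantees STATUS_OK is impossible.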