| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Eyedia Tech <eyedia(at)debjyoti(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: chkpass Major Issue - compares 'contains' and not 'equal' |
| Date: | 2018-06-07 14:14:54 |
| Message-ID: | 18834.1528380894@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Eyedia Tech <eyedia(at)debjyoti(dot)com> writes:
> To replicate use this:
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password')
> select * from "user" where uname = 'user1' and password = 'password1'
That would depend on the behavior of your local version of crypt(3),
but historically, that library function uses only the first eight
characters of the password, which explains this example.
> This is a major issue.
We're not going to treat it as such. It's clearly documented, see
https://www.postgresql.org/docs/current/static/chkpass.html
FWIW, chkpass is deprecated and has been removed entirely as of PG 11.
It has a lot of design problems above and beyond its reliance on a
40-year-old encryption spec.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | PG Bug reporting form | 2018-06-07 15:25:05 | BUG #15232: Query execution changes based on using 'explain analyze' or not |
| Previous Message | David G. Johnston | 2018-06-07 14:09:24 | Re: chkpass Major Issue - compares 'contains' and not 'equal' |