From: | Fujii Masao <masao(dot)fujii(at)oss(dot)nttdata(dot)com> |
---|---|
To: | David Fetter <david(at)fetter(dot)org> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Minor issues in .pgpass |
Date: | 2020-02-12 17:01:30 |
Message-ID: | 39367af6-b3c5-23f7-c1ad-bfad21934399@oss.nttdata.com |
Lists: | pgsql-hackers |
On 2020/01/22 9:06, David Fetter wrote:
> On Tue, Jan 21, 2020 at 03:27:50PM +0900, Fujii Masao wrote:
>> Hi,
>>
>> When I was researching the maximum length of password in PostgreSQL
>> to answer the question from my customer, I found that there are two
>> minor issues in .pgpass file.
>>
>> (1) If the length of a line in .pgpass file is larger than 319B,
>> libpq silently treats each 319B in the line as a separate
>> setting line.
>
> This seems like a potentially serious bug. For example, a truncated
> password could get retried enough times to raise intruder alarms, and
> it wouldn't be easy to track down.
>
>> (2) The document explains that a line beginning with # is treated
>> as a comment in .pgpass. But as far as I read the code,
>> there is no code doing such special handling.
>
> This is a flat-out bug, as it violates a promise the documentation has
> made.
>
>> Also if the length of that "comment" line is larger than 319B,
>> the latter part of the line can be treated as valid setting.
>
>> You may think that these unexpected behaviors are not so harmful
>> in practice because "usually" the length of password setting line is
>> less than 319B and the hostname beginning with # is less likely to be
>> used. But the problem exists. And there are people who want to use
>> large password or to write a long comment (e.g., with multibyte
>> characters like Japanese) in .pgpass, so these may be more harmful
>> in the near future.
>>
>> For (1), I think that we should make libpq warn if the length of a line
>> is larger than 319B, and throw away the remaining part beginning from
>> 320B position. Whether to enlarge the length of a line should be
>> a separate discussion, I think.
>
> Agreed.
>
>> For (2), libpq should treat any lines beginning with # as comments.

Patch attached. This patch does the above (1) and (2).

> Would it make sense for lines starting with whitespace and then # to
> be treated as comments, too, e.g.:

Could you tell me why you want to treat such a line as a comment?
Basically I don't want to change the existing rules for parsing
.pgpass file more than necessary.

Regards,
--
Fujii Masao
NTT DATA CORPORATION
Advanced Platform Technology Group
Research and Development Headquarters
Attachment | Content-Type | Size |
---|---|---|
pgpass_v1.patch | text/plain | 1.4 KB |
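
The two behaviours discussed in this message, as an added example that is not part of the original e-mail, of pgpass_v1.patch, or of libpq: a reader that takes every `fgets()` chunk as a line, next to one that skips `#` lines and discards, with a warning count, everything past byte 319. The 320-byte buffer (`LINELEN`), the function names and the sample line are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define LINELEN 320 /* assumed buffer: 319 data bytes + NUL (the 319B in the thread) */
/* Constructed sample: ONE physical line, '#' padded to 319 bytes, then setting-like text. */
FILE *sample_file(void)
{
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fprintf(fp, "#%*s%s\n", LINELEN - 2, "", "example.invalid:5432:db:user:pw");
    rewind(fp);
    return fp;
}

/* Behaviour described in the thread: every fgets() chunk is taken as a line. */
int count_naive(FILE *fp, char *last, size_t lastsz)
{
    char buf[LINELEN];
    int n = 0;
    for (; fgets(buf, sizeof buf, fp); n++)
        snprintf(last, lastsz, "%s", buf); /* remember the most recent chunk */
    return n;
}

/* Proposed behaviour: '#' lines are comments; bytes past 319 are dropped with a warning. */
int count_strict(FILE *fp, int *warnings)
{
    char buf[LINELEN];
    int n = 0, c;
    for (*warnings = 0; fgets(buf, sizeof buf, fp); ) {
        int over = 0; /* set when bytes beyond the buffer had to be discarded */
        if (strlen(buf) == sizeof buf - 1 && buf[sizeof buf - 2] != '\n')
            while ((c = fgetc(fp)) != EOF && c != '\n') over = 1;
        *warnings += over;
        if (buf[0] != '#' && buf[0] != '\n') n++;
    }
    return n;
}

int main(void)
{
    char last[LINELEN] = "";
    int w, n;
    FILE *fp = sample_file();
    if (!fp) return 1;
    n = count_naive(fp, last, sizeof last);
    printf("naive: %d chunks, last: %s", n, last);
    rewind(fp);
    n = count_strict(fp, &w);
    printf("strict: %d settings lines, %d warning(s)\n", n, w);
    return 0;
}
```

On the constructed file the naive reader sees the tail of the comment as its own line, while the strict reader keeps no settings line and reports one overlong line.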