Re: BUG #8628: md5 security hole

From: Francisco Olarte <folarte(at)peoplecall(dot)com>
To: rob(at)northleaf(dot)com
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #8628: md5 security hole
Date: 2013-11-26 08:57:29
Message-ID: CA+bJJbyXbMgWnTfy9C7dDomWP38XPhtKoXaMzX78vvErssob8w@mail.gmail.com
Lists: pgsql-bugs

Hi Rob,

On Sun, Nov 24, 2013 at 5:49 PM, <rob(at)northleaf(dot)com> wrote:
> I am able to login without a password when the password field is null. If
> the field is not null the functionality seems normal, I get rejected unless
> the password is correct. This makes password based login ridiculous. Is
> this a bug or designed in? I login with my own code (Qt based) or with
> pgAdmin III and I find the same bug. Is it not possible to require a
> password at login?

I doubt a bug like that would have remained uncovered for a long time,
so this has a strong PEBKAC smell.

What do you mean by 'the password field'? The only similar thing
which I would describe as a 'password field' in a database is the
pg_authid.rolpasswd column, which is described as 'Password (possibly
encrypted); null if none.', which would give something which could be
easily interpreted as what you are reporting, making the behaviour you
describe exactly the documented one and your report a misinterpreted
pilot error. Maybe if you add a little more detail and do a little
legwork before making such a strong statement someone can help you.

Regards.
Francisco Olarte.
