From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
---|---|
To: | Eyedia Tech <eyedia(at)debjyoti(dot)com> |
Cc: | "pgsql-bugs(at)postgresql(dot)org" <pgsql-bugs(at)postgresql(dot)org>, "darcy(at)druid(dot)net" <darcy(at)druid(dot)net> |
Subject: | Re: chkpass Major Issue - compares 'contains' and not 'equal' |
Date: | 2018-06-07 14:09:24 |
Message-ID: | CAKFQuwbkHkCjbg+BtLg-7P+D1Ma=Yn6N=POc+jCjLGdTU3iozg@mail.gmail.com |
Lists: | pgsql-bugs |
On Thursday, June 7, 2018, Eyedia Tech <eyedia(at)debjyoti(dot)com> wrote:
> To replicate use this:
>
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password');
> select * from "user" where uname = 'user1' and password = 'password1';
>
> This is a major issue.
>
It is also a documented limitation.

The encryption uses the standard Unix function crypt(), and so it suffers
from all the usual limitations of that function; notably that only the
first eight characters of a password are considered.

https://www.postgresql.org/docs/10/static/chkpass.html

At this point I'd consider its presence here for backward compatibility
only and as such the behavior is not something that is likely to be changed.

David J.
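
The eight-character limit quoted above, reproduced side by side with a hash that does not truncate at eight characters. This is an added example, not part of the original message or of chkpass; it assumes the pgcrypto extension is available, and the table name `app_user` and column `password_hash` are hypothetical.

```sql
-- Added example. Assumes pgcrypto can be installed in this database.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- 1. Traditional DES crypt(), the algorithm the chkpass documentation
--    describes: input past the eighth character is not hashed, so
--    'password' and 'password1' are compared as the same secret.
WITH h AS (SELECT crypt('password', gen_salt('des')) AS stored)
SELECT stored = crypt('password',  stored) AS exact_input,
       stored = crypt('password1', stored) AS longer_input
FROM h;

-- 2. The same comparison with bcrypt (gen_salt('bf')), which hashes up
--    to 72 bytes of input, so the ninth character changes the result.
WITH h AS (SELECT crypt('password', gen_salt('bf', 10)) AS stored)
SELECT stored = crypt('password',  stored) AS exact_input,
       stored = crypt('password1', stored) AS longer_input
FROM h;

-- 3. The table from the report, with a text column holding a bcrypt
--    hash in place of the chkpass column (hypothetical names).
CREATE TABLE app_user (
    uname         text PRIMARY KEY,
    password_hash text NOT NULL
);

INSERT INTO app_user (uname, password_hash)
VALUES ('user1', crypt('password', gen_salt('bf', 10)));

-- Login check for the candidate from the report: the stored hash
-- carries its own salt and cost, so it is passed as crypt()'s second
-- argument and the result is compared with the stored value.
SELECT uname
FROM app_user
WHERE uname = 'user1'
  AND password_hash = crypt('password1', password_hash);

-- The same check with the password that was actually set.
SELECT uname
FROM app_user
WHERE uname = 'user1'
  AND password_hash = crypt('password', password_hash);
```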