pgsql: Fix detection of passwords hashed with MD5

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: pgsql-committers(at)lists(dot)postgresql(dot)org
Subject: pgsql: Fix detection of passwords hashed with MD5
Date: 2019-04-24 00:06:57
Message-ID: E1hJ5RB-0006ov-F0@gemulon.postgresql.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers

Fix detection of passwords hashed with MD5

This commit fixes an issue related to the way password verifiers hashed
with MD5 are detected, leading to possibly detect that plain passwords
are legit MD5 hashes. A MD5-hashed entry was checked based on if its
header uses "md5" and if the string length matches what is expected.
Unfortunately the code never checked if the hash only used hexadecimal
characters after the three-character prefix.

Fix 9.6 down to 9.4, where this code is present. This area of the code
has changed in 10 and upwards with the introduction of SCRAM, which led
to a different fix committed as of ccae190.

Reported-by: Tom Lane
Author: Michael Paquier
Reviewed-by: Jonathan Katz
Discussion: https://postgr.es/m/016deb6b-1f0a-8e9f-1833-a8675b170aa9@postgresql.org
Backpatch-through: 9.4

Branch
------
REL9_4_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/a82c06f4001d28c17f67c61b492f774d5e507b31

Modified Files
--------------
src/include/libpq/md5.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

Browse pgsql-committers by date

  From Date Subject
Next Message Andres Freund 2019-04-24 04:42:20 pgsql: Allow pg_class xid & multixid horizons to not be set.
Previous Message Tom Lane 2019-04-23 22:51:48 pgsql: Repair assorted issues in locale data extraction.