]> granicus.if.org Git - postgresql/commit
projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d951db2) | patch
Verify that the server constructed the SCRAM nonce correctly.
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Tue, 23 May 2017 09:55:19 +0000 (05:55 -0400)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Tue, 23 May 2017 09:55:19 +0000 (05:55 -0400)
commit1c9b6e818f047e07f1de62b4d11e0c5db2d55ab7
treefbfa448ffd17094640689a9280c45af8ee9eda12tree | snapshot
parentd951db2eff9e31637669a1452a0260616fdb5f50commit | diff
Verify that the server constructed the SCRAM nonce correctly.

The nonce consists of client and server nonces concatenated together. The
client checks the nonce contained the client nonce, but it would get fooled
if the server sent a truncated or even empty nonce.

Reported by Steven Fackler to security@postgresql.org. Neither me or Steven
are sure what harm a malicious server could do with this, but let's fix it.
src/interfaces/libpq/fe-auth-scram.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.