granicus.if.org Git - postgresql/commit

author	Michael Paquier <michael@paquier.xyz>
	Wed, 24 Apr 2019 00:05:25 +0000 (09:05 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Wed, 24 Apr 2019 00:05:25 +0000 (09:05 +0900)
commit	af298f00a1e8d47f37e21567a00558defd492297
tree	a02e187954d68b3cd9956861207d782efd974f60	tree \| snapshot
parent	1e5de96629f639bdb4aa3d67cc49faf0c8c389e5	commit \| diff

Fix detection of passwords hashed with MD5

This commit fixes an issue related to the way password verifiers hashed
with MD5 are detected, leading to possibly detect that plain passwords
are legit MD5 hashes. A MD5-hashed entry was checked based on if its
header uses "md5" and if the string length matches what is expected.
Unfortunately the code never checked if the hash only used hexadecimal
characters after the three-character prefix.

Fix 9.6 down to 9.4, where this code is present. This area of the code
has changed in 10 and upwards with the introduction of SCRAM, which led
to a different fix committed as of ccae190.

Reported-by: Tom Lane
Author: Michael Paquier
Reviewed-by: Jonathan Katz
Discussion: https://postgr.es/m/016deb6b-1f0a-8e9f-1833-a8675b170aa9@postgresql.org
Backpatch-through: 9.4