Commit 20bf7b2

Fix PQencryptPasswordConn to work with older server versions.
password_encryption was a boolean before version 10, so cope with "on" and "off".

Also, change the behavior with "plain", to treat it the same as "md5". We're discussing removing the password_encryption='plain' option from the server altogether, which will make this the only reasonable choice, but even if we kept it, it seems best to never send the password in cleartext.

1 parent 0de791e commit 20bf7b2

2 files changed

+17
-8
lines changed


‎doc/src/sgml/libpq.sgml

Lines changed: 3 additions & 1 deletion
@@ -5902,7 +5902,9 @@ char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
59025902
are the cleartext password, and the SQL name of the user it is for.
59035903
<parameter>algorithm</> specifies the encryption algorithm
59045904
to use to encrypt the password. Currently supported algorithms are
5905-
<literal>md5</>, <literal>scram-sha-256</> and <literal>plain</>.
5905+
<literal>md5</> and <literal>scram-sha-256</> (<literal>on</> and
5906+
<literal>off</> are also accepted as aliases for <literal>md5</>, for
5907+
compatibility with older server versions). Note that support for
59065908
<literal>scram-sha-256</> was introduced in <productname>PostgreSQL</>
59075909
version 10, and will not work correctly with older server versions. If
59085910
<parameter>algorithm</> is <symbol>NULL</>, this function will query
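
Review bot: The rewritten sentence listing the supported algorithms drops <literal>plain</> without saying what happens to callers that still pass it. The fe-auth.c part of this commit maps "plain" to "md5" instead of rejecting it, so the documentation should state that <literal>plain</> is still accepted and now yields an MD5 hash rather than the cleartext password; otherwise existing callers have no way to learn that the return value changed.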

‎src/interfaces/libpq/fe-auth.c

Lines changed: 14 additions & 7 deletions
@@ -1168,7 +1168,7 @@ PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
11681168
{
11691169
PQclear(res);
11701170
printfPQExpBuffer(&conn->errorMessage,
1171-
libpq_gettext("password_encryption value too long\n"));
1171+
libpq_gettext("password_encryption value too long\n"));
11721172
returnNULL;
11731173
}
11741174
strcpy(algobuf,val);
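
Review bot: The removed and added libpq_gettext("password_encryption value too long\n") lines differ only in indentation, so this hunk is a whitespace-only change riding along with a behavior fix. Consider leaving it out, or mentioning it in the commit message, so the functional change is easier to audit and to apply to other branches.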
@@ -1177,8 +1177,19 @@ PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
11771177
algorithm=algobuf;
11781178
}
11791179

1180-
/* Ok, now we know what algorithm to use */
1180+
/*
1181+
* Also accept "on" and "off" as aliases for "md5", because
1182+
* password_encryption was a boolean before PostgreSQL 10. We refuse to
1183+
* send the password in plaintext even if it was "off".
1184+
*/
1185+
if (strcmp(algorithm,"on")==0||
1186+
strcmp(algorithm,"off")==0||
1187+
strcmp(algorithm,"plain")==0)
1188+
algorithm="md5";
11811189

1190+
/*
1191+
* Ok, now we know what algorithm to use
1192+
*/
11821193
if (strcmp(algorithm,"scram-sha-256")==0)
11831194
{
11841195
crypt_pwd=pg_fe_scram_build_verifier(passwd);
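
Review bot: The new comment names only "on" and "off", but the third comparison, strcmp(algorithm,"plain")==0, also rewrites the value to "md5". Mention "plain" in the comment so the silent substitution is visible to the next reader. The comparisons are also case-sensitive, so a caller-supplied "ON" or "Off" is not treated as an alias; say in the comment or the documentation whether that is intended.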
@@ -1195,14 +1206,10 @@ PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user,
11951206
}
11961207
}
11971208
}
1198-
elseif (strcmp(algorithm,"plain")==0)
1199-
{
1200-
crypt_pwd=strdup(passwd);
1201-
}
12021209
else
12031210
{
12041211
printfPQExpBuffer(&conn->errorMessage,
1205-
libpq_gettext("unknown password encryption algorithm\n"));
1212+
libpq_gettext("unknown password encryption algorithm\n"));
12061213
returnNULL;
12071214
}
12081215
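
Review bot: The error in the final else branch, "unknown password encryption algorithm\n", does not say which value was rejected. The algorithm name can come from the caller or from the server's password_encryption setting, so including the offending value in the message would make a mismatch between client and server versions much easier to diagnose. Dropping the "plain" branch with crypt_pwd=strdup(passwd) is consistent with the commit's stated goal of never returning the cleartext.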
