On 24/02/2025 14:55, Greg Sabino Mullane wrote:
Guillaume Lelarge <[email protected] <mailto:[email protected]>> wrote:I'm obviously +1 on this patch since I sent kinda the same patch two weeks agoHa ha, my brain forgot about that one (even though I commented on it!) - apologies for that.
No need to apologize :)
set password_encryption to 'md5'; create user u4 password 'md5u1'; ... It complains that I'm using a plain text password and a MD5- encrypted password. Can't be both. (Probably not an issue with this patch, but rather an issue with the commit that implemented MD5- password warnings.)This is correct - it can be both. Not only are we sending a password in clear text, but we then encrypt it using MD5. Hence, two warnings.If I use a real md5 password, it only complains about MD5 encrypted password:Right. If someone sends us something that looks like an already- encrypted password, we just store it. See get_password_type() in backend/libpq/crypt.c. In which case, the actual password that a client would type in would *not* be what was sent over the wire as part of the ALTER USER / CREATE USER, so we don't complain.
Sounds good to me. -- Guillaume Lelarge Consultant https://dalibo.com
