Hi all,

I have noticed today that the server ignores completely the contents
of SASLInitialResponse. For example with the patch attached called
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index f4397afc64..8fe1c8edfb 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -540,7 +540,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
            conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
            if (!conn->sasl_state)
                goto oom_error;
-           selected_mechanism = SCRAM_SHA256_NAME;
+           selected_mechanism = "kunfoobar";

This sends a custom string to the server to name a SASL mechanism,
about which the server complains with a COMMERROR log:
LOG:  client selected an invalid SASL authentication mechanism
However this error is completely ignored and the server continues
authentication, succeeding if the password is right. It seems to me
that the error that should be returned to the user is a password
mismatch, and that the COMMERROR message is kept only for the server
logs. Attached is a patch to fix the problem.

Open item added as well.


Attachment: scram-trick-server.patch
Description: Binary data

Attachment: fix-sasl-init.patch
Description: Binary data

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to