Hi all,

I have noticed today that the server completely ignores the contents of SASLInitialResponse. For example, with the patch attached called scram-trick-server:

diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index f4397afc64..8fe1c8edfb 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -540,7 +540,7 @@ pg_SASL_init(PGconn *conn, int payloadlen) conn->sasl_state = pg_fe_scram_init(conn->pguser, password); if (!conn->sasl_state) goto oom_error; - selected_mechanism = SCRAM_SHA256_NAME; + selected_mechanism = "kunfoobar"; } }
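Review bot: the hunk only swaps the string assigned to `selected_mechanism` and leaves `conn->sasl_state` initialised by `pg_fe_scram_init` two lines above, so libpq still drives a full SCRAM-SHA-256 exchange under a mechanism name the server never advertised; that is precisely the mismatch a server should reject, which makes this a good probe but a patch that must never be committed. Suggest keeping it clearly labelled as a test-only change (the hardcoded `"kunfoobar"` literal gives no hint of that in the code itself) and, if it is reused later, turning it into something settable at runtime rather than a source edit.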
This sends a custom string to the server to name a SASL mechanism, about which the server complains with a COMMERROR log:

LOG: client selected an invalid SASL authentication mechanism

However, this error is completely ignored and the server continues authentication, succeeding if the password is right. It seems to me that the error that should be returned to the user is a password mismatch, and that the COMMERROR message should be kept only for the server logs.

Attached is a patch to fix the problem. Open item added as well.

Thanks,
--
Michael
Attachments: scram-trick-server.patch, fix-sasl-init.patch
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
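The exchange the post describes, as an added example that is neither code from the post nor from PostgreSQL: a client encodes a SASLInitialResponse ('p' message: NUL-terminated mechanism name, Int32 length of the initial client response or -1, then the response bytes), and two server-side handlers consume it. The first mirrors the reported behaviour (log the bad mechanism name, then carry on as if SCRAM-SHA-256 had been named); the second is a hypothetical hardened handler that fails authentication on an unknown mechanism. The attached fix-sasl-init.patch is not shown, so the hardened handler, the `AuthError` type, and the "password authentication failed" wording are assumptions for illustration, not the committed fix.

```python
import struct

# Mechanism list the server advertised in AuthenticationSASL; assumed to be
# SCRAM-SHA-256 only, as in the post.
ADVERTISED_MECHANISMS = ("SCRAM-SHA-256",)
INVALID_MECH_LOG = "LOG: client selected an invalid SASL authentication mechanism"


class AuthError(Exception):
    """Hypothetical: raised when the server must fail authentication."""


def build_sasl_initial_response(mechanism, client_first):
    """Client side: encode a 'p' message carrying SASLInitialResponse.
    Layout: String mechanism, Int32 response length (-1 = none), Byte n.
    The 4-byte length field counts itself but not the 'p' type byte."""
    body = mechanism.encode("ascii") + b"\x00"
    if client_first is None:
        body += struct.pack("!i", -1)
    else:
        body += struct.pack("!i", len(client_first)) + client_first
    return b"p" + struct.pack("!i", len(body) + 4) + body


def parse_sasl_initial_response(msg):
    """Server side: decode the message above, rejecting malformed framing."""
    if msg[:1] != b"p":
        raise ValueError("not a SASLInitialResponse ('p') message")
    (length,) = struct.unpack("!i", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    body = msg[5:]
    nul = body.find(b"\x00")
    if nul < 0 or len(body) < nul + 5:
        raise ValueError("mechanism name not NUL-terminated or length missing")
    mechanism = body[:nul].decode("ascii")
    (n,) = struct.unpack("!i", body[nul + 1:nul + 5])
    rest = body[nul + 5:]
    if n == -1:
        if rest:
            raise ValueError("trailing bytes after empty initial response")
        return mechanism, None
    if n < 0 or len(rest) != n:
        raise ValueError("initial response length mismatch")
    return mechanism, rest


def handle_sasl_init_as_reported(msg, log):
    """Behaviour the post reports: the mismatch is logged (COMMERROR goes to
    the server log only) and the SCRAM exchange continues regardless."""
    mechanism, client_first = parse_sasl_initial_response(msg)
    if mechanism not in ADVERTISED_MECHANISMS:
        log.append(INVALID_MECH_LOG)
    return "continue", client_first


def handle_sasl_init_hardened(msg, log):
    """Hypothetical hardened handler (assumption, not the attached fix):
    keep the server-log line, but end the exchange with an authentication
    failure so the client-first data is never fed to SCRAM."""
    mechanism, client_first = parse_sasl_initial_response(msg)
    if mechanism not in ADVERTISED_MECHANISMS:
        log.append(INVALID_MECH_LOG)
        raise AuthError("password authentication failed")
    return "continue", client_first


def run_exchange(msg, handler, log):
    """Drive one SASLInitialResponse through a handler; report the outcome."""
    try:
        state, _ = handler(msg, log)
    except AuthError:
        return "auth-failed"
    return state


if __name__ == "__main__":
    # Constructed client-first message; the nonce is a placeholder.
    trick = build_sasl_initial_response("kunfoobar", b"n,,n=user,r=clientnonce")
    for name, handler in (("as reported", handle_sasl_init_as_reported),
                          ("hardened", handle_sasl_init_hardened)):
        log = []
        print(name, "->", run_exchange(trick, handler, log), log)
```

Running it shows the two outcomes side by side: the reported handler emits the log line and reports `continue`, so the client would go on to succeed with a correct password; the hardened one emits the same log line and reports `auth-failed`. The framing checks in `parse_sasl_initial_response` are there because a server that tolerates a bad mechanism name is likely to be lenient elsewhere too, and a length mismatch should be rejected rather than read past.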