Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
Excerpts from Robert Haas's message of jue dic 22 15:03:36 -0300 2011: > > On Mon, Dec 19, 2011 at 2:42 PM, Alvaro Herrera > wrote: > > Yeah, it is a pretty old bug -- this code was clearly written by some > > rookie that didn't know very well what he was doing. > > Hey, I got that joke. > > I fixed this in master. I'm not going to bother with anything else > unless someone else feels motivated to make it happen. Thanks! :-) -- Álvaro Herrera The PostgreSQL Company - Command Prompt, Inc. PostgreSQL Replication, Consulting, Custom Development, 24x7 support -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
On Mon, Dec 19, 2011 at 2:42 PM, Alvaro Herrera wrote: > Yeah, it is a pretty old bug -- this code was clearly written by some > rookie that didn't know very well what he was doing. Hey, I got that joke. I fixed this in master. I'm not going to bother with anything else unless someone else feels motivated to make it happen. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
Excerpts from Richard Huxton's message of lun dic 19 16:33:31 -0300 2011: > On 19/12/11 16:48, Robert Haas wrote: > > On Sat, Dec 17, 2011 at 3:27 AM, Ross Reedstrom wrote: > >> This should either be fixed by changing the documentation to say to not > >> escape > >> colons or backslashes in the password part, only, or modify this function > >> (PasswordFromFile) to silently unescape the password string. It already > >> copies > >> it. > > > > My vote is for a doc correction in the back-branches and a behavior > > change in master. > > Seems sensible - presumably mentioning "this will be corrected in 9.2"? > > It's clearly not what you'd call "urgent" since nobody else seems to > have noticed before now. Yeah, it is a pretty old bug -- this code was clearly written by some rookie that didn't know very well what he was doing. -- Álvaro Herrera The PostgreSQL Company - Command Prompt, Inc. PostgreSQL Replication, Consulting, Custom Development, 24x7 support -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
On 19/12/11 16:48, Robert Haas wrote: On Sat, Dec 17, 2011 at 3:27 AM, Ross Reedstrom wrote: This should either be fixed by changing the documentation to say to not escape colons or backslashes in the password part, only, or modify this function (PasswordFromFile) to silently unescape the password string. It already copies it. My vote is for a doc correction in the back-branches and a behavior change in master. Seems sensible - presumably mentioning "this will be corrected in 9.2"? It's clearly not what you'd call "urgent" since nobody else seems to have noticed before now. -- Richard Huxton Archonet Ltd -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
On Sat, Dec 17, 2011 at 3:27 AM, Ross Reedstrom wrote: > On Fri, Dec 16, 2011 at 02:55:09PM +, Richard Huxton wrote: >> According to the docs [1], you should escape embedded colons in >> .pgpass (fair enough). Below is PG 9.1.1 >> >> user = "te:st", db = "te:st", password = "te:st" >> >> $ cat ~/.pgpass >> *:*:te:st:te:st:te:st >> $ psql91 -U "te:st" -d "te:st" >> te:st=> >> >> $ cat ~/.pgpass >> *:*:te\:st:te\:st:te:st >> $ psql91 -U "te:st" -d "te:st" >> te:st=> >> >> $ cat ~/.pgpass >> *:*:te\:st:te\:st:te\:st >> $ psql91 -U "te:st" -d "te:st" >> psql: FATAL: password authentication failed for user "te:st" >> password retrieved from file "/home/richardh/.pgpass" >> >> I'm a bit puzzled how it manages without the escaping in the first >> case. There's a lack of consistency though that either needs >> documenting or fixing. > > Hmm, seems the code in fe-connect.c that reads the password out of .pgpass > does this: > > if ((t = pwdfMatchesString(t, hostname)) == NULL || > (t = pwdfMatchesString(t, port)) == NULL || > (t = pwdfMatchesString(t, dbname)) == NULL || > (t = pwdfMatchesString(t, username)) == NULL) > [...] > > pwdfMatchesString 'eats' the stringbuffer until the next unmatched character > or > unescaped colon. If it falls out the bottom of that, the rest of the line is > returned as the candidate password. > > Since the code that does the backslash detection is in pwdfMatchesString(), > and > the password never goes through that function, the escapes are not cleaned up. > > This should either be fixed by changing the documentation to say to not escape > colons or backslashes in the password part, only, or modify this function > (PasswordFromFile) to silently unescape the password string. It already copies > it. My vote is for a doc correction in the back-branches and a behavior change in master. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] Escaping ":" in .pgpass - code or docs bug?
On Fri, Dec 16, 2011 at 02:55:09PM +, Richard Huxton wrote:
> According to the docs [1], you should escape embedded colons in
> .pgpass (fair enough). Below is PG 9.1.1
>
> user = "te:st", db = "te:st", password = "te:st"
>
> $ cat ~/.pgpass
> *:*:te:st:te:st:te:st
> $ psql91 -U "te:st" -d "te:st"
> te:st=>
>
> $ cat ~/.pgpass
> *:*:te\:st:te\:st:te:st
> $ psql91 -U "te:st" -d "te:st"
> te:st=>
>
> $ cat ~/.pgpass
> *:*:te\:st:te\:st:te\:st
> $ psql91 -U "te:st" -d "te:st"
> psql: FATAL: password authentication failed for user "te:st"
> password retrieved from file "/home/richardh/.pgpass"
>
> I'm a bit puzzled how it manages without the escaping in the first
> case. There's a lack of consistency though that either needs
> documenting or fixing.
Hmm, seems the code in fe-connect.c that reads the password out of .pgpass does
this:
if ((t = pwdfMatchesString(t, hostname)) == NULL ||
(t = pwdfMatchesString(t, port)) == NULL ||
(t = pwdfMatchesString(t, dbname)) == NULL ||
(t = pwdfMatchesString(t, username)) == NULL)
[...]
pwdfMatchesString 'eats' the stringbuffer until the next unmatched character or
unescaped colon. If it falls out the bottom of that, the rest of the line is
returned as the candidate password.
Since the code that does the backslash detection is in pwdfMatchesString(), and
the password never goes through that function, the escapes are not cleaned up.
This should either be fixed by changing the documentation to say to not escape
colons or backslashes in the password part, only, or modify this function
(PasswordFromFile) to silently unescape the password string. It already copies
it.
Perhaps something like (WARNING! untested code, rusty C skills):
*** src/interfaces/libpq/fe-connect.c.orig 2011-12-16 17:44:29.265913914
-0600
--- src/interfaces/libpq/fe-connect.c 2011-12-16 17:46:46.137913871 -0600
***
*** 4920,4925
--- 4920,4933
continue;
ret = strdup(t);
fclose(fp);
+
+ /* unescape any residual escaped colons */
+ t = ret;
+ while (t[0]) {
+ if (t[0] == '\\' && (t[1] == ':' || t[1] == '\\'))
+ strcpy(t,t+1);
+ t++;
+
return ret;
}
This would be backward compatible, in that existing working passwords would
continue to work, unless they happen to contain exactly the string '\:' or
'\\', then they'd need to double the backslash.
Ross
--
Ross Reedstrom, Ph.D. reeds...@rice.edu
Systems Engineer & Admin, Research Scientistphone: 713-348-6166
Connexions http://cnx.orgfax: 713-348-3665
Rice University MS-375, Houston, TX 77005
GPG Key fingerprint = F023 82C8 9B0E 2CC6 0D8E F888 D3AE 810E 88F0 BEDE
>
>
> [1] http://www.postgresql.org/docs/9.1/static/libpq-pgpass.html
>
> --
> Richard Huxton
> Archonet Ltd
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers
>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
[HACKERS] Escaping ":" in .pgpass - code or docs bug?
According to the docs [1], you should escape embedded colons in .pgpass (fair enough). Below is PG 9.1.1 user = "te:st", db = "te:st", password = "te:st" $ cat ~/.pgpass *:*:te:st:te:st:te:st $ psql91 -U "te:st" -d "te:st" te:st=> $ cat ~/.pgpass *:*:te\:st:te\:st:te:st $ psql91 -U "te:st" -d "te:st" te:st=> $ cat ~/.pgpass *:*:te\:st:te\:st:te\:st $ psql91 -U "te:st" -d "te:st" psql: FATAL: password authentication failed for user "te:st" password retrieved from file "/home/richardh/.pgpass" I'm a bit puzzled how it manages without the escaping in the first case. There's a lack of consistency though that either needs documenting or fixing. [1] http://www.postgresql.org/docs/9.1/static/libpq-pgpass.html -- Richard Huxton Archonet Ltd -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
