Re: Minor issues in .pgpass
From | Fujii Masao |
---|---|
Subject | Re: Minor issues in .pgpass |
Date | |
Msg-id | 39367af6-b3c5-23f7-c1ad-bfad21934399@oss.nttdata.com |
In response to | Re: Minor issues in .pgpass (David Fetter <david@fetter.org>) |
Responses | Re: Minor issues in .pgpass |
List | pgsql-hackers |
On 2020/01/22 9:06, David Fetter wrote:
> On Tue, Jan 21, 2020 at 03:27:50PM +0900, Fujii Masao wrote:
>> Hi,
>>
>> When I was researching the maximum length of password in PostgreSQL
>> to answer the question from my customer, I found that there are two
>> minor issues in .pgpass file.
>>
>> (1) If the length of a line in .pgpass file is larger than 319B,
>>     libpq silently treats each 319B in the line as a separate
>>     setting line.
>
> This seems like a potentially serious bug. For example, a truncated
> password could get retried enough times to raise intruder alarms, and
> it wouldn't be easy to track down.
>
>> (2) The document explains that a line beginning with # is treated
>>     as a comment in .pgpass. But as far as I read the code,
>>     there is no code doing such special handling.
>
> This is a flat-out bug, as it violates a promise the documentation has
> made.
>
>> Also if the length of that "comment" line is larger than 319B,
>> the latter part of the line can be treated as valid setting.
>
>> You may think that these unexpected behaviors are not so harmful
>> in practice because "usually" the length of password setting line is
>> less than 319B and the hostname beginning with # is less likely to be
>> used. But the problem exists. And there are people who want to use
>> large password or to write a long comment (e.g., with multibyte
>> characters like Japanese) in .pgpass, so these may be more harmful
>> in the near future.
>>
>> For (1), I think that we should make libpq warn if the length of a line
>> is larger than 319B, and throw away the remaining part beginning from
>> 320B position. Whether to enlarge the length of a line should be
>> a separate discussion, I think.
>
> Agreed.
>
>> For (2), libpq should treat any lines beginning with # as comments.

Patch attached. This patch does the above (1) and (2).

> Would it make sense for lines starting with whitespace and then # to
> be treated as comments, too, e.g.:

Could you tell me why you want to treat such a line as comment?
Basically I don't want to change the existing rules for parsing
.pgpass file more than necessary.

Regards,

--
Fujii Masao
NTT DATA CORPORATION
Advanced Platform Technology Group
Research and Development Headquarters
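The behaviour described in points (1) and (2) of the thread, reproduced in a small stand-alone C program. This is an added example, not libpq code and not the patch attached to the message; `count_lines`, `make_sample`, `LINELEN` and the 320-byte `fgets()` buffer are assumptions made for illustration, and the sample file contents are constructed.

```c
#include <stdio.h>
#include <string.h>

#define LINELEN 320 /* assumed buffer: 319 bytes + NUL, per the limit in the thread */

/* Count settings lines. harden=0: every fgets() chunk is taken as a line, so a
 * long line splits and '#' is not special (the behaviour reported in the thread).
 * harden=1: skip '#' lines and drop the tail of an over-long line, counting
 * truncated settings lines in *truncated (where a caller would warn). */
int count_lines(FILE *fp, int harden, int *truncated)
{
    char buf[LINELEN];
    int n = 0, c;
    *truncated = 0;
    rewind(fp);
    while (fgets(buf, sizeof(buf), fp) != NULL) {
        int dropped = 0;
        if (harden && strchr(buf, '\n') == NULL)   /* chunk ended before newline */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                dropped = 1;                       /* discard the remainder */
        if (harden && buf[0] == '#')
            continue;                              /* comment, whatever its length */
        *truncated += dropped;
        n++;
    }
    return n;
}

/* Constructed sample: 400-byte comment, normal entry, entry with 400-byte password. */
FILE *make_sample(void)
{
    FILE *fp = tmpfile();
    if (fp != NULL)
        fprintf(fp, "#%0399d\nlocalhost:5432:db:alice:short\n"
                    "localhost:5432:db:bob:%0400d\n", 0, 0);
    return fp;
}

int main(void)
{
    int cut, naive, kept;
    FILE *fp = make_sample();
    if (fp == NULL)
        return 1;
    naive = count_lines(fp, 0, &cut);
    kept = count_lines(fp, 1, &cut);
    printf("naive=%d hardened=%d truncated=%d\n", naive, kept, cut);
    return fclose(fp);
}
```

In naive mode the tail of the long comment and the tail of the long password each surface as an extra "settings line"; in hardened mode only the two real entries remain and the over-long one is flagged.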