Home > mailing lists

Re: chkpass Major Issue - compares 'contains' and not 'equal' - Mailing list pgsql-bugs

From	Tom Lane
Subject	Re: chkpass Major Issue - compares 'contains' and not 'equal'
Date	June 7, 2018 20:14:54
Msg-id	18834.1528380894@sss.pgh.pa.us Whole thread Raw
In response to	chkpass Major Issue - compares 'contains' and not 'equal' (Eyedia Tech <eyedia@debjyoti.com>)
List	pgsql-bugs

Tree view

Eyedia Tech <eyedia@debjyoti.com> writes:
> To replicate use this:
> create table "user" (uname text, password chkpass);
> insert into "user" values ('user1', 'password')
> select * from "user" where uname = 'user1' and password = 'password1'

That would depend on the behavior of your local version of crypt(3),
but historically, that library function uses only the first eight
characters of the password, which explains this example.

> This is a major issue.

We're not going to treat it as such.  It's clearly documented, see

https://www.postgresql.org/docs/current/static/chkpass.html

FWIW, chkpass is deprecated and has been removed entirely as of PG 11.
It has a lot of design problems above and beyond its reliance on a
40-year-old encryption spec.

            regards, tom lane

pgsql-bugs by date:

From: "David G. Johnston"
Date: 07 June 2018, 20:09:24
Subject: Re: chkpass Major Issue - compares 'contains' and not 'equal'

From: PG Bug reporting form
Date: 07 June 2018, 21:25:05
Subject: BUG #15232: Query execution changes based on using 'explain analyze'or not

Re: chkpass Major Issue - compares 'contains' and not 'equal' - Mailing list pgsql-bugs

Previous

Next