Home > mailing lists

Re: ProcessStartupPacket(): database_name and user_name truncation - Mailing list pgsql-hackers

From	Drouvot, Bertrand
Subject	Re: ProcessStartupPacket(): database_name and user_name truncation
Date	July 1, 2023 17:02:06
Msg-id	230a77dd-808b-0bb3-9008-7c9db3fddf25@gmail.com Whole thread Raw
In response to	Re: ProcessStartupPacket(): database_name and user_name truncation ("Drouvot, Bertrand" <bertranddrouvot.pg@gmail.com>)
Responses	Re: ProcessStartupPacket(): database_name and user_name truncation Re: ProcessStartupPacket(): database_name and user_name truncation
List	pgsql-hackers

Tree view

Hi,

On 6/30/23 7:32 PM, Drouvot, Bertrand wrote:
> Hi,
> 
> On 6/30/23 5:54 PM, Tom Lane wrote:
>> Nathan Bossart <nathandbossart@gmail.com> writes:
>>> After taking another look at this, I wonder if it'd be better to fail as
>>> soon as we see the database or user name is too long instead of lugging
>>> them around when authentication is destined to fail.
>>
>> If we're agreed that we aren't going to truncate these identifiers,
>> that seems like a reasonable way to handle it.
>>
> 
> Yeah agree, thanks Nathan for the idea.
> I'll work on a new patch version proposal.
> 

Please find V2 attached where it's failing as soon as the database name or
user name are detected as overlength.

Regards,

-- 
Bertrand Drouvot
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com

Attachment

v2-0001-Reject-incoming-username-and-database-name-in-cas.patch

pgsql-hackers by date:

From: Tomas Vondra
Date: 01 July 2023, 16:40:47
Subject: possible bug in handling of contrecords in dd38ff28ad (Fix recovery_prefetch with low maintenance_io_concurrency)

From: Joseph Koshakow
Date: 01 July 2023, 18:33:51
Subject: Re: Preventing non-superusers from altering session authorization

Re: ProcessStartupPacket(): database_name and user_name truncation - Mailing list pgsql-hackers

Attachment

Previous

Next