Re: Possible to store invalid SCRAM-SHA-256 Passwords - Mailing list pgsql-bugs

From Jonathan S. Katz
Subject Re: Possible to store invalid SCRAM-SHA-256 Passwords
Date
Msg-id 265876b8-1a72-89cd-bdcf-e641d93e166c@postgresql.org
In response to Re: Possible to store invalid SCRAM-SHA-256 Passwords  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Possible to store invalid SCRAM-SHA-256 Passwords  (Michael Paquier <michael@paquier.xyz>)
List pgsql-bugs
On 4/22/19 9:10 PM, Tom Lane wrote:
> Michael Paquier <michael@paquier.xyz> writes:
>> There is no point for the second strlen() check, as strspn does the
>> same work.
>
> Um, no --- the strspn call will count the number of bytes of hex
> data, but without also checking strlen, you don't know that there's
> not non-hex trailing junk.

+1; that's why I left the comparison in.

(e.g. "md512345678901234567890123456789012zzz" would pass without strlen).

Jonathan
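The point Tom and Jonathan make above, as an added example that is not code from the thread or from PostgreSQL itself: a weak validator that trusts `strspn()` alone is placed beside one that also compares `strlen()`, and the `"md5...zzz"` string from the message is fed to both. The prefix `"md5"`, the 32-character lowercase hex digest and the function names are assumptions chosen for illustration, not the server's own definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of a stored MD5 verifier: "md5" followed by 32 lowercase hex digits. */
#define MD5_PREFIX      "md5"
#define MD5_HEX_LEN     32
#define MD5_HEX_CHARSET "0123456789abcdef"

/* Weak check: strspn() counts how many leading bytes are hex digits, but says
 * nothing about what follows them, so "md5<32 hex>zzz" is accepted. */
bool is_md5_verifier_weak(const char *s)
{
    if (strncmp(s, MD5_PREFIX, strlen(MD5_PREFIX)) != 0)
        return false;
    const char *hex = s + strlen(MD5_PREFIX);
    return strspn(hex, MD5_HEX_CHARSET) == MD5_HEX_LEN;
}

/* Strict check: the total length must match as well, so the hex run has to
 * reach the terminating NUL and no trailing junk can slip through. */
bool is_md5_verifier(const char *s)
{
    if (strncmp(s, MD5_PREFIX, strlen(MD5_PREFIX)) != 0)
        return false;
    const char *hex = s + strlen(MD5_PREFIX);
    if (strlen(hex) != MD5_HEX_LEN)
        return false;
    return strspn(hex, MD5_HEX_CHARSET) == MD5_HEX_LEN;
}

int main(void)
{
    /* Constructed inputs: a well-formed verifier, the trailing-junk case from
     * the thread, and a digest that is one character short. */
    const char *inputs[] = {
        "md512345678901234567890123456789012",
        "md512345678901234567890123456789012zzz",
        "md51234567890123456789012345678901",
    };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-42s weak=%d strict=%d\n", inputs[i],
               is_md5_verifier_weak(inputs[i]), is_md5_verifier(inputs[i]));
    return 0;
}
```

Running it shows the weak version accepting the second input while the strict version rejects it; both reject the short digest, because `strspn()` returns 31 there. An alternative with the same effect is to check that the byte at `hex + strspn(hex, MD5_HEX_CHARSET)` is the NUL terminator, which folds the length comparison into a single test.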

