Thread: Increase limit on max length of the password( pg versions < 14)
Hi hackers, We have encountered an issue (invalid message length) when the password length is > 1000 in pg 11,12,13 versions. This is due to the limit(1000) on the max length of the password. In this case the password is an access token(JWT) which can have varied lengths > 1000. I see that this is already handled for GSS and SSPI authentication tokens where the maximum accepted size is 65535. This is not the case with pg versions >=14 as the limit on max length is 65535(this change was added as part of sanity checks[1]). So we have two options: 1. Backport patch[1] to 11,12,13 2. Change ONLY the limit on the max length of the password(my patch attached). Please let me know your thoughts. Thanks, Mahendrakar. [1]: https://www.postgresql.org/message-id/flat/2003757.1619373089%40sss.pgh.pa.us
Attachment
> On 18 Jul 2023, at 11:30, mahendrakar s <mahendrakarforpg@gmail.com> wrote: > So we have two options: > 1. Backport patch[1] to 11,12,13 > 2. Change ONLY the limit on the max length of the password(my patch attached). We typically only backpatch bugfixes and not functional changes, and this seems to fall in the latter category. As the size of the JWT depends on the number of claims in it, are you able to reduce the number of claims to stay under the limit as a workaround? -- Daniel Gustafsson
Access token length with bare minimal claims is more than 1000 in this case. Workarounds are not possible in production. On Tue, 18 Jul 2023 at 15:10, Daniel Gustafsson <daniel@yesql.se> wrote: > > > On 18 Jul 2023, at 11:30, mahendrakar s <mahendrakarforpg@gmail.com> wrote: > > > So we have two options: > > 1. Backport patch[1] to 11,12,13 > > 2. Change ONLY the limit on the max length of the password(my patch attached). > > We typically only backpatch bugfixes and not functional changes, and this seems > to fall in the latter category. > > As the size of the JWT depends on the number of claims in it, are you able to > reduce the number of claims to stay under the limit as a workaround? > > -- > Daniel Gustafsson >
On 7/18/23 11:30, mahendrakar s wrote: > Hi hackers, > > We have encountered an issue (invalid message length) when the > password length is > 1000 in pg 11,12,13 versions. This is due to the > limit(1000) on the max length of the password. In this case the > password is an access token(JWT) which can have varied lengths > > 1000. I see that this is already handled for GSS and SSPI > authentication tokens where the maximum accepted size is 65535. > > This is not the case with pg versions >=14 as the limit on max length > is 65535(this change was added as part of sanity checks[1]). > > So we have two options: > 1. Backport patch[1] to 11,12,13 > 2. Change ONLY the limit on the max length of the password(my patch attached). > > Please let me know your thoughts. The third option is to upgrade. -- Vik Fearing
Vik Fearing <vik@postgresfriends.org> writes: > On 7/18/23 11:30, mahendrakar s wrote: >> We have encountered an issue (invalid message length) when the >> password length is > 1000 in pg 11,12,13 versions. > The third option is to upgrade. Yeah. I don't see any good reason to consider this behavior change as something other than a new feature. Also, the proposed patch is effectively cherry-picking one single line of the combined effect of two rather large patches (67a472d71 and 9626325da). I'm unconvinced that it does very much of use without the rest of those patches; but we are most certainly not back-patching 67a472d71. regards, tom lane