Participants
PG Bug reporting form
PG Bug reporting form
Bruce Momjian
Bruce Momjian
Attachments
Show all attachments
Thread Outline
#1PG Bug reporting formPG Bug reporting form
Dec 12, 2019
#2Bruce MomjianBruce Momjianto PG Bug reporting form (#1)
Dec 21, 2019

BUG #16164: Sending shared secret in all low case

Started by PG Bug reporting formover 6 years ago2 messagesbugs
Jump to latest
#1PG Bug reporting form
PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16164
Logged by: Min Wang
Email address: min.wang@theice.com
PostgreSQL version: 11.5
Operating system: Red Hat Enterprise Linux Server release 7.6 (Maipo
Description:

Sending shared secret in all low case for RADIUS user authentication

#2Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: PG Bug reporting form (#1)
Re: BUG #16164: Sending shared secret in all low case

On Thu, Dec 12, 2019 at 08:15:22PM +0000, PG Bug reporting form wrote:

The following bug has been logged on the website:

Bug reference: 16164
Logged by: Min Wang
Email address: min.wang@theice.com
PostgreSQL version: 11.5
Operating system: Red Hat Enterprise Linux Server release 7.6 (Maipo
Description:

Sending shared secret in all low case for RADIUS user authentication

This was reported and fixed in November:

/messages/by-id/BC05948D-9509-4F30-A350-7E2C36570CF1@palantir.com

with this commit:

commit 7618eaf5f3
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date: Wed Nov 13 13:41:04 2019 -0500

Avoid downcasing/truncation of RADIUS authentication parameters.

Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists
rather than single values. But its use of SplitIdentifierString
to parse the list format was not very carefully thought through,
because that function thinks it's parsing SQL identifiers, which
means it will (a) downcase the strings and (b) truncate them to
be shorter than NAMEDATALEN. While downcasing should be harmless
for the server names and ports, it's just wrong for the shared
secrets, and probably for the NAS Identifier strings as well.
The truncation aspect is at least potentially a problem too,
though typical values for these parameters would fit in 63 bytes.

Fortunately, we now have a function SplitGUCList that is exactly
the same except for not doing the two unwanted things, so fixing
this is a trivial matter of calling that function instead.

While here, improve the documentation to show how to double-quote
the parameter values. I failed to resist the temptation to do
some copy-editing as well.

Report and patch from Marcos David (bug #16106); doc changes by me.
Back-patch to v10 where the aforesaid commit came in, since this is
arguably a regression from our previous behavior with RADIUS auth.

Discussion: /messages/by-id/16106-7d319e4295d08e70@postgresql.org

Unfortunately the patch didn't make it into our November releases, so
you will have to wait for the next scheduled release in February for a
fix, or build from source and apply this patch. Sorry.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
← Back to Topics