Participants
Tom Lane
Tom Lane
Oliver Elphick
Oliver Elphick
Attachments
Show all attachments
Thread Outline
#1Oliver ElphickOliver Elphick
Nov 01, 2001
#2Tom LaneTom Laneto Oliver Elphick (#1)
Nov 01, 2001
#3Tom LaneTom Laneto Tom Lane (#2)
Nov 01, 2001

Re: [BUGS] user authentication crash by Erik Luke

Started by Oliver Elphickover 24 years ago3 messageshackersbugs
Jump to latest
#1Oliver Elphick
Oliver Elphick
olly@lfix.co.uk
hackers

Tom Lane wrote:

Hmm. I can see how a linefeed in a password would create a problem (it
breaks the line-oriented formatting of the pg_pwd file).

...

In any case it seems like it'd be a good idea to forbid nonprinting
characters in passwords. Comments anyone?

That sounds too restrictive; allowing non-printing characters should
improve password security. Why not simply exclude linefeed and
carriage return? (And possibly ctrl-Q and ctrl-S as well, in case there
is still anyone running a terminal with XON/XOFF flow control.)

--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C

"But they that wait upon the LORD shall renew their
strength; they shall mount up with wings as eagles;
they shall run, and not be weary; and they shall walk,
and not faint." Isaiah 40:31

Import Notes
Reply to msg id not found: MessagefromTomLanetgl@sss.pgh.pa.usofThu01Nov2001002825EST.20819.1004592505@sss.pgh.pa.us
#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Oliver Elphick (#1)
hackers
Re: [BUGS] user authentication crash by Erik Luke (20-08-2001; 1.3kb)

"Oliver Elphick" <olly@lfix.co.uk> writes:

Tom Lane wrote:

Hmm. I can see how a linefeed in a password would create a problem (it
breaks the line-oriented formatting of the pg_pwd file).

...

In any case it seems like it'd be a good idea to forbid nonprinting
characters in passwords. Comments anyone?

That sounds too restrictive; allowing non-printing characters should
improve password security. Why not simply exclude linefeed and
carriage return?

Actually it seems that linefeed and tab are the minimum set of
characters that must be excluded to avoid breaking pg_pwd.
Working on it now ...

regards, tom lane

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Tom Lane (#2)
hackersbugs
Re: user authentication crash by Erik Luke (20-08-2001; 1.3kb)

"Thomas Yackel" <yackelt@ohsu.edu> writes:

I was quite surprised that such a small input error could cause the
backend to shutdown. Should psql remove [CR]s that are contained
within ''? (at least for this command)?

I have committed changes that forbid linefeeds and tabs within passwords
and usernames. This should be sufficient to prevent the pg_pwd parser
from becoming confused.

regards, tom lane

Import Notes
Reply to msg id not found: sbe07e58.038@gwsmtp.ohsu.eduReference msg id not found: sbe07e58.038@gwsmtp.ohsu.edu | Resolved by subject fallback
← Back to Topics