summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b235936)
raw | patch | inline | side by side (parent: b235936)
| author | Tom Lane <tgl@sss.pgh.pa.us> | |
| Tue, 1 Sep 2020 17:14:44 +0000 (13:14 -0400) | ||
| committer | Tom Lane <tgl@sss.pgh.pa.us> | |
| Tue, 1 Sep 2020 17:14:44 +0000 (13:14 -0400) |
Historically there's been a hard-wired assumption here that no line of
a .pgpass file could be as long as NAMEDATALEN*5 bytes. That's a bit
shaky to start off with, because (a) there's no reason to suppose that
host names fit in NAMEDATALEN, and (b) this figure fails to allow for
backslash escape characters. However, it fails completely if someone
wants to use a very long password, and we're now hearing reports of
people wanting to use "security tokens" that can run up to several
hundred bytes. Another angle is that the file is specified to allow
comment lines, but there's no reason to assume that long comment lines
aren't possible.
Rather than guessing at what might be a more suitable limit, let's
replace the fixed-size buffer with an expansible PQExpBuffer. That
adds one malloc/free cycle to the typical use-case, but that's surely
pretty cheap relative to the I/O this code has to do.
Also, add TAP test cases to exercise this code, because there was no
test coverage before.
This reverts most of commit 2eb3bc588, as there's no longer a need for
a warning message about overlength .pgpass lines. (I kept the explicit
check for comment lines, though.)
In HEAD and v13, this also fixes an oversight in 74a308cf5: there's not
much point in explicit_bzero'ing the line buffer if we only do so in two
of the three exit paths.
Back-patch to all supported branches, except that the test case only
goes back to v10 where src/test/authentication/ was added.
Discussion: https://postgr.es/m/4187382.1598909041@sss.pgh.pa.us
a .pgpass file could be as long as NAMEDATALEN*5 bytes. That's a bit
shaky to start off with, because (a) there's no reason to suppose that
host names fit in NAMEDATALEN, and (b) this figure fails to allow for
backslash escape characters. However, it fails completely if someone
wants to use a very long password, and we're now hearing reports of
people wanting to use "security tokens" that can run up to several
hundred bytes. Another angle is that the file is specified to allow
comment lines, but there's no reason to assume that long comment lines
aren't possible.
Rather than guessing at what might be a more suitable limit, let's
replace the fixed-size buffer with an expansible PQExpBuffer. That
adds one malloc/free cycle to the typical use-case, but that's surely
pretty cheap relative to the I/O this code has to do.
Also, add TAP test cases to exercise this code, because there was no
test coverage before.
This reverts most of commit 2eb3bc588, as there's no longer a need for
a warning message about overlength .pgpass lines. (I kept the explicit
check for comment lines, though.)
In HEAD and v13, this also fixes an oversight in 74a308cf5: there's not
much point in explicit_bzero'ing the line buffer if we only do so in two
of the three exit paths.
Back-patch to all supported branches, except that the test case only
goes back to v10 where src/test/authentication/ was added.
Discussion: https://postgr.es/m/4187382.1598909041@sss.pgh.pa.us
| src/interfaces/libpq/fe-connect.c | patch | blob | blame | history | |
| src/test/authentication/t/001_password.pl | patch | blob | blame | history |
index c8ea59e5a2aabcf2d5ec8efb2c1ab88740b5b3e6..0287fb54bb50743e647bb99ed6b8d32e30564060 100644 (file)
{
FILE *fp;
struct stat stat_buf;
-
-#define LINELEN NAMEDATALEN*5
- char buf[LINELEN];
+ PQExpBufferData buf;
if (dbname == NULL || dbname[0] == '\0')
return NULL;
@@ -6517,63 +6515,81 @@ passwordFromFile(const char *hostname, const char *port, const char *dbname,
if (fp == NULL)
return NULL;
+ /* Use an expansible buffer to accommodate any reasonable line length */
+ initPQExpBuffer(&buf);
+
while (!feof(fp) && !ferror(fp))
{
- char *t = buf,
- *ret,
- *p1,
- *p2;
- int len;
+ /* Make sure there's a reasonable amount of room in the buffer */
+ if (!enlargePQExpBuffer(&buf, 128))
+ break;
- if (fgets(buf, sizeof(buf), fp) == NULL)
+ /* Read some data, appending it to what we already have */
+ if (fgets(buf.data + buf.len, buf.maxlen - buf.len, fp) == NULL)
break;
+ buf.len += strlen(buf.data + buf.len);
- len = strlen(buf);
+ /* If we don't yet have a whole line, loop around to read more */
+ if (!(buf.len > 0 && buf.data[buf.len - 1] == '\n') && !feof(fp))
+ continue;
- /* Remove trailing newline */
- if (len > 0 && buf[len - 1] == '\n')
+ /* ignore comments */
+ if (buf.data[0] != '#')
{
- buf[--len] = '\0';
- /* Handle DOS-style line endings, too, even when not on Windows */
- if (len > 0 && buf[len - 1] == '\r')
- buf[--len] = '\0';
- }
+ char *t = buf.data;
+ int len = buf.len;
- if (len == 0)
- continue;
+ /* Remove trailing newline */
+ if (len > 0 && t[len - 1] == '\n')
+ {
+ t[--len] = '\0';
+ /* Handle DOS-style line endings, too */
+ if (len > 0 && t[len - 1] == '\r')
+ t[--len] = '\0';
+ }
- if ((t = pwdfMatchesString(t, hostname)) == NULL ||
- (t = pwdfMatchesString(t, port)) == NULL ||
- (t = pwdfMatchesString(t, dbname)) == NULL ||
- (t = pwdfMatchesString(t, username)) == NULL)
- continue;
+ if (len > 0 &&
+ (t = pwdfMatchesString(t, hostname)) != NULL &&
+ (t = pwdfMatchesString(t, port)) != NULL &&
+ (t = pwdfMatchesString(t, dbname)) != NULL &&
+ (t = pwdfMatchesString(t, username)) != NULL)
+ {
+ /* Found a match. */
+ char *ret,
+ *p1,
+ *p2;
- /* Found a match. */
- ret = strdup(t);
- fclose(fp);
+ ret = strdup(t);
- if (!ret)
- {
- /* Out of memory. XXX: an error message would be nice. */
- return NULL;
- }
+ fclose(fp);
+ termPQExpBuffer(&buf);
- /* De-escape password. */
- for (p1 = p2 = ret; *p1 != ':' && *p1 != '\0'; ++p1, ++p2)
- {
- if (*p1 == '\\' && p1[1] != '\0')
- ++p1;
- *p2 = *p1;
+ if (!ret)
+ {
+ /* Out of memory. XXX: an error message would be nice. */
+ return NULL;
+ }
+
+ /* De-escape password. */
+ for (p1 = p2 = ret; *p1 != ':' && *p1 != '\0'; ++p1, ++p2)
+ {
+ if (*p1 == '\\' && p1[1] != '\0')
+ ++p1;
+ *p2 = *p1;
+ }
+ *p2 = '\0';
+
+ return ret;
+ }
}
- *p2 = '\0';
- return ret;
+ /* No match, reset buffer to prepare for next line. */
+ buf.len = 0;
}
fclose(fp);
+ termPQExpBuffer(&buf);
return NULL;
-
-#undef LINELEN
}
index 3a3b0eb7e80c1923699b943202f46646ea7ef15d..5976d8779364a947e43b286f22a2bef75be9c6d0 100644 (file)
}
else
{
- plan tests => 8;
+ plan tests => 11;
}
$status_string = 'success' if ($expected_res eq 0);
- my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role ]);
+ local $Test::Builder::Level = $Test::Builder::Level + 1;
+
+ my $res = $node->psql('postgres', undef, extra_params => [ '-U', $role, '-w' ]);
is($res, $expected_res,
"authentication $status_string for method $method, role $role");
return;
reset_pg_hba($node, 'md5');
test_role($node, 'scram_role', 'md5', 0);
test_role($node, 'md5_role', 'md5', 0);
+
+# Test .pgpass processing; but use a temp file, don't overwrite the real one!
+my $pgpassfile = "${TestLib::tmp_check}/pgpass";
+
+delete $ENV{"PGPASSWORD"};
+$ENV{"PGPASSFILE"} = $pgpassfile;
+
+append_to_file($pgpassfile, qq!
+# This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file. This very long comment is just here to exercise handling of long lines in the file.
+*:*:postgres:scram_role:pass:this is not part of the password.
+!);
+chmod 0600, $pgpassfile or die;
+
+reset_pg_hba($node, 'password');
+test_role($node, 'scram_role', 'password from pgpass', 0);
+test_role($node, 'md5_role', 'password from pgpass', 2);
+
+append_to_file($pgpassfile, qq!
+*:*:*:md5_role:p\\ass
+!);
+
+test_role($node, 'md5_role', 'password from pgpass', 0);