cc1210f0aa
Certain short salts crashed the backend or disclosed a few bytes of backend memory. For existing salt-induced error conditions, emit a message saying as much. Back-patch to 9.0 (all supported versions). Josh Kupershmidt Security: CVE-2015-5288
--
-- crypt() and gen_salt(): bcrypt
--
SELECT crypt('', '$2a$06$RQiOJ.3ELirrXwxIZY8q0O');
crypt
--------------------------------------------------------------
$2a$06$RQiOJ.3ELirrXwxIZY8q0OlGbBEpDmx7IRZlNYvGJ1SHXwNi2cEKK
(1 row)
SELECT crypt('foox', '$2a$06$RQiOJ.3ELirrXwxIZY8q0O');
crypt
--------------------------------------------------------------
$2a$06$RQiOJ.3ELirrXwxIZY8q0OR3CVJrAfda1z26CCHPnB6mmVZD8p0/C
(1 row)
-- error, salt too short:
SELECT crypt('foox', '$2a$');
ERROR: invalid salt
-- error, first digit of count in salt invalid
SELECT crypt('foox', '$2a$40$RQiOJ.3ELirrXwxIZY8q0O');
ERROR: invalid salt
-- error, count in salt too small
SELECT crypt('foox', '$2a$00$RQiOJ.3ELirrXwxIZY8q0O');
ERROR: invalid salt
CREATE TABLE ctest (data text, res text, salt text);
INSERT INTO ctest VALUES ('password', '', '');
UPDATE ctest SET salt = gen_salt('bf', 8);
UPDATE ctest SET res = crypt(data, salt);
SELECT res = crypt(data, res) AS "worked"
FROM ctest;
worked
--------
t
(1 row)
DROP TABLE ctest;