Re: BUG #2424: initdb Did Not Escape the Password

From Bruce Momjian
Subject Re: BUG #2424: initdb Did Not Escape the Password
Date
Msg-id 200605262350.k4QNoTO28766@candle.pha.pa.us
In response to Re: BUG #2424: initdb Did Not Escape the Password  (imacat <imacat@mail.imacat.idv.tw>)
Responses Re: BUG #2424: initdb Did Not Escape the Password  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
Your patch has been added to the PostgreSQL unapplied patches list at:

    http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------


imacat wrote:
-- Start of PGP signed section.
>     Has anyone noticed this?  I found that this is not fixed in the 8.1.4
> release.
>
>     I have made a new patch for 8.1.4.  It is attached below.  Please
> tell me if there is any problem.  Thank you.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> diff -u -r postgresql-8.1.4.orig/src/bin/initdb/initdb.c postgresql-8.1.4/src/bin/initdb/initdb.c
> - --- postgresql-8.1.4.orig/src/bin/initdb/initdb.c    2006-02-24 08:55:27.000000000 +0800
> +++ postgresql-8.1.4/src/bin/initdb/initdb.c    2006-05-25 12:30:34.000000000 +0800
> @@ -58,6 +58,7 @@
>  #include <langinfo.h>
>  #endif
>
> +#include "libpq-fe.h"
>  #include "libpq/pqsignal.h"
>  #include "mb/pg_wchar.h"
>  #include "getaddrinfo.h"
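Review bot: The new include of libpq-fe.h at the top of initdb.c makes initdb depend on libpq for PQescapeString, yet the patch as posted touches only initdb.c. If initdb is not already linked against libpq, the matching build change belongs in the same patch; otherwise consider a small local quote-doubling helper so that no new dependency is needed.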
> @@ -1419,9 +1420,10 @@
>  {
>      PG_CMD_DECL;
>
> - -    char       *pwd1,
> +    char       *pwd1, *pwdesc,
>                 *pwd2;
>      char        pwdpath[MAXPGPATH];
> +    size_t pwdlen;
>      struct stat statbuf;
>
>      if (pwprompt)
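Review bot: Style point in the declarations: `*pwdesc` is squeezed onto the `*pwd1` line and `size_t pwdlen;` is separated by a single space, while the surrounding declarations put one name per line and align the names in a column. Give `*pwdesc` its own line after `*pwd2` and align `pwdlen` with the neighbouring declarations.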
> @@ -1483,8 +1485,12 @@
>
>      PG_CMD_OPEN;
>
> +    pwdlen = strlen(pwd1);
> +    pwdesc = (char *)pg_malloc(pwdlen * 2 + 1);
> +    PQescapeString(pwdesc, pwd1, pwdlen);
>      PG_CMD_PRINTF2("ALTER USER \"%s\" WITH PASSWORD '%s';\n",
> - -                   username, pwd1);
> +                   username, pwdesc);
> +    free(pwdesc);
>
>      PG_CMD_CLOSE;
>
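Review bot: `username` in the PG_CMD_PRINTF2 call is still placed raw between the double quotes, so a superuser name containing `"` would break the ALTER USER statement the same way the unescaped password did; it needs its own doubling of `"`. The `pwdlen * 2 + 1` allocation matches the worst case PQescapeString requires. Note that PQescapeString has no connection to consult, so it cannot take the encoding or the server's string-escaping behaviour into account; a comment stating that assumption next to the call would help.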
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFEd0dTi9gubzC5S1wRAjM4AJ9gZGZ4IcbzE+CYX9HcOeMa2o9IpQCdFMyT
> S5N4shISjXRXmrnN/98zAUs=
> =uY5a
> -----END PGP SIGNATURE-----
>
> On Sun, 7 May 2006 06:28:53 GMT
> "imacat" <imacat@mail.imacat.idv.tw> wrote:
> > The following bug has been logged online:
> >
> > Bug reference:      2424
> > Logged by:          imacat
> > Email address:      imacat@mail.imacat.idv.tw
> > PostgreSQL version: 8.1.3
> > Operating system:   Linux
> > Description:        initdb Did Not Escape the Password
> > Details:
> >
> > The initdb seems not to have escaped (PQescapeString) the password.  The
> > following is my test result, with password: ab'ds)24
> >
> > imacat@atlas ~ % initdb -D /tmp/postgres -E utf8 --locale=en_US.utf8 -U
> > postgres -W
> > The files belonging to this database system will be owned by user
> > "postgres".
> > This user must also own the server process.
> >
> > The database cluster will be initialized with locale en_US.utf8.
> >
> > fixing permissions on existing directory /tmp/postgres ... ok
> > creating directory /tmp/postgres/global ... ok
> > creating directory /tmp/postgres/pg_xlog ... ok
> > creating directory /tmp/postgres/pg_xlog/archive_status ... ok
> > creating directory /tmp/postgres/pg_clog ... ok
> > creating directory /tmp/postgres/pg_subtrans ... ok
> > creating directory /tmp/postgres/pg_twophase ... ok
> > creating directory /tmp/postgres/pg_multixact/members ... ok
> > creating directory /tmp/postgres/pg_multixact/offsets ... ok
> > creating directory /tmp/postgres/base ... ok
> > creating directory /tmp/postgres/base/1 ... ok
> > creating directory /tmp/postgres/pg_tblspc ... ok
> > selecting default max_connections ... 100
> > selecting default shared_buffers ... 1000
> > creating configuration files ... ok
> > creating template1 database in /tmp/postgres/base/1 ... ok
> > initializing pg_authid ... ok
> > Enter new superuser password:
> > Enter it again:
> > setting password ... FATAL:  syntax error at or near "ds" at character 41
> > child process exited with exit code 1
> > initdb: removing contents of data directory "/tmp/postgres"
> > imacat@atlas ~ %
> >
> >     I have attached a patch that seems to solve this issue.  It works
> > for me.  Please tell me if there is any problem.
>
> --
> Best regards,
> imacat ^_*' <imacat@mail.imacat.idv.tw>
> PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt
>
> <<Woman's Voice>> News: http://www.wov.idv.tw/
> Tavern IMACAT's: http://www.imacat.idv.tw/
> TLUG List Manager: http://lists.linux.org.tw/cgi-bin/mailman/listinfo/tlug
-- End of PGP section, PGP failed!

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
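
The failure in the report above, reproduced as an added example (not initdb's code and not part of the thread): it builds the statement with the patch's format string and the reported password, then finds where the string literal closes. `escape_literal` and `after_literal` are hypothetical helpers; the byte-wise doubling assumes a server that treats backslash as an escape and an encoding such as UTF-8 in which these bytes never occur inside a multibyte character.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string from the PG_CMD_PRINTF2 call in the patch. */
#define STMT_FMT "ALTER USER \"%s\" WITH PASSWORD '%s';\n"

/* Double every ' and \ for use inside '...'. Hypothetical; caller frees. */
static char *escape_literal(const char *src)
{
    char *dst = malloc(strlen(src) * 2 + 1), *p = dst;   /* worst case */
    if (dst == NULL)
        return NULL;
    for (; *src; src++) {
        if (*src == '\'' || *src == '\\')
            *p++ = *src;
        *p++ = *src;
    }
    *p = '\0';
    return dst;
}

/* 1-based position of the character after the closing quote of the
 * first '...' literal in sql; 0 if there is none or it never closes. */
static size_t after_literal(const char *sql)
{
    const char *p = strchr(sql, '\'');
    if (p == NULL)
        return 0;
    for (p++; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                              /* backslash escapes next byte */
        else if (*p == '\'' && *++p != '\'')
            return (size_t) (p - sql) + 1;    /* p is now past the quote */
    }
    return 0;
}

int main(void)
{
    char raw[128], fixed[128];
    char *esc = escape_literal("ab'ds)24");   /* password from the report */
    if (esc == NULL)
        return 1;
    snprintf(raw, sizeof raw, STMT_FMT, "postgres", "ab'ds)24");
    snprintf(fixed, sizeof fixed, STMT_FMT, "postgres", esc);
    printf("raw: %zu, escaped: %zu\n", after_literal(raw), after_literal(fixed));
    free(esc);
    return 0;
}
```

For the unescaped statement the literal closes early and parsing resumes at character 41, the position named in the FATAL message; with the quote doubled the literal runs to the terminating semicolon.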
