authorTom Lane <tgl@sss.pgh.pa.us>2019-11-13 13:41:04 -0500
committerTom Lane <tgl@sss.pgh.pa.us>2019-11-13 13:41:04 -0500
commit7618eaf5f315f53619b718e571cd2a2020fb0226 (patch)
tree904edf916aa8148d6ab842468ce865b2a295e77e /src/backend/libpq
parent2c7b5dad6eb1602839e5961b4d4eb6494fe4a1ee (diff)
Avoid downcasing/truncation of RADIUS authentication parameters.
Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists rather than single values. But its use of SplitIdentifierString to parse the list format was not very carefully thought through, because that function thinks it's parsing SQL identifiers, which means it will (a) downcase the strings and (b) truncate them to be shorter than NAMEDATALEN. While downcasing should be harmless for the server names and ports, it's just wrong for the shared secrets, and probably for the NAS Identifier strings as well. The truncation aspect is at least potentially a problem too, though typical values for these parameters would fit in 63 bytes. Fortunately, we now have a function SplitGUCList that is exactly the same except for not doing the two unwanted things, so fixing this is a trivial matter of calling that function instead. While here, improve the documentation to show how to double-quote the parameter values. I failed to resist the temptation to do some copy-editing as well. Report and patch from Marcos David (bug #16106); doc changes by me. Back-patch to v10 where the aforesaid commit came in, since this is arguably a regression from our previous behavior with RADIUS auth. Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org
Diffstat (limited to 'src/backend/libpq')
-rw-r--r--src/backend/libpq/hba.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 7f59a294a4d..cc4b661433f 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1927,7 +1927,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
REQUIRE_AUTH_OPTION(uaRADIUS, "radiusservers", "radius");
- if (!SplitIdentifierString(dupval, ',', &parsed_servers))
+ if (!SplitGUCList(dupval, ',', &parsed_servers))
{
/* syntax error in list */
ereport(elevel,
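Review bot: None of the four changed call sites says why SplitGUCList is used instead of SplitIdentifierString, so a later cleanup could swap the identifier splitter back in and silently restore the downcasing and NAMEDATALEN truncation. A one-line comment above the `if` would record the reason, for example `/* SplitGUCList, not SplitIdentifierString: values must not be downcased or truncated */`. The same applies to the radiusports, radiussecrets and radiusidentifiers hunks. parse_hba_auth_opt starts and ends outside these hunks, so whether such a comment already exists elsewhere in the function is not visible here.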
@@ -1976,7 +1976,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
REQUIRE_AUTH_OPTION(uaRADIUS, "radiusports", "radius");
- if (!SplitIdentifierString(dupval, ',', &parsed_ports))
+ if (!SplitGUCList(dupval, ',', &parsed_ports))
{
ereport(elevel,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -2011,7 +2011,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
REQUIRE_AUTH_OPTION(uaRADIUS, "radiussecrets", "radius");
- if (!SplitIdentifierString(dupval, ',', &parsed_secrets))
+ if (!SplitGUCList(dupval, ',', &parsed_secrets))
{
/* syntax error in list */
ereport(elevel,
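Review bot: The syntax-error branch for radiussecrets reports through `ereport(elevel, ...)`, and the message arguments lie outside the hunk. If that message interpolates the raw option value, a malformed secrets line would copy every shared secret on it into the server log, which is usually readable by more people than pg_hba.conf. This is worth confirming against the full function; if it does, this one message could omit the value, e.g. `errmsg("could not parse RADIUS secret list")`, and rely on whatever file and line context the report already carries. The commit does not introduce this, but it touches the same branch.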
@@ -2033,7 +2033,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
REQUIRE_AUTH_OPTION(uaRADIUS, "radiusidentifiers", "radius");
- if (!SplitIdentifierString(dupval, ',', &parsed_identifiers))
+ if (!SplitGUCList(dupval, ',', &parsed_identifiers))
{
/* syntax error in list */
ereport(elevel,
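Review bot: Case is now preserved for radiusidentifiers (and for radiussecrets in the previous hunk), so an unquoted mixed-case value in pg_hba.conf that used to be sent downcased will be sent as written after this change. Because the fix is back-patched, an installation whose RADIUS server was set up with the downcased secret, or whose policy matches a lower-case NAS identifier, could start rejecting logins after a minor update. A release-note sentence saying so would let operators check their RADIUS side before upgrading. No code change is suggested here.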