database/postgres
database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-05-21 15:54:08 +03:00
Code

Change libpq's internal uses of PQhost() to inspect host field directly.

Browse Source 
Commit 1944cdc98 changed PQhost() to return the hostaddr value when that
is specified and host isn't.  This is a good idea in general, but
fe-auth.c and related files contain PQhost() calls for which it isn't.
Specifically, when we compare SSL certificates or other server identity
information to the host field, we do not want to use hostaddr instead;
that's not what's documented, that's not what happened pre-v10, and
it doesn't seem like a good idea.

Instead, we can just look at connhost[].host directly.  This does what
we want in v10 and up; in particular, if neither host nor hostaddr
were given, the host field will be replaced with the default host name.
That seems useful, and it's likely the reason that these places were
coded to call PQhost() originally (since pre-v10, the stored field was
not replaced with the default).

Back-patch to v10, as 1944cdc98 (just) was.

Discussion: https://postgr.es/m/23287.1533227021@sss.pgh.pa.us
This commit is contained in:
Tom Lane 2018-08-03 12:12:10 -04:00
parent 62038810b7
commit 8d00858baf
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/interfaces/libpq/fe-auth.c
View File

@ -199,7 +199,7 @@ pg_GSS_startup(PGconn *conn, int payloadlen)
min_stat; min_stat;
int maxlen; int maxlen;
gss_buffer_desc temp_gbuf; gss_buffer_desc temp_gbuf;
char *host = PQhost(conn); char *host = conn->connhost[conn->whichhost].host;
if (!(host && host[0] != '\0')) if (!(host && host[0] != '\0'))
{ {
@ -414,7 +414,7 @@ pg_SSPI_startup(PGconn *conn, int use_negotiate, int payloadlen)
{ {
SECURITY_STATUS r; SECURITY_STATUS r;
TimeStamp expire; TimeStamp expire;
char *host = PQhost(conn); char *host = conn->connhost[conn->whichhost].host;
if (conn->sspictx) if (conn->sspictx)
{ {

11
src/interfaces/libpq/fe-secure-openssl.c
View File

@ -483,10 +483,17 @@ verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
char *name; char *name;
const unsigned char *namedata; const unsigned char *namedata;
int result; int result;
char *host = PQhost(conn); char *host = conn->connhost[conn->whichhost].host;
*store_name = NULL; *store_name = NULL;
if (!(host && host[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return -1;
}
/* Should not happen... */ /* Should not happen... */
if (name_entry == NULL) if (name_entry == NULL)
{ {
@ -564,7 +571,7 @@ verify_peer_name_matches_certificate(PGconn *conn)
STACK_OF(GENERAL_NAME) *peer_san; STACK_OF(GENERAL_NAME) *peer_san;
int i; int i;
int rc; int rc;
char *host = PQhost(conn); char *host = conn->connhost[conn->whichhost].host;
/* /*
* If told not to verify the peer name, don't do it. Return true * If told not to verify the peer name, don't do it. Return true