postgres/contrib/pgcrypto/expected/crypt-des.out
Noah Misch 4d6752277e pgcrypto: Detect and report too-short crypt() salts.
Certain short salts crashed the backend or disclosed a few bytes of
backend memory.  For existing salt-induced error conditions, emit a
message saying as much.  Back-patch to 9.0 (all supported versions).

Josh Kupershmidt

Security: CVE-2015-5288
2015-10-05 10:06:33 -04:00


--
-- crypt() and gen_salt(): crypt-des
--
-- Expected psql output for the traditional DES crypt() tests: each statement
-- is echoed and followed by the result it must produce.
-- NOTE(review): comments are echoed into this output, so a comment added
-- here presumably has to appear in the matching .sql input too -- confirm.
-- Traditional DES crypt takes a 2-character salt and only considers the
-- first 8 characters of the password; it is a legacy algorithm, and new
-- password storage should use a stronger gen_salt() type such as 'bf'.
-- Known-answer check: empty password with the fixed salt 'NB'. The salt is
-- carried as the first two characters of the resulting hash.
SELECT crypt('', 'NB');
crypt
---------------
NBPx/38Y48kHg
(1 row)
-- Known-answer check: non-empty password with the same fixed salt.
SELECT crypt('foox', 'NB');
crypt
---------------
NB53EGGqrrb5E
(1 row)
-- We are supposed to pass in a 2-character salt.
-- error since salt is too short:
-- A 1-character salt must be rejected with "invalid salt" instead of being
-- processed; this is the too-short-salt condition tracked as CVE-2015-5288.
SELECT crypt('password', 'a');
ERROR: invalid salt
-- Round trip: generate a salt, hash the password, then verify it.
CREATE TABLE ctest (data text, res text, salt text);
INSERT INTO ctest VALUES ('password', '', '');
-- gen_salt('des') produces a fresh salt for the DES algorithm.
UPDATE ctest SET salt = gen_salt('des');
UPDATE ctest SET res = crypt(data, salt);
-- Verification passes the stored hash as the salt argument: crypt() reads
-- the salt back out of it, so a matching password reproduces the same hash.
SELECT res = crypt(data, res) AS "worked"
FROM ctest;
worked
--------
t
(1 row)
-- Clean up the scratch table used by the round trip.
DROP TABLE ctest;