Обсуждение: [HACKERS] .pgpass's behavior has changed

Поиск
Список
Период
Сортировка

[HACKERS] .pgpass's behavior has changed

От
Kyotaro HORIGUCHI
Дата:
Hello.

I noticed that the precedence between host and hostaddr in a
connection string is reversed in regard to .pgpass lookup in
devel.

For example the following connection string uses a .pgpass entry
with "127.0.0.1", not "hoge".

"host=hoge hostaddr=127.0.0.1 port=5432 dbname=postgres"


This change was introdueced by the commit
274bb2b3857cc987cfa21d14775cae9b0dababa5 and the current behavior
contradicts the documentation.

https://www.postgresql.org/docs/devel/static/libpq-connect.html

> hostaddr
> ...
>   Note that authentication is likely to fail if host is not the
>   name of the server at network address hostaddr. Also, note that
>   host rather than hostaddr is used to identify the connection in
>   a password file (see Section 33.15, “The Password File”).

I think this should be fixed for the same reason with the
following commit.

> commit 11003eb55658df0caf183eef69c7a97d56a4f2d7
> Author: Robert Haas <rhaas@postgresql.org>
> Date:   Thu Dec 1 14:36:39 2016 -0500
> 
>     libpq: Fix inadvertent change in PQhost() behavior.

But the above also leaves a bug so I sent another patch to fix
it. The attched patch restores the 9.6's beavior of looking up
.pgpass file in the same manner to the aother patch.

regards,

-- 
Kyotaro Horiguchi
NTT Open Source Software Center
*** a/src/interfaces/libpq/fe-connect.c
--- b/src/interfaces/libpq/fe-connect.c
***************
*** 978,986 **** connectOptions2(PGconn *conn)          for (i = 0; i < conn->nconnhost; i++)         {
!             /* Try to get a password for this host from pgpassfile */             conn->connhost[i].password =
!                 passwordFromFile(conn->connhost[i].host,                                  conn->connhost[i].port,
                            conn->dbName,                                  conn->pguser,
 
--- 978,995 ----          for (i = 0; i < conn->nconnhost; i++)         {
!             /*
!              * Try to get a password for this host from pgpassfile. We use host
!              * name rather than host address in the same manner to PQhost().
!              */
!             char *pwhost = conn->connhost[i].host;
! 
!             if (conn->connhost[i].type == CHT_HOST_ADDRESS &&
!                 conn->pghost != NULL && conn->pghost[0] != '\0')
!                 pwhost = conn->pghost;
!              conn->connhost[i].password =
!                 passwordFromFile(pwhost,                                  conn->connhost[i].port,
            conn->dbName,                                  conn->pguser, 

Re: [HACKERS] .pgpass's behavior has changed

От
Michael Paquier
Дата:
On Fri, Apr 28, 2017 at 4:54 PM, Kyotaro HORIGUCHI
<horiguchi.kyotaro@lab.ntt.co.jp> wrote:
> I noticed that the precedence between host and hostaddr in a
> connection string is reversed in regard to .pgpass lookup in
> devel.
>
> For example the following connection string uses a .pgpass entry
> with "127.0.0.1", not "hoge".
>
> "host=hoge hostaddr=127.0.0.1 port=5432 dbname=postgres"
>
>
> This change was introdueced by the commit
> 274bb2b3857cc987cfa21d14775cae9b0dababa5 and the current behavior
> contradicts the documentation.
>
> https://www.postgresql.org/docs/devel/static/libpq-connect.html
>
>> hostaddr
>> ...
>>   Note that authentication is likely to fail if host is not the
>>   name of the server at network address hostaddr. Also, note that
>>   host rather than hostaddr is used to identify the connection in
>>   a password file (see Section 33.15, “The Password File”).
>
> I think this should be fixed for the same reason with the
> following commit.

I am planning to look at your patch more closely, but thinking how
painful it is going to be to check your patch, I think that it would
be a good idea to have a TAP test for pgpass in
src/test/authentication/ to be sure that this never breaks again in
the future. We cannot test all combinations as servers only listen to
unix domains but surely we can get some coverage with libpq.
--
Michael



Re: [HACKERS] .pgpass's behavior has changed

От
Noah Misch
Дата:
On Fri, Apr 28, 2017 at 04:54:32PM +0900, Kyotaro HORIGUCHI wrote:
> I noticed that the precedence between host and hostaddr in a
> connection string is reversed in regard to .pgpass lookup in
> devel.
> 
> For example the following connection string uses a .pgpass entry
> with "127.0.0.1", not "hoge".
> 
> "host=hoge hostaddr=127.0.0.1 port=5432 dbname=postgres"
> 
> 
> This change was introdueced by the commit
> 274bb2b3857cc987cfa21d14775cae9b0dababa5 and the current behavior
> contradicts the documentation.
> 
> https://www.postgresql.org/docs/devel/static/libpq-connect.html
> 
> > hostaddr
> > ...
> >   Note that authentication is likely to fail if host is not the
> >   name of the server at network address hostaddr. Also, note that
> >   host rather than hostaddr is used to identify the connection in
> >   a password file (see Section 33.15, “The Password File”).
> 
> I think this should be fixed for the same reason with the
> following commit.
> 
> > commit 11003eb55658df0caf183eef69c7a97d56a4f2d7
> > Author: Robert Haas <rhaas@postgresql.org>
> > Date:   Thu Dec 1 14:36:39 2016 -0500
> > 
> >     libpq: Fix inadvertent change in PQhost() behavior.
> 
> But the above also leaves a bug so I sent another patch to fix
> it. The attched patch restores the 9.6's beavior of looking up
> .pgpass file in the same manner to the aother patch.

[Action required within three days.  This is a generic notification.]

The above-described topic is currently a PostgreSQL 10 open item.  Robert,
since you committed the patch believed to have created it, you own this open
item.  If some other commit is more relevant or if this does not belong as a
v10 open item, please let us know.  Otherwise, please observe the policy on
open item ownership[1] and send a status update within three calendar days of
this message.  Include a date for your subsequent status update.  Testers may
discover new open items at any time, and I want to plan to get them all fixed
well in advance of shipping v10.  Consequently, I will appreciate your efforts
toward speedy resolution.  Thanks.

[1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com



Re: [HACKERS] .pgpass's behavior has changed

От
Robert Haas
Дата:
On Fri, Apr 28, 2017 at 3:54 AM, Kyotaro HORIGUCHI
<horiguchi.kyotaro@lab.ntt.co.jp> wrote:
> But the above also leaves a bug so I sent another patch to fix
> it. The attched patch restores the 9.6's beavior of looking up
> .pgpass file in the same manner to the aother patch.

Thanks for catching this.  Committed.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: [HACKERS] .pgpass's behavior has changed

От
Kyotaro HORIGUCHI
Дата:
At Mon, 1 May 2017 11:34:41 -0400, Robert Haas <robertmhaas@gmail.com> wrote in
<CA+TgmoZngqbwA_kwgt6yE9ufW53QvbGDQH=ETwxgiCt-sZZpSg@mail.gmail.com>
> On Fri, Apr 28, 2017 at 3:54 AM, Kyotaro HORIGUCHI
> <horiguchi.kyotaro@lab.ntt.co.jp> wrote:
> > But the above also leaves a bug so I sent another patch to fix
> > it. The attched patch restores the 9.6's beavior of looking up
> > .pgpass file in the same manner to the aother patch.
> 
> Thanks for catching this.  Committed.

Thanks!

-- 
Kyotaro Horiguchi
NTT Open Source Software Center