With the attached patch, I have verified that long (> 8char anyway)

usernames and passwords work correctly in both "password" and "crypt" authorization mode. NOTE: at least on my machine, it seems that the crypt() routines ignore the part of the password beyond 8 characters, so there's no security gain from longer passwords in crypt auth mode. But they don't fail. The login-related part of psql has apparently not been touched since roughly the fall of Rome ;-). It was going through huge pushups to get around the lack of username/login parameters to PQsetdb. I don't know when PQsetdbLogin was added to libpq, but it's there now ... so I was able to rip out quite a lot of crufty code while I was at it. It's possible that there are still bogus length limits on username or password in some of the other PostgreSQL user interfaces besides psql/libpq. I will leave it to other folks to check that code. regards, tom lane

With the attached patch, I have verified that long (> 8char anyway)
usernames and passwords work correctly in both "password" and "crypt" authorization mode. NOTE: at least on my machine, it seems that the crypt() routines ignore the part of the password beyond 8 characters, so there's no security gain from longer passwords in crypt auth mode. But they don't fail. The login-related part of psql has apparently not been touched since roughly the fall of Rome ;-). It was going through huge pushups to get around the lack of username/login parameters to PQsetdb. I don't know when PQsetdbLogin was added to libpq, but it's there now ... so I was able to rip out quite a lot of crufty code while I was at it. It's possible that there are still bogus length limits on username or password in some of the other PostgreSQL user interfaces besides psql/libpq. I will leave it to other folks to check that code. regards, tom lane
99a099d4 · Bruce Momjian · c0d73046 · 99a099d4
Commit 99a099d4 authored Aug 22, 1998 by Bruce Momjian
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 99 deletions

src/bin/psql/psql.c src/bin/psql/psql.c +24 -99

No files found.
--- a/src/bin/psql/psql.c
+++ b/src/bin/psql/psql.c
@@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/bin/psql/Attic/psql.c,v 1.154 1998/08/17 03:50:17 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/bin/psql/Attic/psql.c,v 1.155 1998/08/22 04:49:05 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -132,9 +132,6 @@ static int	tableDesc(PsqlSettings *pset, char *table, FILE *fout);
 static int	objectDescription(PsqlSettings *pset, char *object);
 static int	rightsList(PsqlSettings *pset);
 static void prompt_for_password(char *username, char *password);
-static char *
-make_connect_string(char *host, char *port, char *dbname,
-					char *username, char *password);

 static char *gets_noreadline(char *prompt, FILE *source);
 static char *gets_readline(char *prompt, FILE *source);
@@ -1402,35 +1399,28 @@ do_connect(const char *new_dbname,
 	else
 	{
 		PGconn	   *olddb = pset->db;
-		static char *userenv = NULL;
-		char	   *old_userenv = NULL;
 		const char *dbparam;
-
-		if (new_user != NULL)
-		{
-
-			/*
-			 * PQsetdb() does not allow us to specify the user, so we have
-			 * to do it via PGUSER
-			 */
-			if (userenv != NULL)
-				old_userenv = userenv;
-			userenv = malloc(strlen("PGUSER=") + strlen(new_user) + 1);
-			sprintf(userenv, "PGUSER=%s", new_user);
-			/* putenv() may continue to use memory as part of environment */
-			putenv(userenv);
-			/* can delete old memory if we malloc'ed it */
-			if (old_userenv != NULL)
-				free(old_userenv);
-		}
+		const char *userparam;
+		const char *pwparam;

 		if (strcmp(new_dbname, "-") != 0)
 			dbparam = new_dbname;
 		else
 			dbparam = PQdb(olddb);

-		pset->db = PQsetdb(PQhost(olddb), PQport(olddb),
-						   NULL, NULL, dbparam);
+		if (new_user != NULL && strcmp(new_user, "-") != 0)
+			userparam = new_user;
+		else
+			userparam = PQuser(olddb);
+
+		/* libpq doesn't provide an accessor function for the password,
+		 * so we cheat here.
+		 */
+		pwparam = olddb->pgpass;
+
+		pset->db = PQsetdbLogin(PQhost(olddb), PQport(olddb),
+								NULL, NULL, dbparam, userparam, pwparam);
+
 		if (!pset->quiet)
 		{
 			if (!new_user)
@@ -2765,16 +2755,13 @@ main(int argc, char **argv)

 	if (settings.getPassword)
 	{
-		char		username[9];
-		char		password[9];
-		char	   *connect_string;
+		char		username[100];
+		char		password[100];

 		prompt_for_password(username, password);

-		/* now use PQconnectdb so we can pass these options */
-		connect_string = make_connect_string(host, port, dbname, username, password);
-		settings.db = PQconnectdb(connect_string);
-		free(connect_string);
+		settings.db = PQsetdbLogin(host, port, NULL, NULL, dbname,
+								   username, password);
 	}
 	else
 		settings.db = PQsetdb(host, port, NULL, NULL, dbname);
@@ -2784,7 +2771,7 @@ main(int argc, char **argv)
 	if (PQstatus(settings.db) == CONNECTION_BAD)
 	{
 		fprintf(stderr, "Connection to database '%s' failed.\n", dbname);
-		fprintf(stderr, "%s", PQerrorMessage(settings.db));
+		fprintf(stderr, "%s\n", PQerrorMessage(settings.db));
 		PQfinish(settings.db);
 		exit(1);
 	}
@@ -3018,6 +3005,7 @@ setFout(PsqlSettings *pset, char *fname)
 static void
 prompt_for_password(char *username, char *password)
 {
+	char buf[512];
 	int			length;

 #ifdef HAVE_TERMIOS_H
@@ -3027,13 +3015,11 @@ prompt_for_password(char *username, char *password)
 #endif

 	printf("Username: ");
-	fgets(username, 9, stdin);
+	fgets(username, 100, stdin);
 	length = strlen(username);
 	/* skip rest of the line */
 	if (length > 0 && username[length - 1] != '\n')
 	{
-		static char buf[512];
-
 		do
 		{
 			fgets(buf, 512, stdin);
@@ -3049,7 +3035,7 @@ prompt_for_password(char *username, char *password)
 	t.c_lflag &= ~ECHO;
 	tcsetattr(0, TCSADRAIN, &t);
 #endif
-	fgets(password, 9, stdin);
+	fgets(password, 100, stdin);
 #ifdef HAVE_TERMIOS_H
 	tcsetattr(0, TCSADRAIN, &t_orig);
 #endif
@@ -3058,8 +3044,6 @@ prompt_for_password(char *username, char *password)
 	/* skip rest of the line */
 	if (length > 0 && password[length - 1] != '\n')
 	{
-		static char buf[512];
-
 		do
 		{
 			fgets(buf, 512, stdin);
@@ -3070,62 +3054,3 @@ prompt_for_password(char *username, char *password)

 	printf("\n\n");
 }
-
-static char *
-make_connect_string(char *host, char *port, char *dbname,
-					char *username, char *password)
-{
-	int			connect_string_len = 0;
-	char	   *connect_string;
-
-	if (host)
-		connect_string_len += 6 + strlen(host); /* 6 == "host=" + " " */
-	if (username)
-		connect_string_len += 6 + strlen(username);		/* 6 == "user=" + " " */
-	if (password)
-		connect_string_len += 10 + strlen(password);	/* 10 == "password=" + "
-														 * " */
-	if (port)
-		connect_string_len += 6 + strlen(port); /* 6 == "port=" + " " */
-	if (dbname)
-		connect_string_len += 8 + strlen(dbname);		/* 8 == "dbname=" + " " */
-	connect_string_len += 18;	/* "authtype=password" + null */
-
-	connect_string = (char *) malloc(connect_string_len);
-	if (!connect_string)
-		return 0;
-	connect_string[0] = '\0';
-	if (host)
-	{
-		strcat(connect_string, "host=");
-		strcat(connect_string, host);
-		strcat(connect_string, " ");
-	}
-	if (username)
-	{
-		strcat(connect_string, "user=");
-		strcat(connect_string, username);
-		strcat(connect_string, " ");
-	}
-	if (password)
-	{
-		strcat(connect_string, "password=");
-		strcat(connect_string, password);
-		strcat(connect_string, " ");
-	}
-	if (port)
-	{
-		strcat(connect_string, "port=");
-		strcat(connect_string, port);
-		strcat(connect_string, " ");
-	}
-	if (dbname)
-	{
-		strcat(connect_string, "dbname=");
-		strcat(connect_string, dbname);
-		strcat(connect_string, " ");
-	}
-	strcat(connect_string, "authtype=password");
-
-	return connect_string;
-}