Follow-up fixes for SHA-2 patch (commit 749a9e2).

tglsfdc · tglsfdc · commit 969ab9d4f5d1 · 2025-04-07T14:14:28.000-04:00
This changes the check for valid characters in the salt string to only allow plain ASCII letters and digits. The previous coding was locale-dependent which doesn't really seem like a great idea here; moreover it could not work correctly in multibyte encodings. This fixes a careless pointer-use-after-pfree, too. Reported-by: Tom Lane <tgl@sss.pgh.pa.us> Reported-by: Andres Freund <andres@anarazel.de> Author: Bernd Helmle <mailings@oopsware.de> Discussion: https://postgr.es/m/6fab35422df6b6b9727fdcc243c5fa1c667dd3b5.camel@oopsware.de
diff --git a/contrib/pgcrypto/crypt-sha.c b/contrib/pgcrypto/crypt-sha.c
@@ -46,6 +46,7 @@
 #include "postgres.h"
 
 #include "common/string.h"
+#include "mb/pg_wchar.h"
 #include "miscadmin.h"
 
 #include "px-crypt.h"
@@ -58,7 +59,7 @@ typedef enum
 	PGCRYPTO_SHA_UNKOWN
 } PGCRYPTO_SHA_t;
 
-static unsigned char _crypt_itoa64[64 + 1] =
+static const char _crypt_itoa64[64 + 1] =
 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
 /*
@@ -321,10 +322,13 @@ px_crypt_shacrypt(const char *pw, const char *salt, char *passwd, unsigned dstle
 
 		if (*ep != '$')
 		{
-			if (isalpha(*ep) || isdigit(*ep) || (*ep == '.') || (*ep == '/'))
+			if (strchr(_crypt_itoa64, *ep) != NULL)
 				appendStringInfoCharMacro(decoded_salt, *ep);
 			else
-				elog(ERROR, "invalid character in salt string: \"%c\"", *ep);
+				ereport(ERROR,
+						errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+						errmsg("invalid character in salt string: \"%.*s\"",
+							   pg_mblen(ep), ep));
 		}
 		else
 		{
@@ -602,8 +606,6 @@ px_crypt_shacrypt(const char *pw, const char *salt, char *passwd, unsigned dstle
 			elog(ERROR, "unsupported digest length");
 	}
 
-	*cp = '\0';
-
 	/*
 	 * Copy over result to specified buffer.
 	 *
