Date: Sat, 11 May 2002 22:33:30 +0400 (MSD) From: "Andrey V. Pevnev" <andrey@mgul.ac.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/37958: pam-pgsql-0.5.2_2 port makes wrong SQL quires Message-ID: <200205111833.g4BIXULA050400@ns1.mgul.ac.ru>
next in thread | raw e-mail | index | archive | help
>Number: 37958
>Category: ports
>Synopsis: pam-pgsql-0.5.2_2 port makes wrong SQL quires
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 11 11:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Andrey V. Pevnev
>Release: FreeBSD 4.5-RELEASE-p4 i386
>Organization:
Moscow State Forestry University
>Environment:
System: FreeBSD ns1.mgul.ac.ru 4.5-RELEASE-p4 FreeBSD 4.5-RELEASE-p4 #0: Thu Apr 25 19:08:55 MSD 2002 andrey@ns1.mgul.ac.ru:/usr/obj/usr/src/sys/NS1 i386
pam-pgsql-0.5.2_2 port
>Description:
This port makest wrong quries to database when we trying to use
account_expired and/or password_expired columns. It makes quiries like
select 1 from persons where login='user' and disabled='y' or disabled='1';
so if just one line in the table will have disabled='1' ALL users will
be disabled!
The correct query will be: select 1 from persons where login='user' and (disabled='y' or disabled='1');
>How-To-Repeat:
Just install this port and try to use expired or password_need_change columns with the value of '1'
>Fix:
Note: thist patch also fixes ports/37628 (bug in README)
--- pam_pgsql.patch begins here ---
--- README.old Sat May 11 22:14:56 2002
+++ README Sat May 11 22:16:43 2002
@@ -73,6 +73,7 @@
Configuration Options
=====================
+ host - the database server
database - the database which should be connected to
table - the table containing the authentication data
user - the username used when connecting to PostgreSQL
@@ -85,5 +86,5 @@
needs to change their password
debug - this is a standard module option that will enable
debug output to syslog (takes no values)
- pwtype - specifies the password encryption scheme, can be one
+ pw_type - specifies the password encryption scheme, can be one
of 'clear', 'md5', or 'crypt'. defaults to 'clear'.
--- pam_pgsql.c.old Sat May 11 22:13:33 2002
+++ pam_pgsql.c Sat May 11 22:13:42 2002
@@ -536,9 +536,9 @@
/* if account has expired then expired_column = '1' or 'y' */
if(options->expired_column) {
- DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", options->table, options->user_column, user, options->expired_column, options->expired_column);
+ DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')", options->table, options->user_column, user, options->expired_column, options->expired_column);
if(pg_exec(options, conn, &res,
- "SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'" ,
+ "SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')" ,
options->table,
options->user_column,
user_s,
@@ -559,9 +559,9 @@
/* if new password is required then newtok_column = 'y' or '1' */
if(options->newtok_column) {
- DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'", options->table, options->user_column, user, options->newtok_column, options->newtok_column);
+ DBGLOG("query: SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')", options->table, options->user_column, user, options->newtok_column, options->newtok_column);
if(pg_exec(options, conn, &res,
- "SELECT 1 FROM %s WHERE %s='%s' AND %s='y' OR %s='1'",
+ "SELECT 1 FROM %s WHERE %s='%s' AND (%s='y' OR %s='1')",
options->table,
options->user_column,
user_s,
--- pam_pgsql.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205111833.g4BIXULA050400>