Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.7(EOL), 10.8(EOL), 10.9(EOL)
-
None
Description
password_reuse_check plugin cannot distinguish between username "foo" and password "bar" and username "foob" and password "ar".
To fix that, the string length can be added to the buffer first. Like:
int4store(buff, hostname->length);
|
memcpy(buff+4, hostname->str, hostname->length); |
Attachments
Issue Links
- is caused by
-
MDEV-9245 password "reuse prevention" validation plugin
-
- Closed
-
- relates to
-
-
- Closed
-
Activity
commit 9ec0b36ee8b58ef659ccc718c64724665c387298 (HEAD -> bb-10.7-MDEV-28838, origin/bb-10.7-MDEV-28838)
|
Author: Oleksandr Byelkin <sanja@mariadb.com>
|
Date: Wed Jun 29 14:56:10 2022 +0200
|
|
|
MDEV-28838 password_reuse_check plugin mixes username and password
|
|
To prevent the problem of mixing user name and password and
|
host name and user name we add length of the hostname and user name
|
to the hash.
|
commit 124de673a6a4a1205908eea420f24c8297576924 (HEAD -> bb-10.7-MDEV-28838, origin/bb-10.7-MDEV-28838)
|
Author: Oleksandr Byelkin <sanja@mariadb.com>
|
Date: Wed Jun 29 14:56:10 2022 +0200
|
|
|
MDEV-28838 password_reuse_check plugin mixes username and password
|
|
To prevent the problem of mixing user name and password and
|
host name and user name we add length of the hostname and user name
|
to the hash.
|
test:
--source include/not_embedded.incif (!$PASSWORD_REUSE_CHECK_SO) {skip No PASSWORD_REUSE_CHECK plugin;}install soname "password_reuse_check";set global password_reuse_check_interval= 0;grant select on *.* to user_name@localhost identified by 'test_pwd';grant select on *.* to user_nam@localhost identified by 'etest_pwd';show warnings;drop user user_name@localhost;drop user user_nam@localhost;grant select on *.* to user_name@localhost identified by 'test_pwd';grant select on *.* to tuser_name@localhos identified by 'test_pwd';show warnings;drop user user_name@localhost;drop user tuser_name@localhos;