Suppress unnecessary information upon authentication failure.
author    Tatsuo Ishii <ishii@postgresql.org>
          Sat, 17 May 2025 06:24:23 +0000 (15:24 +0900)
committer Tatsuo Ishii <ishii@postgresql.org>
          Sat, 17 May 2025 06:31:40 +0000 (15:31 +0900)
Previously a message "password size does not match" was displayed when
client authentication failed.  This could help an attacker to guess the
password. Replace it with just "password does not match".

Backpatch-through: v4.2

src/auth/pool_auth.c

index b6bec79e238afc3ba94de7d7e1ad9fdb6cd9ccf4..6d78b8528544cc8219811d9acfe19c0dbeb78a63 100644 (file)
@@ -1042,7 +1042,7 @@ do_clear_text_password(POOL_CONNECTION * backend, POOL_CONNECTION * frontend, in
                if (size != backend->pwd_size)
                        ereport(ERROR,
                                        (errmsg("clear text password authentication failed"),
-                                        errdetail("password size does not match")));
+                                        errdetail("password does not match")));
 
                if (memcmp(pwd, backend->password, backend->pwd_size) != 0)
                        ereport(ERROR,
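Review bot: The message text is now identical for both failure paths, but the control flow still differs: the `size != backend->pwd_size` branch raises before `memcmp` runs, and `memcmp` itself returns early at the first differing byte, so the length of the stored password and the position of the first mismatch remain observable as a timing difference even though the errdetail no longer states them. If the goal is to stop leaking password size, consider comparing over a fixed maximum buffer with a constant-time comparison and reporting a single failure after the comparison completes, rather than bailing out early on the length check. Also confirm that the errdetail in the `memcmp` branch (continuing past the visible context) carries the same "password does not match" wording, otherwise the two paths stay distinguishable by message text.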