From: Tatsuo Ishii
Date: Sat, 17 May 2025 06:24:23 +0000 (+0900)
Subject: Suppress unnecessary information upon authentication failure.
X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=bc0d9ca49d7afabcbfc8e000a40075a9fac1adf6;p=pgpool2.git
Suppress unnecessary information upon authentication failure.
Previously a message "password size does not match" was displayed when client authentication failed. This could help an attacker to guess password. Replace it just "password does not match".
Backpatch-through: v4.2
---
diff --git a/src/auth/pool_auth.c b/src/auth/pool_auth.c
index 33d887f78..7551a567e 100644
--- a/src/auth/pool_auth.c
+++ b/src/auth/pool_auth.c
@@ -1067,7 +1067,7 @@ do_clear_text_password(POOL_CONNECTION * backend, POOL_CONNECTION * frontend, in
 if (size != backend->pwd_size)
 ereport(ERROR,
 (errmsg("clear text password authentication failed"),
- errdetail("password size does not match")));
+ errdetail("password does not match")));
 if (memcmp(pwd, backend->password, backend->pwd_size) != 0)
 ereport(ERROR,
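Review bot: The length mismatch is still a separate, earlier failure path from the `memcmp` check below it, so the change only helps if both paths look identical to the client; the second `errdetail` lies outside the hunk, so confirm it carries exactly the same text. Folding both tests into one condition, `if (size != backend->pwd_size || memcmp(pwd, backend->password, backend->pwd_size) != 0)`, would leave a single `ereport` and rule out the two messages drifting apart later. Separately, `memcmp` is not a constant-time comparison, so a timing-safe compare would be the more thorough hardening if the project has one available. do_clear_text_password's body starts and ends outside the hunk.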