Bruce Momjian <[EMAIL PROTECTED]> writes:
> OK, here is the patch with the suggested changes.  I am sending the
> patch to hackers because there has been so much interest in this.

One minor gripe:

> +             /* If user@, it is a global user, remove '@' */
> +             if (strchr(port->user, '@') == port->user + strlen(port->user)-1)

This code is correct, but it tempts someone to replace the strchr()
with a single-character check on the last character of the string.
Which would introduce the security hole we discussed before.  The
code is okay, but *please* improve the comment to point out that you
are also excluding the case where there are @'s to the left of the
last character.

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?

http://archives.postgresql.org

Reply via email to