New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server does not validate correctness of user/password pair provided in EXECUTE STATEMENT operator [CORE5082] #5368
Comments
Modified by: @AlexPeshkoffassignee: Alexander Peshkov [ alexpeshkoff ] |
Commented by: @AlexPeshkoff Password validation code (invokes security plugins) added to external engines connector. Validation is performed only for server connections, in embedded one can still use any user name (like elsewhere for embedded). Simple way to check: |
Modified by: @AlexPeshkoffstatus: Open [ 1 ] => Resolved [ 5 ] resolution: Fixed [ 1 ] Fix Version: 3.0 RC2 [ 10048 ] |
Commented by: @pavel-zotov Try following as SYSDBA (with default password):
=== On build 322289 output will be:Statement failed, SQLSTATE = 28000 Statement failed, SQLSTATE = 28000 Statement failed, SQLSTATE = 28000 WHOAMI SYSDBA WHOAMI SYSDBA WHOAMI SYSDBAWhy SYSDBA can still do EB with password that is empty or contains only of ascii_char(32) symbols ? |
Commented by: @dyemanov Do you have ISC_PASSWORD envvar defined? Looks like empty password is treated as missing password and the envvar is picked instead. |
Commented by: @pavel-zotov Yes, isc_* variables DID exist. But when I've removed them, result is the same: C:\>set isc_user= C:\>set isc_password= C:\>set isc_user C:\>set isc_password= C:\>cd C:\MIX\firebird\QA\fbt-repo\tmp\ C:\MIX\firebird\QA\fbt-repo\tmp>isql /:e30 -i c5082-1.sql -user sysdba -pas masterke Statement failed, SQLSTATE = 28000 Statement failed, SQLSTATE = 28000 Statement failed, SQLSTATE = 28000 WHOAMI SYSDBA WHOAMI SYSDBA WHOAMI SYSDBA C:\MIX\firebird\QA\fbt-repo\tmp> (this was done in cmd.exe) |
Commented by: @AlexPeshkoff Can not reproduce: SQL> execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSDBA' password ' ' into whoami; suspend; end^ WHOAMIStatement failed, SQLSTATE = 28000 |
Commented by: @pavel-zotov C:\MIX\firebird\QA\fbt-repo\tmp>set isc_user C:\MIX\firebird\QA\fbt-repo\tmp>set isc_password Case-1. EMPTY password C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$dat WHOAMISYSDBA Case-2. Password is single space character C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$dat WHOAMISYSDBA Case-3. Password is single TAB character C:\MIX\firebird\QA\fbt-repo\tmp>echo execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$dat WHOAMIStatement failed, SQLSTATE = 28000 ISQL Version: WI-V3.0.0.32289 Firebird 3.0 Release Candidate 2 The same without PIPE mechanism: C:\MIX\firebird\QA\fbt-repo\tmp>isql /:e30 -user sysdba -pas masterke WHOAMISYSDBA SQL> set term ^; execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSD WHOAMISYSDBA SQL> set term ^; execute block returns (whoami varchar(32)) as begin execute statement 'select current_user from rdb$database' as user 'SYSD WHOAMIStatement failed, SQLSTATE = 28000 I've attached screenshots. |
Modified by: @pavel-zotovAttachment: c5082-pipe.PNG [ 12882 ] Attachment: c5082-no_pipe.png [ 12883 ] |
Commented by: @AlexPeshkoff Strange behavior happens when you try to use empty password with user with same name as was used to connect to server. In that case EDS engine is using existing connection and making no new connection does not perform password validation. I'm not sure is it correct to treat a few spaces as empty password, but that's definitely out of scope of this ticket. |
Commented by: @pavel-zotov > when you try to use empty password with user with same name as was used to connect to server So, this is expected behavior, right ? |
Commented by: @AlexPeshkoff I'd say that's this is acceptable for zero-length password but rather strange for a password containing a few spaces. |
Modified by: @pavel-zotovstatus: Resolved [ 5 ] => Resolved [ 5 ] QA Status: No test => Done successfully |
Submitted by: @AlexPeshkoff
Attachments:
c5082-pipe.PNG
c5082-no_pipe.png
Since FB3 regular password validation takes place in remote listener (network server). This makes possible to execute arbitrary statement as any user providing dummy password.
Commits: b0edf78 eacbf41 FirebirdSQL/fbt-repository@62b1649 FirebirdSQL/fbt-repository@1a3e57f
The text was updated successfully, but these errors were encountered: