From 51bc3dfe4bda37a452b0d8b70b66929fa94c4f1f Mon Sep 17 00:00:00 2001
From: Joe Conway <mail@joeconway.com>
Date: Sun, 8 Jul 2007 17:11:51 +0000
Subject: [PATCH] Arrange for the authentication request type to be preserved
 in PGconn. Invent a new libpq connection-status function,
 PQconnectionUsedPassword() that returns true if the server demanded a
 password during authentication, false otherwise. This may be useful to
 clients in general, but is immediately useful to help plug a privilege
 escalation path in dblink. Per list discussion and design proposed by Tom
 Lane.

---
 doc/src/sgml/libpq.sgml           | 16 +++++++++++++++-
 src/include/libpq/pqcomm.h        |  3 ++-
 src/interfaces/libpq/exports.txt  |  3 ++-
 src/interfaces/libpq/fe-connect.c | 18 +++++++++++++++++-
 src/interfaces/libpq/libpq-fe.h   |  6 ++++--
 src/interfaces/libpq/libpq-int.h  |  3 ++-
 6 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 1a4118174e8..bbaade6944f 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.235 2007/03/30 03:19:02 momjian Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.236 2007/07/08 17:11:50 joe Exp $ -->
 
  <chapter id="libpq">
   <title><application>libpq</application> - C Library</title>
@@ -1059,6 +1059,20 @@ SSL *PQgetssl(const PGconn *conn);
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><function>PQconnectionUsedPassword</function><indexterm><primary>PQconnectionUsedPassword</></></term>
+     <listitem>
+      <para>
+       Returns true (1) if the connection authentication method
+       required a password to be supplied. Returns false (0)
+       otherwise.
+       <synopsis>
+       bool PQconnectionUsedPassword(const PGconn *conn);
+       </synopsis>
+      </para>
+     </listitem>
+    </varlistentry>
+
 </variablelist>
 </para>
 
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index 140d6ba0c5d..047940b7adf 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -9,7 +9,7 @@
  * Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.102 2007/01/05 22:19:55 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.103 2007/07/08 17:11:51 joe Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -156,6 +156,7 @@ extern bool Db_user_namespace;
 #define AUTH_REQ_CRYPT		4	/* crypt password */
 #define AUTH_REQ_MD5		5	/* md5 password */
 #define AUTH_REQ_SCM_CREDS	6	/* transfer SCM credentials */
+#define AUTH_REQ_UNK		7	/* User has not yet attempted to authenticate */
 
 typedef uint32 AuthRequest;
 
diff --git a/src/interfaces/libpq/exports.txt b/src/interfaces/libpq/exports.txt
index 667301aeac9..a0ead41ace5 100644
--- a/src/interfaces/libpq/exports.txt
+++ b/src/interfaces/libpq/exports.txt
@@ -1,4 +1,4 @@
-# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.15 2007/03/03 19:52:46 momjian Exp $
+# $PostgreSQL: pgsql/src/interfaces/libpq/exports.txt,v 1.16 2007/07/08 17:11:51 joe Exp $
 # Functions to be exported by libpq DLLs
 PQconnectdb               1
 PQsetdbLogin              2
@@ -137,3 +137,4 @@ PQdescribePortal          134
 PQsendDescribePrepared    135
 PQsendDescribePortal      136
 lo_truncate               137
+PQconnectionUsedPassword  138
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 13c407d1cc1..a19b444c593 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.345 2007/03/08 19:27:28 mha Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.346 2007/07/08 17:11:51 joe Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -1641,6 +1641,10 @@ keep_going:						/* We will come back to here until there is
 					return PGRES_POLLING_READING;
 				}
 
+				/* save the authentication request type */
+				if (conn->areq == AUTH_REQ_UNK)
+					conn->areq = areq;
+
 				/* Get the password salt if there is one. */
 				if (areq == AUTH_REQ_MD5)
 				{
@@ -1873,6 +1877,7 @@ makeEmptyPGconn(void)
 	conn->std_strings = false;	/* unless server says differently */
 	conn->verbosity = PQERRORS_DEFAULT;
 	conn->sock = -1;
+	conn->areq = AUTH_REQ_UNK;
 #ifdef USE_SSL
 	conn->allow_ssl_try = true;
 	conn->wait_ssl_try = false;
@@ -3441,6 +3446,17 @@ PQsetClientEncoding(PGconn *conn, const char *encoding)
 	return status;
 }
 
+bool
+PQconnectionUsedPassword(const PGconn *conn)
+{
+	if (conn->areq == AUTH_REQ_MD5 ||
+		conn->areq == AUTH_REQ_CRYPT ||
+		conn->areq == AUTH_REQ_PASSWORD)
+		return true;
+	else
+		return false;
+}
+
 PGVerbosity
 PQsetErrorVerbosity(PGconn *conn, PGVerbosity verbosity)
 {
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index f89d3e1a4c8..efda5a0049e 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.136 2007/03/03 19:52:46 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-fe.h,v 1.137 2007/07/08 17:11:51 joe Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -23,10 +23,11 @@ extern		"C"
 #include <stdio.h>
 
 /*
- * postgres_ext.h defines the backend's externally visible types,
+ * defines the backend's externally visible types,
  * such as Oid.
  */
 #include "postgres_ext.h"
+#include "postgres_fe.h"
 
 /* Application-visible enum types */
 
@@ -265,6 +266,7 @@ extern int	PQsocket(const PGconn *conn);
 extern int	PQbackendPID(const PGconn *conn);
 extern int	PQclientEncoding(const PGconn *conn);
 extern int	PQsetClientEncoding(PGconn *conn, const char *encoding);
+extern bool	PQconnectionUsedPassword(const PGconn *conn);
 
 /* Get the OpenSSL structure associated with a connection. Returns NULL for
  * unencrypted connections or if any other TLS library is in use. */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 676d2db4d1a..12a9bd83a69 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.119 2007/03/03 19:52:47 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.120 2007/07/08 17:11:51 joe Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -299,6 +299,7 @@ struct pg_conn
 	SockAddr	raddr;			/* Remote address */
 	ProtocolVersion pversion;	/* FE/BE protocol version in use */
 	int			sversion;		/* server version, e.g. 70401 for 7.4.1 */
+	AuthRequest	areq;			/* server demanded password during auth */
 
 	/* Transient state needed while establishing connection */
 	struct addrinfo *addrlist;	/* list of possible backend addresses */
-- 
GitLab