Arrange for the authentication request type to be preserved in

PGconn. Invent a new libpq connection-status function,
PQconnectionUsedPassword() that returns true if the server
demanded a password during authentication, false otherwise.
This may be useful to clients in general, but is immediately
useful to help plug a privilege escalation path in dblink.
Per list discussion and design proposed by Tom Lane.

1 files changed, 17 insertions, 1 deletions

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 13c407d1cc1..a19b444c593 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.345 2007/03/08 19:27:28 mha Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.346 2007/07/08 17:11:51 joe Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -1641,6 +1641,10 @@ keep_going:						/* We will come back to here until there is
 					return PGRES_POLLING_READING;
 				}
 
+				/* save the authentication request type */
+				if (conn->areq == AUTH_REQ_UNK)
+					conn->areq = areq;
+
 				/* Get the password salt if there is one. */
 				if (areq == AUTH_REQ_MD5)
 				{
@@ -1873,6 +1877,7 @@ makeEmptyPGconn(void)
 	conn->std_strings = false;	/* unless server says differently */
 	conn->verbosity = PQERRORS_DEFAULT;
 	conn->sock = -1;
+	conn->areq = AUTH_REQ_UNK;
 #ifdef USE_SSL
 	conn->allow_ssl_try = true;
 	conn->wait_ssl_try = false;
@@ -3441,6 +3446,17 @@ PQsetClientEncoding(PGconn *conn, const char *encoding)
 	return status;
 }
 
+bool
+PQconnectionUsedPassword(const PGconn *conn)
+{
+	if (conn->areq == AUTH_REQ_MD5 ||
+		conn->areq == AUTH_REQ_CRYPT ||
+		conn->areq == AUTH_REQ_PASSWORD)
+		return true;
+	else
+		return false;
+}
+
 PGVerbosity
 PQsetErrorVerbosity(PGconn *conn, PGVerbosity verbosity)
 {