Skip to content

Wrong error message on login if the user doesn't exist and WireCrypt is disabled #7723

Closed
Closed
Wrong error message on login if the user doesn't exist and WireCrypt is disabled#7723
Assignees
AlexPeshkoff
Labels
affect-version: 4.0.3affect-version: 5.0 Beta 1fix-version: 4.0.4fix-version: 5.0 RC 1qa: done successfullytype: bug
@aafemt

Description

@aafemt
aafemt
opened on Aug 25, 2023

If WireCrypt is disabled an attempt to attach with non-existing user returns isc_login_error instead of isc_login.

Two problems here:

  1. It leaks security information about user existence.
  2. Some client code explicitly expect isc_login to be returned.
Use CONNECT or CREATE DATABASE to specify a database
SQL> connect localhost:atest user aaaa password 'bbb';
Statement failed, SQLSTATE = 08006
Error occurred during login, please check server firebird.log for details
SQL> connect localhost:atest user abc password 'bbb';
Statement failed, SQLSTATE = 28000
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
SQL> connect localhost:atest user abc password 'def';
Database: localhost:atest, User: ABC

Metadata

Metadata

Assignees

Labels

affect-version: 4.0.3affect-version: 5.0 Beta 1fix-version: 4.0.4fix-version: 5.0 RC 1qa: done successfullytype: bug

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions