Suppress unnecessary information upon authentication failure.
author Tatsuo Ishii <ishii@postgresql.org>
Sat, 17 May 2025 06:24:23 +0000 (15:24 +0900)
committer Tatsuo Ishii <ishii@postgresql.org>
Sat, 17 May 2025 06:31:25 +0000 (15:31 +0900)
Previously a message "password size does not match" was displayed when
client authentication failed.  This could help an attacker to guess the
password. Replace it with just "password does not match".

Backpatch-through: v4.2

src/auth/pool_auth.c

index 42f350c5e33607ce103fa58cef824682e19ded3c..e4451ab2af3cb548e0f74f30dc0fd6d87d01822f 100644
@@ -1067,7 +1067,7 @@ do_clear_text_password(POOL_CONNECTION * backend, POOL_CONNECTION * frontend, in
                if (size != backend->pwd_size)
                        ereport(ERROR,
                                        (errmsg("clear text password authentication failed"),
-                                        errdetail("password size does not match")));
+                                        errdetail("password does not match")));
 
                if (memcmp(pwd, backend->password, backend->pwd_size) != 0)
                        ereport(ERROR,
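Review bot: the two failure branches still differ in timing even though their errdetail text is now identical; the length mismatch at `if (size != backend->pwd_size)` reports before any comparison runs, while a content mismatch only reports after `memcmp(pwd, backend->password, backend->pwd_size)` has executed, and memcmp itself stops at the first differing byte. If the goal is to stop leaking the password length, consider folding both conditions into one result (the length check ORed with a constant-time comparison over the stored length) and raising a single ereport for the combined failure, so that the response time no longer depends on which of the two checks failed.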