Suppress unnecessary information upon authentication failure.
branch: master
author: Tatsuo Ishii <ishii@postgresql.org>
Sat, 17 May 2025 06:24:23 +0000 (15:24 +0900)
committer: Tatsuo Ishii <ishii@postgresql.org>
Sat, 17 May 2025 06:29:28 +0000 (15:29 +0900)
Previously a message "password size does not match" was displayed when
client authentication failed.  This could help an attacker to guess the
password. Replace it with just "password does not match".

Backpatch-through: v4.2

src/auth/pool_auth.c

index 33d887f784917d000b3e73afb7c76270a7b59a8c..7551a567e95180287b18442a62f0f76fff0c6628 100644 (file)
@@ -1067,7 +1067,7 @@ do_clear_text_password(POOL_CONNECTION * backend, POOL_CONNECTION * frontend, in
                if (size != backend->pwd_size)
                        ereport(ERROR,
                                        (errmsg("clear text password authentication failed"),
-                                        errdetail("password size does not match")));
+                                        errdetail("password does not match")));
 
                if (memcmp(pwd, backend->password, backend->pwd_size) != 0)
                        ereport(ERROR,
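Review bot: the two failure paths in this hunk still differ in behaviour even though their errdetail text is now identical: when `size != backend->pwd_size` the function raises ERROR before the `memcmp(pwd, backend->password, backend->pwd_size)` call, so a client can still distinguish a wrong-length guess from a wrong-content guess by response timing, and `memcmp` itself returns early at the first differing byte. Consider folding both checks into one comparison that runs over a fixed length regardless of input (pad or hash-then-compare), e.g. `if (size != backend->pwd_size || constant_time_cmp(pwd, backend->password, backend->pwd_size) != 0)` raising a single ERROR, so that the message unification also removes the timing side channel rather than only the textual one. It would also be worth stating in the commit message whether errdetail is sent to the frontend or only written to the server log, since that determines how much this change actually hides from a remote attacker.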