Fix handling of non-ASCII passwords

Fixes: #1018
MagicStack · Aug 15, 2023 · 474dd78 · 474dd78
1 parent 511aeb2
commit 474dd78
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 14 deletions.
diff --git a/asyncpg/protocol/coreproto.pyx b/asyncpg/protocol/coreproto.pyx
@@ -634,7 +634,7 @@ cdef class CoreProtocol:
             WriteBuffer msg
 
         msg = WriteBuffer.new_message(b'p')
-        msg.write_bytestring(self.password.encode('ascii'))
+        msg.write_bytestring(self.password.encode('utf-8'))
         msg.end_message()
 
         return msg
@@ -646,7 +646,7 @@ cdef class CoreProtocol:
         msg = WriteBuffer.new_message(b'p')
 
         # 'md5' + md5(md5(password + username) + salt))
-        userpass = ((self.password or '') + (self.user or '')).encode('ascii')
+        userpass = ((self.password or '') + (self.user or '')).encode('utf-8')
         hash = hashlib.md5(hashlib.md5(userpass).hexdigest().\
                 encode('ascii') + salt).hexdigest().encode('ascii')
 

diff --git a/tests/test_connect.py b/tests/test_connect.py
@@ -117,6 +117,9 @@ def test_server_version_02(self):
             self.assertEqual(expected, result)
 
 
+CORRECT_PASSWORD = 'correct\u1680password'
+
+
 class TestAuthentication(tb.ConnectedTestCase):
     def setUp(self):
         super().setUp()
@@ -127,9 +130,9 @@ def setUp(self):
         methods = [
             ('trust', None),
             ('reject', None),
-            ('scram-sha-256', 'correctpassword'),
-            ('md5', 'correctpassword'),
-            ('password', 'correctpassword'),
+            ('scram-sha-256', CORRECT_PASSWORD),
+            ('md5', CORRECT_PASSWORD),
+            ('password', CORRECT_PASSWORD),
         ]
 
         self.cluster.reset_hba()
@@ -151,7 +154,7 @@ def setUp(self):
             create_script.append(
                 'CREATE ROLE {}_user WITH LOGIN{};'.format(
                     username,
-                    ' PASSWORD {!r}'.format(password) if password else ''
+                    f' PASSWORD E{(password or "")!r}'
                 )
             )
 
@@ -241,7 +244,7 @@ async def test_auth_reject(self):
     async def test_auth_password_cleartext(self):
         conn = await self.connect(
             user='password_user',
-            password='correctpassword')
+            password=CORRECT_PASSWORD)
         await conn.close()
 
         with self.assertRaisesRegex(
@@ -253,7 +256,7 @@ async def test_auth_password_cleartext(self):
 
     async def test_auth_password_cleartext_callable(self):
         def get_correctpassword():
-            return 'correctpassword'
+            return CORRECT_PASSWORD
 
         def get_wrongpassword():
             return 'wrongpassword'
@@ -272,7 +275,7 @@ def get_wrongpassword():
 
     async def test_auth_password_cleartext_callable_coroutine(self):
         async def get_correctpassword():
-            return 'correctpassword'
+            return CORRECT_PASSWORD
 
         async def get_wrongpassword():
             return 'wrongpassword'
@@ -291,7 +294,7 @@ async def get_wrongpassword():
 
     async def test_auth_password_cleartext_callable_awaitable(self):
         async def get_correctpassword():
-            return 'correctpassword'
+            return CORRECT_PASSWORD
 
         async def get_wrongpassword():
             return 'wrongpassword'
@@ -310,7 +313,7 @@ async def get_wrongpassword():
 
     async def test_auth_password_md5(self):
         conn = await self.connect(
-            user='md5_user', password='correctpassword')
+            user='md5_user', password=CORRECT_PASSWORD)
         await conn.close()
 
         with self.assertRaisesRegex(
@@ -325,7 +328,7 @@ async def test_auth_password_scram_sha_256(self):
             return
 
         conn = await self.connect(
-            user='scram_sha_256_user', password='correctpassword')
+            user='scram_sha_256_user', password=CORRECT_PASSWORD)
         await conn.close()
 
         with self.assertRaisesRegex(
@@ -362,7 +365,7 @@ async def test_auth_password_scram_sha_256(self):
             await conn.close()
 
         alter_password = \
-            "ALTER ROLE scram_sha_256_user PASSWORD 'correctpassword';"
+            f"ALTER ROLE scram_sha_256_user PASSWORD E{CORRECT_PASSWORD!r};"
         await self.con.execute(alter_password)
         await self.con.execute("SET password_encryption = 'md5';")
 
@@ -372,7 +375,7 @@ async def test_auth_md5_unsupported(self, _):
             exceptions.InternalClientError,
             ".*no md5.*",
         ):
-            await self.connect(user='md5_user', password='correctpassword')
+            await self.connect(user='md5_user', password=CORRECT_PASSWORD)
 
 
 class TestConnectParams(tb.TestCase):