From bc0d9ca49d7afabcbfc8e000a40075a9fac1adf6 Mon Sep 17 00:00:00 2001
From: Tatsuo Ishii
Date: Sat, 17 May 2025 15:24:23 +0900
Subject: [PATCH] Suppress unnecessary information upon authentication failure.

Previously a message "password size does not match" was displayed when client authentication failed. This could help an attacker to guess password. Replace it just "password does not match".

Backpatch-through: v4.2
---
 src/auth/pool_auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth/pool_auth.c b/src/auth/pool_auth.c
index 33d887f78..7551a567e 100644
--- a/src/auth/pool_auth.c
+++ b/src/auth/pool_auth.c
@@ -1067,7 +1067,7 @@ do_clear_text_password(POOL_CONNECTION * backend, POOL_CONNECTION * frontend, in
 if (size != backend->pwd_size)
 ereport(ERROR,
 (errmsg("clear text password authentication failed"),
- errdetail("password size does not match")));
+ errdetail("password does not match")));
 if (memcmp(pwd, backend->password, backend->pwd_size) != 0)
 ereport(ERROR,
--
2.39.5
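Review bot: The length mismatch and the memcmp mismatch now carry the same message but are still raised from two separate ereport calls, so the distinction the commit wants to hide survives in the code and one branch can easily drift back to a length-revealing detail in a later edit. If the second ereport's errdetail (outside the hunk) is also "password does not match", the two checks can be folded into a single branch: `if (size != backend->pwd_size || memcmp(pwd, backend->password, backend->pwd_size) != 0)`, with the short-circuit keeping memcmp from reading past a shorter `pwd`. memcmp also returns at the first differing byte, so response timing can still vary with how much of a guess matches; a fixed-time comparison would remove that residual signal, though over a network connection it is probably within noise. do_clear_text_password starts and ends outside the hunk.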