Make cancel request keys longer
authorHeikki Linnakangas <heikki.linnakangas@iki.fi>
Wed, 2 Apr 2025 13:41:48 +0000 (16:41 +0300)
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>
Wed, 2 Apr 2025 13:41:48 +0000 (16:41 +0300)
commita460251f0a1ac987f0225203ff9593704da0b1a9
tree009893fb5dc0e934b15abf6eabfe20fda63b3d4d
parent285613c60a7aff5daaf281c67002483b0d26e715
Make cancel request keys longer

Currently, the cancel request key is a 32-bit token, which isn't very
much entropy. If you want to cancel another session's query, you can
brute-force it. In most environments, an unauthorized cancellation of
a query isn't very serious, but it nevertheless would be nice to have
more protection from it. Hence make the key longer, to make it harder
to guess.

The longer cancellation keys are generated when using the new protocol
version 3.2. For connections using version 3.0, short 4-bytes keys are
still used.

The new longer key length is not hardcoded in the protocol anymore,
the client is expected to deal with variable length keys, up to 256
bytes. This flexibility allows e.g. a connection pooler to add more
information to the cancel key, which might be useful for finding the
connection.

Reviewed-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Reviewed-by: Robert Haas <robertmhaas@gmail.com> (earlier versions)
Discussion: https://www.postgresql.org/message-id/508d0505-8b7a-4864-a681-e7e5edfe32aa@iki.fi
14 files changed:
doc/src/sgml/protocol.sgml
src/backend/storage/ipc/procsignal.c
src/backend/tcop/backend_startup.c
src/backend/tcop/postgres.c
src/backend/utils/init/globals.c
src/backend/utils/init/postinit.c
src/include/libpq/pqcomm.h
src/include/miscadmin.h
src/include/storage/procsignal.h
src/interfaces/libpq/fe-cancel.c
src/interfaces/libpq/fe-connect.c
src/interfaces/libpq/fe-protocol3.c
src/interfaces/libpq/libpq-int.h
src/test/modules/libpq_pipeline/t/001_libpq_pipeline.pl