apr-dev mailing list archives

From Geoffrey Young <ge...@modperlcookbook.org>
Subject Re: apr_password_validate on win32 silently mishandles crypted hashes
Date Thu, 27 May 2004 12:34:10 GMT

> I beg your pardon, gentlemen. Would you be so kind as to decide first
> between yourselves whether this is a bug or not? According to Ryan it's
> not a bug; according to your comment above, Bill, it is.

I think there is a bug lurking around, at least someplace.

While I've been up most of the night, so I might not be thinking clearly, it
seems as though if someone were to move a unix-generated crypt .htpasswd
file to win32, mod_auth's call to apr_password_validate would end up simply
comparing the two values for equality, meaning that passing the actual hash
as cleartext would succeed.  At least that's what I see when I boil down the
logic.

APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
                                                const char *hash)
{
...
    else {
        /*
         * It's not our algorithm, so feed it to crypt() if possible.
         */
#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
        apr_cpystrn(sample, passwd, sizeof(sample) - 1);
...
    return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH;
}

--Geoff
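The failure mode Geoff boils down above, reproduced as an added example. This is
not APR's code and not part of the thread: it is a stand-alone C model of the
non-APR branch of apr_password_validate on a platform with no crypt(), beside a
fail-closed variant. The EX_* status values, the cpystrn helper, the HAVE_CRYPT
flag and the 13-character crypt-style string are all hypothetical, constructed
for this example (the string is not a real hash of anything).

```c
#include <stdio.h>
#include <string.h>
#ifdef HAVE_CRYPT
#include <crypt.h>   /* only if the build actually has crypt(); not used by default */
#endif

/* Stand-ins for the APR status codes in the excerpt (values chosen for this
 * example only; not APR's real definitions). */
#define EX_SUCCESS   0
#define EX_EMISMATCH 1
#define EX_ENOTIMPL  2

/* Constructed sample: a 13-character traditional crypt(3)-style string of the
 * kind a unix-generated .htpasswd would hold. Made up, not a real hash. */
#define SAMPLE_CRYPT_HASH "ab01Xy9zQ3kLm"

/* Minimal apr_cpystrn-like copy: at most n-1 bytes, always NUL-terminated. */
static void cpystrn(char *dst, const char *src, size_t n)
{
    if (n == 0)
        return;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

/* $apr1$ (MD5) and {SHA} are the formats APR validates itself; anything else
 * drops into the "feed it to crypt() if possible" branch. */
static int is_apr_format(const char *hash)
{
    return strncmp(hash, "$apr1$", 6) == 0 || strncmp(hash, "{SHA}", 5) == 0;
}

/*
 * Model of the WIN32/BEOS/NETWARE branch as quoted: there is no crypt(), so
 * the caller's password is copied into `sample` unchanged and then compared
 * against the stored hash with strcmp(). The $apr1$/{SHA} paths are not
 * modelled here and simply report EX_ENOTIMPL.
 */
static int validate_no_crypt_fallback(const char *passwd, const char *hash)
{
    char sample[120];

    if (is_apr_format(hash))
        return EX_ENOTIMPL;                     /* out of scope for this example */

    cpystrn(sample, passwd, sizeof(sample));   /* password copied verbatim */
    return (strcmp(sample, hash) == 0) ? EX_SUCCESS : EX_EMISMATCH;
}

/*
 * Fail-closed variant: if this build cannot verify a crypt-format hash, refuse
 * the login instead of comparing the cleartext against the hash. With
 * HAVE_CRYPT defined it would defer to crypt(); without it, it never succeeds.
 */
static int validate_fail_closed(const char *passwd, const char *hash)
{
    if (is_apr_format(hash))
        return EX_ENOTIMPL;                     /* out of scope for this example */

#ifdef HAVE_CRYPT
    {
        const char *c = crypt(passwd, hash);
        return (c && strcmp(c, hash) == 0) ? EX_SUCCESS : EX_EMISMATCH;
    }
#else
    (void)passwd;
    return EX_ENOTIMPL;                         /* no crypt(): cannot verify, so refuse */
#endif
}

int main(void)
{
    /* The real password is rejected by the fallback ... */
    printf("fallback, real password: %d\n",
           validate_no_crypt_fallback("secret", SAMPLE_CRYPT_HASH));
    /* ... but the hash itself, sent as cleartext, is accepted. */
    printf("fallback, hash as password: %d\n",
           validate_no_crypt_fallback(SAMPLE_CRYPT_HASH, SAMPLE_CRYPT_HASH));
    /* The fail-closed variant refuses both when crypt() is unavailable. */
    printf("fail-closed, hash as password: %d\n",
           validate_fail_closed(SAMPLE_CRYPT_HASH, SAMPLE_CRYPT_HASH));
    return 0;
}
```

Compiled without HAVE_CRYPT, the model shows the point of the message: with a
crypt-format entry, the only "password" the fallback accepts is the stored
hash string itself, which is exactly what an attacker who has read the
.htpasswd file holds. The fail-closed variant trades an open login for an
explicit not-implemented result, which is the behaviour a practitioner would
want on a platform that cannot evaluate the hash.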
