apr-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: apr_password_validate on win32 silently mishandles crypted hashes
Date Thu, 27 May 2004 18:53:13 GMT
rbb@rkbloom.net wrote:
>>I think there is still a remaining problem. You said that this clear-text
>>matching is special to windows, but it's not true, as the code goes:
>>#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
>>         apr_cpystrn(sample, passwd, sizeof(sample) - 1);
>>Are you sure this is not a copy-n-paste bug? An inline comment would have made
>>it clear.
> I'm positive it isn't a copy-n-paste bug.  It is me suffering from my
> standard problem of not being 100% clear.  I was generalizing to Windows,
> because Windows is the first platform to have suffered from this problem,
> the rest of the platforms came later, and I don't generally think of them.
> However, the htpasswd docs do clearly state netware.

OK, but you realize that chances are very small that someone will go look for
htpasswd to figure out why apr_password_validate does things in a certain
way. And I couldn't have guessed that while you talked about win32, it was
also relevant to other platforms.

Just trying to save you and others the wasted time in the future, since I'm 
certain I'm not the last person to ask that question :)

Anyways, it's clear to me now, so I'll go and work to find some new bugs to 
report. :)

Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
