apr-dev mailing list archives

From "Scott Sanders" <li...@jssjr.com>
Subject Possible bug in apr_dbd_mysql
Date Thu, 31 Jan 2008 15:36:46 GMT

After much frustration I was able to get apr_dbd_mysql compiled and working
on my machine. However, when testing the module I believe I stumbled across
a nasty little bug. My user database was originally designed to store user
passwords as md5 hashes and not the base64 encoded SHA1 digest. To remedy
this I created a new column in the user table called pwd2 and modified my
login routine to populate this column with the encrypted format apache's
basic auth is expecting. This requires everyone to logout and log back in to
the system, of course, but in my environment that's OK. My initial apache
config to secure this section of the site with basic auth set the
AuthDBDUserPWQuery to "SELECT pwd2 FROM users WHERE email=%s AND active=1".
This worked and prevented invalid users (and inactive users) from
authenticating, but if the pwd2 field was empty then any password would
succeed. If pwd2 was NULL then the user was rejected, and if pwd2 had a
string in it the user was rejected (excepting, of course, when pwd2 had the
proper encrypted content).

This has got to be a bug in the apr_dbd_mysql code, but I unfortunately
don't have time right now to track it down and provide a patch. To solve my
problem I changed my query to "SELECT pwd2 FROM users WHERE email=%s AND
active=1 AND pwd2 !=''" but this is an ugly hack. Where is the bugzilla to
file this?
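As an added illustration (not code from the original message, from APR or from httpd), the following Python model reproduces the three pwd2 states the poster describes, runs both his original AuthDBDUserPWQuery and the guarded one beside a validator that fails open on an empty stored hash and one that fails closed. The e-mail addresses, the sqlite table and the function names (sha1_htpasswd, build_db, naive_validate, hardened_validate, authenticate) are constructed for this example; the "{SHA}" base64-of-SHA-1 format is the one Apache basic auth accepts and the one the message says pwd2 was migrated to.

```python
import base64
import hashlib
import hmac
import sqlite3

# Apache-style "{SHA}" hash: base64 of the raw SHA-1 digest, the format the
# poster migrated his pwd2 column to. SHA-1 appears here only to match that format.
def sha1_htpasswd(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

# Constructed sample table (not from the original message) reproducing the
# pwd2 states described: a proper hash, an empty string, NULL, and an inactive user.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pwd2 TEXT, active INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice@example.test", sha1_htpasswd("correct horse"), 1),  # re-logged in, migrated
            ("bob@example.test", "", 1),                               # never re-logged in: pwd2 empty
            ("carol@example.test", None, 1),                           # pwd2 NULL
            ("dave@example.test", sha1_htpasswd("pw"), 0),             # inactive
        ],
    )
    return conn

# The poster's original AuthDBDUserPWQuery and the guarded one he switched to;
# sqlite takes ? where mod_authn_dbd takes %s.
ORIGINAL_QUERY = "SELECT pwd2 FROM users WHERE email=? AND active=1"
GUARDED_QUERY = "SELECT pwd2 FROM users WHERE email=? AND active=1 AND pwd2 != ''"

def lookup(conn: sqlite3.Connection, query: str, email: str):
    """Return the stored hash, or None when no row matched (unknown or inactive user)."""
    row = conn.execute(query, (email,)).fetchone()
    return None if row is None else row[0]

def naive_validate(stored, supplied: str) -> bool:
    """Models the behaviour reported in the message: NULL rejects, a real hash
    must match, but an empty stored hash accepts any password."""
    if stored is None:
        return False
    if stored == "":
        return True  # the fail-open case the poster observed
    return stored == sha1_htpasswd(supplied)

def hardened_validate(stored, supplied: str) -> bool:
    """Fail closed: no row, NULL, empty or unrecognised hash all reject."""
    if not stored or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha1_htpasswd(supplied))

def authenticate(conn: sqlite3.Connection, query: str, validate, email: str, password: str) -> bool:
    """Look the user up with the given query and hand the result to the given validator."""
    return validate(lookup(conn, query, email), password)

if __name__ == "__main__":
    db = build_db()
    for who in ("alice@example.test", "bob@example.test", "carol@example.test", "dave@example.test"):
        print(who,
              "original query + naive:", authenticate(db, ORIGINAL_QUERY, naive_validate, who, "anything"),
              "guarded query + hardened:", authenticate(db, GUARDED_QUERY, hardened_validate, who, "anything"))
```

The `pwd2 != ''` predicate keeps empty rows from ever reaching the validator, which is why the workaround in the message holds; the durable fix is the validator side, since any stored value that is not a recognisable hash has to be treated as "no credential" rather than compared.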