httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n..@apache.org
Subject svn commit: r487905 - in /httpd/httpd/branches/2.2.x/docs/manual/programs: htdigest.xml htpasswd.xml
Date Sat, 16 Dec 2006 22:01:53 GMT
Author: niq
Date: Sat Dec 16 14:01:53 2006
New Revision: 487905

URL: http://svn.apache.org/viewvc?view=rev&rev=487905
Log:
PR#40950: backport security note to htpasswd/htdigest docs.

Modified:
    httpd/httpd/branches/2.2.x/docs/manual/programs/htdigest.xml
    httpd/httpd/branches/2.2.x/docs/manual/programs/htpasswd.xml

Modified: httpd/httpd/branches/2.2.x/docs/manual/programs/htdigest.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/programs/htdigest.xml?view=diff&rev=487905&r1=487904&r2=487905
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/programs/htdigest.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/programs/htdigest.xml Sat Dec 16 14:01:53 2006
@@ -66,4 +66,9 @@
     </dl>
 </section>
 
+<section id="security"><title>Security Considerations</title>
+    <p>This program is not safe as a setuid executable. Do <em>not</em>
make it
+    setuid.</p>
+</section>
+
 </manualpage>

Modified: httpd/httpd/branches/2.2.x/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/programs/htpasswd.xml?view=diff&rev=487905&r1=487904&r2=487905
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/programs/htpasswd.xml Sat Dec 16 14:01:53 2006
@@ -188,8 +188,20 @@
     <em>not</em> be within the Web server's URI space -- that is, they should
     not be fetchable with a browser.</p>
 
+    <p>This program is not safe as a setuid executable. Do <em>not</em>
make it
+    setuid.</p>
+
     <p>The use of the <code>-b</code> option is discouraged, since when
it is
     used the unencrypted password appears on the command line.</p>
+
+    <p>When using the <code>crypt()</code> algorithm, note that only the
first
+    8 characters of the password are used  to form the password. If the supplied
+    password is longer, the extra characters will be silently discarded.</p>
+
+    <p>The SHA encryption format does not use salting: for a given password,
+    there is only one encrypted representation. The <code>crypt()</code> and
+    MD5 formats permute the representation by prepending a random salt string,
+    to make dictionary attacks against the passwords more difficult.</p>
 </section>
 
 <section id="restrictions"><title>Restrictions</title>



Mime
View raw message