httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
Date Mon, 06 Jan 1997 23:13:38 GMT

I remember Dirk was playing with ":"s recently.

Where do we stand on people shooting themselves in the foot with /etc/passwd ?

.. and do we stand on their foot before or after they shoot it ?  :-)

---------- Forwarded message ----------
Date: Mon, 6 Jan 1997 16:50:19 -0500 (EST)
From: Gregory Neil Shapiro <gshapiro@wpi.edu>
To: apache-bugs@apache.org
Cc: aej@wpi.edu
Subject: 1.2B4: Stop password field of AuthUserFile at next colon

Currently, auth_mod.c separates the username and password by the first colon.
However, it sends the rest of the string (after the colon) to crypt for
password comparison.  I believe it should use the same code which
auth_mod_dbm.c uses and stop at the next colon.  That would allow sites to use
/etc/passwd for the AuthUserFile for system-wide functions.  Here is a patch
to accomplish this (you'll notice the code is stolen from mod_auth_dbm.c):

*** src/mod_auth.c~     Tue Dec 24 14:10:29 1996
--- src/mod_auth.c      Mon Jan  6 16:42:09 1997
***************
*** 122,131 ****
        return NULL;
      }
      while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
          if((l[0] == '#') || (!l[0])) continue;
        rpw = l;
          w = getword(r->pool, &rpw, ':');
! 
          if(!strcmp(user,w)) {
            pfclose(r->pool, f);
              return pstrdup (r->pool, rpw);
--- 122,134 ----
        return NULL;
      }
      while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
+         char *colon_pw;
          if((l[0] == '#') || (!l[0])) continue;
        rpw = l;
          w = getword(r->pool, &rpw, ':');
!       /* Password is up to first : if exists */
!       colon_pw = strchr(rpw,':');
!       if (colon_pw) *colon_pw='\0';   
          if(!strcmp(user,w)) {
            pfclose(r->pool, f);
              return pstrdup (r->pool, rpw);
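
Review bot: the truncation at `colon_pw = strchr(rpw,':')` runs on every non-comment line, before the `strcmp(user,w)` test, so each entry in the file is scanned and cut even when the user does not match. Moving the `strchr` and the `'\0'` store inside the `if(!strcmp(user,w))` block, just ahead of `pstrdup (r->pool, rpw)`, would limit the work to the matching entry and put the `colon_pw` declaration next to its only use. The comment "Password is up to first : if exists" is also slightly off: `getword` has already consumed the first colon, so this is the next colon after the username, and the comment should say so. The `*colon_pw='\0';` line carries trailing whitespace, and the three added lines are indented differently from the surrounding context lines.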

