Date: Sun, 9 Nov 2003 11:41:07 -0800
From: Greg Stein
To: dev@httpd.apache.org
Subject: Re: cvs commit: httpd-2.0/modules/aaa mod_authn_anon.c
Message-ID: <20031109114107.A31642@lyra.org>
In-Reply-To: <20031109180226.48572.qmail@minotaur.apache.org>; from nd@apache.org on Sun, Nov 09, 2003 at 06:02:26PM -0000

On Sun, Nov 09, 2003 at 06:02:26PM -0000, nd@apache.org wrote: >... > +++ mod_authn_anon.c 9 Nov 2003 18:02:26 -0000 1.4 >... 
> - /* Is username is OK and password been filled out (if required) */ > - if ((res == AUTH_USER_FOUND) && ((!conf->mustemail) || strlen(sent_pw)) && > - /* does the password look like an email address ? */ > - ((!conf->verifyemail) || > - ((strpbrk("@", sent_pw) != NULL) && > - (strpbrk(".", sent_pw) != NULL)))) { > + if ( (res == AUTH_USER_FOUND) > + && (!conf->mustemail || *sent_pw) > + && ( !conf->verifyemail > + || (ap_strchr_c(sent_pw, '@') && ap_strchr_c(sent_pw, '.')))) > + { That's a rather complicated "if" statement, and you removed the comment. I'd ask that you leave a comment in there to provide a human-readable version of that condition. > if (conf->logemail && ap_is_initial_req(r)) { > ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, > - "Anonymous: Passwd <%s> Accepted", > - sent_pw ? sent_pw : "\'none\'"); > + "Anonymous: Passwd <%s> Accepted", > + sent_pw ? sent_pw : "\'none\'"); > } Hmm. This is taking input from the request and dropping it right into the log. I don't recall what our policy is around there. Do we need to escape it in any way? (e.g. remove newlines) Cheers, -g -- Greg Stein, http://www.lyra.org/
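
Review bot: in the rewritten condition, *sent_pw and both ap_strchr_c(sent_pw, ...) calls dereference sent_pw unconditionally, while the log call further down in the same patch still treats it as possibly NULL (sent_pw ? sent_pw : ...). One of the two is inconsistent: either add a NULL check on sent_pw to the condition, or drop the NULL fallback in the log call if sent_pw is guaranteed non-NULL at this point. The two removed comments also said what each clause tests; a short comment above the if (user found, password present if required, password contains '@' and '.' if verification is on) would restore that.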
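
Review bot: the ap_log_rerror call in the logemail block passes sent_pw, which comes from the client, to %s with no escaping, and the - and + lines carry the same text, so that behaviour is unchanged by this commit. A value containing CR or LF would split the entry across lines and make the error log ambiguous to anyone reading or parsing it. Escape control characters before logging, for example by passing ap_escape_logitem(r->pool, sent_pw) instead of sent_pw. The backslashes in "\'none\'" are also unnecessary inside a double-quoted string.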
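
The escaping asked about at the end of the message above, as an added example that is not part of the original mail or of httpd's code. The names escape_for_log and log_line_count are hypothetical, and the sample password is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not an httpd API: returns a malloc'd copy of `in`
 * in which every byte that could break or disguise a log line is escaped.
 * NULL input is treated as an empty string. Caller frees the result. */
char *escape_for_log(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    const char *s = in ? in : "";
    char *out = malloc(4 * strlen(s) + 1); /* worst case: all bytes -> \xHH */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\n' || c == '\r' || c == '\t' || c == '\\') {
            *p++ = '\\';
            *p++ = c == '\n' ? 'n' : c == '\r' ? 'r' : c == '\t' ? 't' : '\\';
        } else if (c < 0x20 || c >= 0x7f) {  /* other control and non-ASCII bytes */
            *p++ = '\\'; *p++ = 'x';
            *p++ = hex[c >> 4]; *p++ = hex[c & 0x0f];
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Number of physical lines a log entry would occupy in the file. */
int log_line_count(const char *entry)
{
    int lines = 1;
    for (; *entry; entry++)
        if (*entry == '\n')
            lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample: a "password" carrying a CRLF and a fake entry. */
    const char *sent_pw = "a@b.c\r\n[info] forged entry";
    char *safe = escape_for_log(sent_pw);

    if (safe == NULL)
        return 1;
    printf("raw spans %d lines, escaped spans %d\n",
           log_line_count(sent_pw), log_line_count(safe));
    printf("Anonymous: Passwd <%s> Accepted\n", safe);
    free(safe);
    return 0;
}
```

Escaping the backslash itself keeps the output unambiguous: a literal "\n" typed by the client is logged as "\\n" and cannot be confused with an escaped newline.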