httpd-dev mailing list archives

From Martin Kraemer <mar...@apache.org>
Subject [PATCH] Document the 8-byte crypt() restriction
Date Mon, 17 Jan 2005 09:56:37 GMT
As we all know, standard DES crypt() uses only 8 characters of the
password passed to it.  Alas, many people trip over this and expect
a long password to give them better protection. (We got security
reports for this already).

However, there are implementations which provide a concatenation of
several 8-byte-blocks. Do they still use the crypt() API? If not,
then I would propose to add one (or both) of the two attached patches:

<<htpasswd.c.diff>>: 
  Add an error exit to htpasswd which bails with ERR_OVERFLOW if the
  password is too long for crypt() -- a similar exit is taken if the
  password is too long for other reasons, e.g., because it was given on
  the command line but exceeded 8kB in size.

<<htpasswd.xml.diff>>:
  Document the restrictions implied by using DES crypt()


Comments?

  Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
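As an added example (not part of Martin's message, nor of the attached patches, which are not reproduced on this page), a small Python audit that flags htpasswd entries still stored as traditional DES crypt() hashes and mirrors the proposed length check; the sample file, the ERR_OVERFLOW value and all function names are constructed for this illustration.

```python
import re

DES_CRYPT_MAX = 8   # standard DES crypt() silently ignores everything past this
ERR_OVERFLOW = 5    # constructed stand-in for htpasswd's error exit code
# Traditional DES crypt output: 2-char salt + 11 chars, all from [./0-9A-Za-z].
_DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample file; none of these hashes belong to a real credential.
SAMPLE_HTPASSWD = """\
alice:$apr1$9Lx7Qk1m$cOnStRuCtEdHaSh0000000
bob:k3Pz9aQ2mNr1L
carol:{SHA}cOnStRuCtEdSHA1pLaCeHoLdEr=
dave:$2y$05$cOnStRuCtEdBcRyPtPlAcEhOlDeR
"""

def hash_format(h: str) -> str:
    """Classify an htpasswd hash by its prefix or, for DES, its shape."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1"
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if _DES_HASH.match(h):
        return "des-crypt"
    return "unknown"

def check_des_password_len(password: str) -> int:
    """Mirror the proposed htpasswd check: refuse a password longer than
    crypt() will use, instead of silently truncating it."""
    return ERR_OVERFLOW if len(password) > DES_CRYPT_MAX else 0

def des_equivalent(pw_a: str, pw_b: str) -> bool:
    """True when DES crypt() would treat both (ASCII) passwords identically."""
    return pw_a[:DES_CRYPT_MAX] == pw_b[:DES_CRYPT_MAX]

def audit_htpasswd(text: str) -> list[tuple[str, str]]:
    """Return (user, salt) for every entry still using DES crypt()."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashval = line.split(":", 1)
        if hash_format(hashval) == "des-crypt":
            findings.append((user, hashval[:2]))
    return findings
```

Running `audit_htpasswd(SAMPLE_HTPASSWD)` reports only `bob`, whose entry is the one where anything typed beyond the eighth character adds no protection.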
