www-apache-bugdb mailing list archives

From Mike Hamrick <mi...@muppetlabs.com>
Subject mod_auth-any/798: mod_auth fails password checks if passwd file contains extra stuff.
Date Sun, 29 Jun 1997 02:40:02 GMT

>Number:         798
>Category:       mod_auth-any
>Synopsis:       mod_auth fails password checks if passwd file contains extra stuff.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Sat Jun 28 19:40:01 1997
>Originator:     mikeh@muppetlabs.com
>Organization:
apache
>Release:        1.2.0
>Environment:
SunOS test-ino 5.5.1 Generic_103640-04 sun4m sparc SUNW,SPARCstation-10
>Description:
In the function get_pw in mod_auth.c Apache attempts to grab the
password field out of the password file and return it for a given
user.  This code assumes that the password file will be formatted
like "username:password" and will never contain any additional
colon separated information.  The 'AuthUserFile' documentation does
not explicitly state that you can store anything besides a username
and a password in the file, that's why this is a change-request
rather than a sw-bug.  It should be noted that the O'Reilly Apache
book encourages you to store extra stuff in the password file.
>How-To-Repeat:

>Fix:
*** fixed_mod_auth.c  Sat Jun 28 19:02:41 1997
--- apache_1.2.0/src/mod_auth.c Thu Apr 24 03:16:54 1997
***************
*** 128,134 ****
  
          if(!strcmp(user,w)) {
            pfclose(r->pool, f);
!           return pstrdup (r->pool, getword (r->pool, &rpw, ':'));
        }
      }
      pfclose(r->pool, f);
--- 128,134 ----
  
          if(!strcmp(user,w)) {
            pfclose(r->pool, f);
!             return pstrdup (r->pool, rpw);
        }
      }
      pfclose(r->pool, f);
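Review bot: the context diff runs in the reverse direction. The header names fixed_mod_auth.c as the from-file (***) and apache_1.2.0/src/mod_auth.c as the to-file (---), so the "---" side with `return pstrdup (r->pool, rpw);` is the unpatched 1.2.0 code and applying this as-is needs patch -R. Regenerate it with the 1.2.0 file first so the getword (r->pool, &rpw, ':') line appears as the new side. Since getword is already handed r->pool, it is also worth checking whether the outer pstrdup is still needed on that line.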
>Audit-Trail:
>Unformatted:
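Added example, not part of the original report and not Apache's code: a stand-alone C sketch of the field extraction the description is about, showing why a line with extra colon-separated fields yields a stored value that can never equal a password hash unless the parser stops at the next colon. The names pw_field and stop_at_colon and the sample line are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the stored password field for `user` out of one AuthUserFile line.
 * stop_at_colon = 0: everything after the first ':' (the unpatched
 *                    behaviour, the "---" side of the patch above).
 * stop_at_colon = 1: only up to the next ':' (the submitter's fix).
 * Returns 1 on success, 0 if the line is not for `user` or does not fit. */
static int pw_field(const char *line, const char *user, int stop_at_colon,
                    char *out, size_t outlen)
{
    const char *sep = strchr(line, ':');
    size_t ulen = strlen(user), n;

    /* The user name must match the whole first field, not a prefix of it. */
    if (sep == NULL || (size_t)(sep - line) != ulen ||
        strncmp(line, user, ulen) != 0)
        return 0;
    sep++;                              /* start of the password field */
    n = strcspn(sep, stop_at_colon ? ":\r\n" : "\r\n");
    if (n >= outlen)
        return 0;                       /* fail closed rather than truncate */
    memcpy(out, sep, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample line: placeholder hash plus extra fields. */
    const char *line = "bob:PLACEHOLDERHASH:Bob Example:staff\n";
    char whole[128], first[128];

    if (pw_field(line, "bob", 0, whole, sizeof whole) &&
        pw_field(line, "bob", 1, first, sizeof first)) {
        printf("rest of line : \"%s\"\n", whole);
        printf("first field  : \"%s\"\n", first);
        /* Only the first field is something a hash comparison can match. */
        printf("fields equal : %s\n", strcmp(whole, first) == 0 ? "yes" : "no");
    }
    return 0;
}
```
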


