www-apache-bugdb mailing list archives

From Randy J.Ray <rj...@uswest.com>
Subject mod_auth-any/1335: mod_auth (Basic Authentication) cannot handle fields in passwd beyond the password itself.
Date Mon, 27 Oct 1997 23:55:43 GMT

>Number:         1335
>Category:       mod_auth-any
>Synopsis:       mod_auth (Basic Authentication) cannot handle fields in passwd beyond the password itself.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Oct 29 15:50:01 PST 1997
>Originator:     rjray@uswest.com
>Release:        1.2.4
HPUX 9.04: HP-UX voodoo A.09.04 E 9000/887 427376281 8-user license
Switching to Apache from CERN, I noticed that my password files for Basic authentication
(I have several different groups of users from different parts of the company) no longer
worked. The problem was that I used a 3-field password file, where the third field was the
user's name. CERN simply ignored any extra fields after the password, but mod_auth.c reads
up to the first ":" to test username, then returns the entire remaining record as the encrypted
password. The attached patch causes the loop in get_pw() to extract the next colon-delimited
field and return that, instead. The way getword() works, if you only have the two fields
you still get what you expect. This may not be a bug to you folks, but since some of these
files list users outside my NIS maps, I like having the names close by so I can look up the
phone numbers if problems come up.
Take any password file you have for Basic authentication and add a third colon-delimited
field to it, then try to authenticate with a valid password. I don't use DBM-based auth or
BerkeleyDB auth, so I cannot comment on whether those have the same behavior.
I have a patch to mod_auth.c that will fix it. Rather than attach it here, I will be glad
to e-mail it to a specific address.
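The parsing difference the report describes, shown as an added example; this is not the reporter's patch and not Apache's mod_auth.c. The password text, the user names and the placeholder hash strings are constructed for the demonstration, and the next_field() helper is a simplified stand-in for Apache's getword(). With fixed == 0 the lookup returns everything after the first colon, as the reporter says the 1.2.4 get_pw() does; with fixed == 1 it returns only the second colon-delimited field, which is what the proposed patch does. The crypt() comparison that the real module performs on the returned string is omitted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample password file (not real data): two conventional
 * user:hash lines plus one line carrying the extra "real name" and phone
 * fields the report describes. Hashes are placeholders, not crypt(3) output. */
static const char *SAMPLE_PASSWD =
    "alice:AbCdEfGhIjKlM\n"
    "rjray:XyZ12345abcde:Randy J. Ray:555-0100\n"
    "bob:NoPqRsTuVwXyZ\n";

/* Copy the next field of *src (up to 'stop' or end of string) into dst,
 * truncating if needed, and advance *src past the delimiter. This mimics
 * the way Apache's getword() consumes one delimited word at a time. */
static void next_field(const char **src, char stop, char *dst, size_t dstlen)
{
    const char *s = *src;
    size_t n = 0;
    while (*s && *s != stop) {
        if (n + 1 < dstlen)
            dst[n++] = *s;
        s++;
    }
    dst[n] = '\0';
    if (*s == stop)
        s++;
    *src = s;
}

/* Look up 'user' in the password text. With fixed == 0 the function behaves
 * like the mod_auth.c get_pw() in the report: everything after the first
 * colon is returned as the "encrypted password". With fixed == 1 only the
 * second colon-delimited field is returned, as the reporter's patch does.
 * Returns a pointer to a static buffer, or NULL if the user is not found. */
const char *lookup_pw(const char *user, int fixed)
{
    static char pw[256];
    const char *p = SAMPLE_PASSWD;
    char line[256], name[64];

    while (*p) {
        const char *rest = line;
        next_field(&p, '\n', line, sizeof line);    /* one record */
        if (line[0] == '\0' || line[0] == '#')
            continue;                               /* skip blanks/comments */
        next_field(&rest, ':', name, sizeof name);  /* field 1: user name */
        if (strcmp(name, user) != 0)
            continue;
        if (fixed) {
            next_field(&rest, ':', pw, sizeof pw);  /* field 2 only */
        } else {
            strncpy(pw, rest, sizeof pw - 1);       /* whole remainder */
            pw[sizeof pw - 1] = '\0';
        }
        return pw;
    }
    return NULL;
}

int main(void)
{
    printf("rjray, unpatched: \"%s\"\n", lookup_pw("rjray", 0));
    printf("rjray, patched:   \"%s\"\n", lookup_pw("rjray", 1));
    printf("alice, patched:   \"%s\"\n", lookup_pw("alice", 1));
    return 0;
}
```

For the three-field line the unpatched lookup hands "XyZ12345abcde:Randy J. Ray:555-0100" to the password check, which can never match a crypt() result, so the login fails exactly as the report describes; the patched lookup returns just "XyZ12345abcde". For a plain two-field line both variants return the same value, which is the point the reporter makes about getword() on two-field records.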
