Posted to cvs@httpd.apache.org by sf...@apache.org on 2009/10/24 14:39:42 UTC

svn commit: r829355 - /httpd/httpd/trunk/support/htpasswd.c

Author: sf
Date: Sat Oct 24 12:39:41 2009
New Revision: 829355

URL: http://svn.apache.org/viewvc?rev=829355&view=rev
Log:
Verify that password has been truncated before printing a warning.

Modified:
    httpd/httpd/trunk/support/htpasswd.c

Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=829355&r1=829354&r2=829355&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Sat Oct 24 12:39:41 2009
@@ -186,10 +186,6 @@
         pw = pwin;
         memset(pwv, '\0', sizeof(pwin));
     }
-    if (alg == ALG_CRYPT && strlen(pw) > 8) {
-        apr_file_printf(errfile, "Warning: Password truncated to 8 characters "
-                        "by CRYPT algorithm." NL);
-    }
     switch (alg) {
 
     case ALG_APSHA:
@@ -223,6 +219,15 @@
         salt[8] = '\0';
 
         apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
+        if (strlen(pw) > 8) {
+            char *truncpw = strdup(pw);
+            truncpw[8] = '\0';
+            if (!strcmp(cpw, crypt(pw, salt))) {
+                apr_file_printf(errfile, "Warning: Password truncated to 8 characters "
+                                "by CRYPT algorithm." NL);
+            }
+            free(truncpw);
+        }
         break;
 #endif
     }
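
Review bot: In the added block, the check `if (!strcmp(cpw, crypt(pw, salt)))` hashes the full `pw` again, the same input that produced `cpw` in the `apr_cpystrn` line just above, so it compares a hash with itself and the warning is effectively unconditional for any password longer than 8 characters. `truncpw` is allocated and shortened but never read. To verify truncation, hash the shortened copy with `crypt(truncpw, salt)` so the warning prints only when the 8-character prefix yields the same hash as the full password.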



Re: svn commit: r829355 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Sat, 24 Oct 2009, Ruediger Pluem wrote:
> I assume you want to do
>
> crypt(truncpw, salt)
>
> instead of
>
> crypt(pw, salt)

Absolutely :-(

Thanks.

Re: svn commit: r829355 - /httpd/httpd/trunk/support/htpasswd.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 10/24/2009 02:39 PM, sf@apache.org wrote:
> Author: sf
> Date: Sat Oct 24 12:39:41 2009
> New Revision: 829355
> 
> URL: http://svn.apache.org/viewvc?rev=829355&view=rev
> Log:
> Verify that password has been truncated before printing a warning.
> 
> Modified:
>     httpd/httpd/trunk/support/htpasswd.c
> 
> Modified: httpd/httpd/trunk/support/htpasswd.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=829355&r1=829354&r2=829355&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/support/htpasswd.c (original)
> +++ httpd/httpd/trunk/support/htpasswd.c Sat Oct 24 12:39:41 2009
> @@ -186,10 +186,6 @@
>          pw = pwin;
>          memset(pwv, '\0', sizeof(pwin));
>      }
> -    if (alg == ALG_CRYPT && strlen(pw) > 8) {
> -        apr_file_printf(errfile, "Warning: Password truncated to 8 characters "
> -                        "by CRYPT algorithm." NL);
> -    }
>      switch (alg) {
>  
>      case ALG_APSHA:
> @@ -223,6 +219,15 @@
>          salt[8] = '\0';
>  
>          apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
> +        if (strlen(pw) > 8) {
> +            char *truncpw = strdup(pw);
> +            truncpw[8] = '\0';
> +            if (!strcmp(cpw, crypt(pw, salt))) {

I assume you want to do

crypt(truncpw, salt)

instead of

crypt(pw, salt)

> +                apr_file_printf(errfile, "Warning: Password truncated to 8 characters "
> +                                "by CRYPT algorithm." NL);
> +            }
> +            free(truncpw);
> +        }
>          break;
>  #endif
>      }
> 
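
Review bot: The result of `strdup(pw)` is written to at `truncpw[8] = '\0'` without a NULL check, so an allocation failure would crash at that line; check the return value before use. `truncpw` is also a second copy of the cleartext password and reaches `free(truncpw)` without being overwritten. Clear it before freeing, as the context in the first hunk does for `pwv` with `memset`.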

Regards

Rüdiger