Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/03/20 21:24:51 UTC
[Bug 54735] New: htpasswd creates wrong passfile
https://issues.apache.org/bugzilla/show_bug.cgi?id=54735
Bug ID: 54735
Summary: htpasswd creates wrong passfile
Product: Apache httpd-2
Version: 2.4.4
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: support
Assignee: bugs@httpd.apache.org
Reporter: darklight2k2@libero.it
Classification: Unclassified
Found on
OS debian lenny or Ubuntu 12.04
pcre 8.32
php 5.4.13
apr 1.4.6
apr-utils 1.5.1
htpasswd -c username
never generates a correct hashed password.
htpasswd -nb username pass > conf/htpasswd
has to be used instead.
Tested with md5 and plain passwords; even the last ones are not created correctly.
Of course authentication fails with the first method and works with the second one.
Feel free to contact me if you need further information.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 54735] htpasswd creates wrong passfile
Stefan Fritsch <sf...@sfritsch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dclarke@blastwave.org
--- Comment #11 from Stefan Fritsch <sf...@sfritsch.de> ---
*** Bug 55086 has been marked as a duplicate of this bug. ***
[Bug 54735] htpasswd creates wrong passfile
--- Comment #8 from MadMaverick9 <as...@meinkino.ch> ---
> BTW, it's rather fascinating that the buggy variant worked for me. It looks like the password was on the right place on the stack on my system.
I wonder if that has something to do with different versions of gcc maybe. I am
using "gcc 4.7.1" on a default Slackware 14.0 install.
Would it be possible to apply this patch to the "2.4.x" branch? So that the fix
would be included in a future httpd 2.4.5 release.
Thank you very much for your work.
[Bug 54735] htpasswd creates wrong passfile
Ronni <th...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |theronni@gmail.com
[Bug 54735] htpasswd creates wrong passfile
--- Comment #15 from Dennis Clarke <dc...@blastwave.org> ---
I applied that patch, did a re-make and sure enough I have a few new files :
node002$ find . -newer $SRC/2.4-htpass.patch -ls
2279859 13 drwxr-xr-x 12 dclarke other 52 Jun 10 17:52 .
2279897 5 drwxr-xr-x 5 dclarke other 102 Jun 10 17:52 ./support
1139900 1 -rw-r--r-- 1 dclarke other 272 Jun 10 17:52 ./support/passwd_common.lo
1139897 1 -rw-r--r-- 1 dclarke other 262 Jun 10 17:52 ./support/htpasswd.lo
1139890 9 -rw-r--r-- 1 dclarke other 16495 Jun 10 17:48 ./support/htpasswd.c
1139888 5 -rw-r--r-- 1 dclarke other 8147 Jun 10 17:48 ./support/htdigest.c
1139905 18 -rw-r--r-- 1 dclarke other 41200 Jun 10 17:52 ./support/htdbm.o
1139899 14 -rw-r--r-- 1 dclarke other 28984 Jun 10 17:52 ./support/passwd_common.o
1139906 1 -rw-r--r-- 1 dclarke other 256 Jun 10 17:52 ./support/htdbm.lo
2283202 28 -rwxr-xr-x 1 dclarke other 57176 Jun 10 17:52 ./support/htpasswd
2283210 29 -rwxr-xr-x 1 dclarke other 59912 Jun 10 17:52 ./support/htdbm
1139889 3 -rw-r--r-- 1 dclarke other 2908 Jun 10 17:48 ./support/passwd_common.h
2283206 15 -rwxr-xr-x 1 dclarke other 30040 Jun 10 17:52 ./support/htdigest
1139903 1 -rw-r--r-- 1 dclarke other 262 Jun 10 17:52 ./support/htdigest.lo
1139896 17 -rw-r--r-- 1 dclarke other 36864 Jun 10 17:52 ./support/htpasswd.o
1139902 13 -rw-r--r-- 1 dclarke other 28056 Jun 10 17:52 ./support/htdigest.o
1139886 8 -rw-r--r-- 1 dclarke other 14325 Jun 10 17:48 ./support/htdbm.c
1139887 6 -rw-r--r-- 1 dclarke other 10009 Jun 10 17:48 ./support/passwd_common.c
node002$
node002$
node002$ file ./support/htpasswd ./support/htdbm ./support/passwd_common.h ./support/htdigest
./support/htpasswd: ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped
./support/htdbm: ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped
./support/passwd_common.h: ascii text
./support/htdigest: ELF 64-bit MSB executable SPARCV9 Version 1, UltraSPARC3 Extensions Required, dynamically linked, not stripped
node002$
That header file seems to live in the build tree and never needs to be installed
in the $DESTDIR/include so I will leave that behind.
I backup the existing buggy bins :
node002$ cp -p /usr/local/bin/htdbm /usr/local/bin/htdbm_bug54735
node002$ cp -p /usr/local/bin/htdigest /usr/local/bin/htdigest_bug54735
node002$ cp -p /usr/local/bin/htpasswd /usr/local/bin/htpasswd_bug54735
drop in the new bins :
node002-sparc-SunOS5.10 # cp -p ./support/htpasswd /usr/local/bin/htpasswd
node002-sparc-SunOS5.10 # cp -p ./support/htdbm /usr/local/bin/htdbm
node002-sparc-SunOS5.10 # cp -p ./support/htdigest /usr/local/bin/htdigest
node002-sparc-SunOS5.10 # chown root:root /usr/local/bin/htpasswd /usr/local/bin/htdbm /usr/local/bin/htdigest
node002-sparc-SunOS5.10 # ls -lap /usr/local/bin/htpasswd /usr/local/bin/htdbm /usr/local/bin/htdigest
-rwxr-xr-x 1 root root 59912 Jun 10 17:52 /usr/local/bin/htdbm
-rwxr-xr-x 1 root root 30040 Jun 10 17:52 /usr/local/bin/htdigest
-rwxr-xr-x 1 root root 57176 Jun 10 17:52 /usr/local/bin/htpasswd
quick and dirty test :
node002-sparc-SunOS5.10 # /usr/local/bin/htpasswd /usr/local/www/conf/.htpasswd bug54735test
New password:
Re-type new password:
Adding password for user bug54735test
node002-sparc-SunOS5.10 # grep bug54735test .htpasswd
bug54735test:$apr1$mBhdHE3M$AmZp9nuLI9DC7D.H7OO.51
first test works like a charm :
node002-sparc-SunOS5.10 # grep bug54735test /usr/local/www/var/logs/ssl_request_log
xxx.xxx.52.207 - bug54735test [10/Jun/2013:18:10:02 +0000] "GET /foo.php HTTP/1.1" 200 75883 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130515 Firefox/17.0 Iceweasel/17.0.6"
looks to be a good patch, however I will keep our internal bug report open
until 2.4.5 releases, for now I would say that there is no need for a triage
or validation phase because the core services have not been touched and thus
this is a great little patch. Already rolled those bins out to a collection of
servers.
I give thanks and praise to those involved and am a very happy user!
Dennis
[Bug 54735] htpasswd creates wrong passfile
--- Comment #16 from Jackie Rosen <ja...@hushmail.com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
[Bug 54735] htpasswd creates wrong passfile
--- Comment #5 from asfbugzilla@meinkino.ch ---
Created attachment 30123
--> https://issues.apache.org/bugzilla/attachment.cgi?id=30123&action=edit
Patch for "httpd-2.4.4/support/passwd_common.c".
Even though this patch fixes the problem at hand, the "get_password" function
in "httpd-2.4.4/support/passwd_common.c" really should not put the password
into "ctx->out", but into "ctx->passwd".
[Bug 54735] htpasswd creates wrong passfile
Frank Tobin <ft...@neverending.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ftobin@neverending.org
[Bug 54735] htpasswd creates wrong passfile
Stefan Fritsch <sf...@sfritsch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> ---
(In reply to comment #0)
> htpasswd -c username
That's not a valid command line. You mean
htpasswd -c conf/htpasswd username
? But this works for me. Can you post the contents of the created file?
> never generates a correct hashed password.
> htpasswd -nb username pass > conf/htpasswd
> has to be used instead.
> Tested with md5 and plain passwords; even the last ones are not created correctly.
> Of course authentication fails with the first method and works with the second one.
Plain passwords do not work under Unix (as hinted by the help text).
[Bug 54735] htpasswd creates wrong passfile
Maxime <ma...@unite.re> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|maxime@unite.re |
[Bug 54735] htpasswd creates wrong passfile
Marco <da...@libero.it> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #2 from Marco <da...@libero.it> ---
password used is "test"
/usr/local/apache2/conf# ../bin/htpasswd -c testpasswdfile username
New password:
Re-type new password:
Adding password for user username
/usr/local/apache2/conf# cat testpasswdfile
username:$apr1$GvGApC2k$aW7v79G7y8ElbO/ZjoAOz1
/usr/local/apache2/conf# ./bin/htpasswd -cp testpasswdfile username
Warning: storing passwords as plain text might just not work on this platform.
New password:
Re-type new password:
Adding password for user username
/usr/local/apache2/conf# cat testpasswdfile
username:P%m6�
/usr/local/apache2/conf# ../bin/htpasswd -bnp username test
Warning: storing passwords as plain text might just not work on this platform.
username:test
Yes, sorry about the wrong command line. What I meant about plain passwords was
that even the plain ones aren't created correctly when prompted. Although it might
not work as the tool says, it should anyway write a correct file.
I provide you more hashes
username:$apr1$QnVANHT3$hMtF7Eu1pFw0KAWSROiOy. < test used as password
username:$apr1$UNe/gu.y$u.0Y03o4WbpCNTQe8n5tV0 < test used as password
username:$apr1$1gG7fHEq$/EVL3lXjfQ/fazeoiloDw1 < notworking used as password
[Bug 54735] htpasswd creates wrong passfile
--- Comment #3 from Marco <da...@libero.it> ---
../bin/httpd -V
Server version: Apache/2.4.4 (Unix)
Server built: Mar 20 2013 08:27:18
Server's Module Magic Number: 20120211:11
Server loaded: APR 1.4.6, APR-UTIL 1.5.1
Compiled using: APR 1.4.6, APR-UTIL 1.5.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/local/apache2"
-D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
[Bug 54735] htpasswd creates wrong passfile
--- Comment #4 from asfbugzilla@meinkino.ch ---
As far as I can tell this is caused by a bug in
"httpd-2.4.4/support/passwd_common.c". I created the following patch and it
works again.
diff -ur httpd-2.4.4-orig/support/passwd_common.c
httpd-2.4.4/support/passwd_common.c
--- httpd-2.4.4-orig/support/passwd_common.c 2012-12-11 17:37:25.000000000
+0700
+++ httpd-2.4.4/support/passwd_common.c 2013-03-17 13:33:58.429462196 +0700
@@ -146,7 +146,6 @@
int mkhash(struct passwd_ctx *ctx)
{
char *pw;
- char pwin[MAX_STRING_LEN];
char salt[16];
apr_status_t rv;
int ret = 0;
@@ -165,7 +164,7 @@
else {
if ((ret = get_password(ctx)) != 0)
return ret;
- pw = pwin;
+ pw = strdup(ctx->out);
}
switch (ctx->alg) {
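Review bot: the `strdup(ctx->out)` result in the else branch is used without a NULL check, and nothing in the visible lines frees it, so the prompted password stays behind as a second cleartext copy on the heap. Check the return value and return an error when it is NULL, and wipe and free `pw` once the `switch (ctx->alg)` block has produced the hash. If `ctx->out` still holds the password for the whole of the switch, the copy can be dropped and `pw` pointed at that buffer directly.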
[Bug 54735] htpasswd creates wrong passfile
--- Comment #7 from Stefan Fritsch <sf...@sfritsch.de> ---
BTW, it's rather fascinating that the buggy variant worked for me. It looks
like the password was on the right place on the stack on my system.
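Added example, not part of the original thread and not httpd's own code: a reduced C model of why the pre-patch `pw = pwin;` hashed whatever the stack slot held, and why it could still appear to work when that slot happened to contain the password. The names pw_ctx, read_password, toy_hash, wipe and the residue parameter are assumptions made for the illustration, and toy_hash (FNV-1a) stands in for the real password hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 64                     /* stand-in for MAX_STRING_LEN */
struct pw_ctx { char out[MAX_LEN]; };  /* reduced model, not httpd's struct */

/* FNV-1a, standing in for the real hash: it only shows which bytes get hashed. */
uint32_t toy_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Models get_password(): the prompted input lands in ctx->out. */
static int read_password(struct pw_ctx *ctx, const char *typed)
{
    if (strlen(typed) >= sizeof(ctx->out)) return -1;
    strcpy(ctx->out, typed);
    return 0;
}

/* Pre-patch shape. The real pwin was never initialised; `residue` makes the
 * stale stack contents an explicit, repeatable input (constructed value). */
uint32_t hash_prompted_buggy(const char *typed, const char *residue)
{
    struct pw_ctx ctx;
    char pwin[MAX_LEN];
    snprintf(pwin, sizeof(pwin), "%s", residue);
    if (read_password(&ctx, typed) != 0) return 0;
    uint32_t h = toy_hash(pwin);       /* wrong buffer: ctx.out is ignored */
    wipe(&ctx, sizeof(ctx));
    return h;
}

/* Patched shape, with the copy checked, wiped and freed after hashing. */
int hash_prompted_fixed(const char *typed, uint32_t *digest)
{
    struct pw_ctx ctx;
    if (read_password(&ctx, typed) != 0) return -1;
    size_t n = strlen(ctx.out) + 1;
    char *pw = malloc(n);              /* same effect as the patch's strdup() */
    if (pw != NULL) memcpy(pw, ctx.out, n);
    wipe(&ctx, sizeof(ctx));
    if (pw == NULL) return -1;
    *digest = toy_hash(pw);
    wipe(pw, n);
    free(pw);
    return 0;
}

int main(void)
{
    uint32_t good = 0;
    if (hash_prompted_fixed("test", &good) != 0) return 1;
    printf("fixed %08x stale %08x lucky %08x\n", (unsigned)good,
           (unsigned)hash_prompted_buggy("test", "stale-stack-bytes"),
           (unsigned)hash_prompted_buggy("test", "test"));
    return 0;
}
```

In the buggy variant the stored hash is a function of the residue only, so two different passwords produce the same entry and neither authenticates unless the residue equals the password.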
[Bug 54735] htpasswd creates wrong passfile
Stefan Fritsch <sf...@sfritsch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |---
--- Comment #12 from Stefan Fritsch <sf...@sfritsch.de> ---
Reopening until 2.4.5 is actually released. Hopefully this makes it easier to
find this PR.
[Bug 54735] htpasswd creates wrong passfile
--- Comment #13 from Dennis Clarke <dc...@blastwave.org> ---
I apologize for the dup 55086. I should have really scanned for
the existing bug reports better.
However I have the very real problem that I am running Apache 2.4.4
on Solaris and in production so this is a bit of a problem for me.
I am able, as seen in my duplicate bug report, to create and update
users in the password file while using the -b "batch" option. That
seems to work well. For now.
When should we expect, and you knew I was about to ask, the release
of 2.4.5 ?
Is there a neatly isolated patch as well as a manner to build just
the htpasswd binary ? I don't think it should be necessary to
compile all of Apache from ground zero just to get this one binary.
At least, I sure hope not. I have a very stable 2.4.4 now and the
performance on the Niagara class Oracle servers is just magnificent
and I really don't want to enter a thirty day testing phase and
validation phase just to get htpasswd working as expected. Hope I
don't seem to whine here but a stable httpd 2.4.4 exists now and it
was not trivial for me to get it into real world production for my
users.
Dennis
[Bug 54735] htpasswd creates wrong passfile
Graham Leggett <mi...@sharp.fm> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #9 from Graham Leggett <mi...@sharp.fm> ---
Backported to v2.4.5.
[Bug 54735] htpasswd creates wrong passfile
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |maxime@unite.re
--- Comment #10 from Eric Covener <co...@gmail.com> ---
*** Bug 54927 has been marked as a duplicate of this bug. ***
[Bug 54735] htpasswd creates wrong passfile
Stefan Fritsch <sf...@sfritsch.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |FixedInTrunk
--- Comment #6 from Stefan Fritsch <sf...@sfritsch.de> ---
Thanks for debugging this. Trunk commit: r1465115
[Bug 54735] htpasswd creates wrong passfile
MadMaverick9 <as...@meinkino.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |asfbugzilla@meinkino.ch
[Bug 54735] htpasswd creates wrong passfile
Rainer Jung <ra...@kippdata.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED
--- Comment #14 from Rainer Jung <ra...@kippdata.de> ---
(In reply to Dennis Clarke from comment #13)
> Is there a neatly isolated patch as well as a manner to build just
> the htpasswd binary ?
Patch
http://people.apache.org/~rjung/patches/2.4-htpass.patch
should apply cleanly on top of a 2.4.4 source tree.
It contains revisions
svn.apache.org/r1455225
svn.apache.org/r1476089
svn.apache.org/r1467978
svn.apache.org/r1476674
svn.apache.org/r1477651
svn.apache.org/r1490564
and fixes at least PRs 53690, 54345, 54346, 54735 and 54893.
If you use your old 2.4.4 build directory and apply the patch, a "make" should simply rebuild
- htpasswd
- htdbm
- htdigest
Concerning 2.4.5 there is no fixed date yet, although there were some
discussions to cut the release soon. Don't plan for it in the next days though.