Posted to apache-bugdb@apache.org by Scott Tadman <ta...@martinet.com> on 1997/07/02 21:40:02 UTC

other/818: mod_auth doesn't parse /etc/passwd properly (feature?)

>Number:         818
>Category:       other
>Synopsis:       mod_auth doesn't parse /etc/passwd properly (feature?)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jul  2 12:40:01 1997
>Originator:     tadman@martinet.com
>Organization:
apache
>Release:        1.2.0
>Environment:
Linux, gcc 2.7.2.1 or whatever.
>Description:
mod_auth doesn't parse /etc/passwd properly. Here's a quick patch which
makes the mod_auth program parse it, regardless of moral implications.
Tested to be effective, only when not using shadowed passwords.
>How-To-Repeat:
--begin .htaccess--
AuthUserFile /etc/passwd
AuthName Protected
AuthType Basic

<Limit GET>
require valid-user
</Limit>
--end--
>Fix:
--begin mod_auth.patch--
*** mod_auth.c.orig     Wed Jul  2 09:33:29 1997
--- mod_auth.c  Wed Jul  2 09:37:09 1997
***************
*** 117,122 ****
--- 117,125 ----
      char l[MAX_STRING_LEN];
      const char *rpw, *w;

+     /* Pointer used to ignore extra fields in password file */
+     char *c;
+
      if(!(f=pfopen(r->pool, auth_pwfile, "r"))) {
          log_reason ("Could not open password file", auth_pwfile, r);
        return NULL;
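Review bot: The added `char *c;` is a non-const pointer that the next hunk assigns from `strchr (rpw, ':')`, while `rpw` is declared `const char *` two lines above it, so the write through `c` discards that qualifier. The bytes being modified belong to the local buffer `l`, so it would be cleaner to search from a pointer derived from `l` after the user name has been split off. A descriptive name such as `colon`, declared together with the other locals instead of after a blank line, would also make the intent clearer than a single-letter `c`.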
***************
*** 125,130 ****
--- 128,137 ----
          if((l[0] == '#') || (!l[0])) continue;
        rpw = l;
          w = getword(r->pool, &rpw, ':');
+
+       /* If there is a colon at the end of this field... */
+       if (c = strchr (rpw, ':'))
+           *c = 0;  /* ...replace it with a NULL. */

          if(!strcmp(user,w)) {
            pfclose(r->pool, f);
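Review bot: The truncation at `if (c = strchr (rpw, ':'))` runs for every line of every AuthUserFile, not only for passwd-format files, and its effect is that the `AuthUserFile /etc/passwd` configuration from How-To-Repeat now authenticates system accounts over `AuthType Basic`; that should be an explicit, documented decision, not a side effect of a parsing change. If the change is wanted, write the test as `if ((c = strchr(rpw, ':')) != NULL)` so the assignment cannot be read as a mistyped comparison, and store `'\0'` instead of `0`. The comments also need correcting: the byte written is a NUL terminator, not NULL, and the colon found is the one that ends the password field, so the comment should say that the remaining fields are being cut off.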
--end-
>Audit-Trail:
>Unformatted: