Posted to apache-bugdb@apache.org by Scott Tadman <ta...@martinet.com> on 1997/07/02 21:40:02 UTC
other/818: mod_auth doesn't parse /etc/passwd properly (feature?)
>Number: 818
>Category: other
>Synopsis: mod_auth doesn't parse /etc/passwd properly (feature?)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Wed Jul 2 12:40:01 1997
>Originator: tadman@martinet.com
>Organization:
apache
>Release: 1.2.0
>Environment:
Linux, gcc 2.7.2.1 or whatever.
>Description:
mod_auth doesn't parse /etc/passwd properly. Here's a quick patch which
makes the mod_auth program parse it, regardless of moral implications.
Tested to be effective, only when not using shadowed passwords.
>How-To-Repeat:
--begin .htaccess--
AuthUserFile /etc/passwd
AuthName Protected
AuthType Basic
<Limit GET>
require valid-user
</Limit>
--end--
>Fix:
--begin mod_auth.patch--
*** mod_auth.c.orig Wed Jul 2 09:33:29 1997
--- mod_auth.c Wed Jul 2 09:37:09 1997
***************
*** 117,122 ****
--- 117,125 ----
char l[MAX_STRING_LEN];
const char *rpw, *w;
+ /* Pointer used to ignore extra fields in password file */
+ char *c;
+
if(!(f=pfopen(r->pool, auth_pwfile, "r"))) {
log_reason ("Could not open password file", auth_pwfile, r);
return NULL;
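Review bot: The added declaration char *c is a writable pointer that the second hunk fills from strchr(rpw, ':'), while rpw is declared const char * on the line just above, so the later store through c quietly drops that const. The data lives in the writable buffer l, so please either search l directly or make the cast explicit. A descriptive name such as colon would also read better than c, and the declaration comment should say which field separator is meant.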
***************
*** 125,130 ****
--- 128,137 ----
if((l[0] == '#') || (!l[0])) continue;
rpw = l;
w = getword(r->pool, &rpw, ':');
+
+ /* If there is a colon at the end of this field... */
+ if (c = strchr (rpw, ':'))
+ *c = 0; /* ...replace it with a NULL. */
if(!strcmp(user,w)) {
pfclose(r->pool, f);
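Review bot: The condition if (c = strchr (rpw, ':')) uses an assignment as a truth value; please write it as if ((c = strchr(rpw, ':')) != NULL) so it cannot be misread as a comparison and does not trigger compiler warnings. The comment says the colon is replaced "with a NULL", but *c = 0 stores a NUL character, not a null pointer, so the wording should be corrected. The truncation also runs on every line before the strcmp(user,w) test, although it is only needed for the line that matches; moving it inside that branch keeps the change local. Because the code is unconditional, text after the second field is now discarded for every AuthUserFile, not only /etc/passwd, and that behaviour change should be documented.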
--end-
>Audit-Trail:
>Unformatted: