Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/07/03 21:41:33 UTC
svn commit: r1356887 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS
support/htdbm.c support/htpasswd.c
Author: sf
Date: Tue Jul 3 19:41:32 2012
New Revision: 1356887
URL: http://svn.apache.org/viewvc?rev=1356887&view=rev
Log:
Merge r1346905:
htdbm/htpasswd: fix handling of crypt() failures.
Reviewed by: jorton, covener, sf
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/support/htdbm.c
httpd/httpd/branches/2.4.x/support/htpasswd.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1346905
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1356887&r1=1356886&r2=1356887&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Jul 3 19:41:32 2012
@@ -3,6 +3,9 @@
Changes with Apache 2.4.3
+ *) htdbm, htpasswd: Don't crash if crypt() fails (e.g. with FIPS enabled).
+ [Paul Wouters <pwouters redhat.com>, Joe Orton]
+
*) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
the chosen listener is configured for https. [Joe Orton]
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1356887&r1=1356886&r2=1356887&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Tue Jul 3 19:41:32 2012
@@ -88,11 +88,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * htdbm/htpasswd: fix handling of crypt() failures.
- trunk patch: http://svn.apache.org/viewvc?rev=1346905&view=rev
- 2.4.x patch: trunk patch (ex CHANGES) works
- +1: jorton, covener, sf
-
* mod_negotiation: CVE-2012-2687 XSS in mod_negotiation
trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
2.4.x patch: trunk works
Modified: httpd/httpd/branches/2.4.x/support/htdbm.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/support/htdbm.c?rev=1356887&r1=1356886&r2=1356887&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/support/htdbm.c (original)
+++ httpd/httpd/branches/2.4.x/support/htdbm.c Tue Jul 3 19:41:32 2012
@@ -288,6 +288,9 @@ static apr_status_t htdbm_make(htdbm_t *
{
char cpw[MAX_STRING_LEN];
char salt[9];
+#if (!(defined(WIN32) || defined(NETWARE)))
+ char *cbuf;
+#endif
switch (htdbm->alg) {
case ALG_APSHA:
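Review bot: The guard added for `cbuf` on L59 hard-codes `!(defined(WIN32) || defined(NETWARE))`, while the parallel declaration in htpasswd.c (L90) uses the `CRYPT_ALGO_SUPPORTED` feature macro; if that macro is available to htdbm.c, the same condition should be used here so the declaration and the crypt() branch that closes at the `#endif` in the next hunk (L79) cannot drift apart. The opening `#if` of that crypt() branch is not visible in this diff, so I cannot confirm its condition matches L59; if it does not, `cbuf` ends up either undeclared or unused on some platforms. htdbm_make's body continues outside this hunk.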
@@ -315,7 +318,15 @@ static apr_status_t htdbm_make(htdbm_t *
(void) srand((int) time((time_t *) NULL));
to64(&salt[0], rand(), 8);
salt[8] = '\0';
- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
+ cbuf = crypt(htdbm->userpass, salt);
+ if (cbuf == NULL) {
+ char errbuf[128];
+
+ fprintf(stderr, "crypt() failed: %s\n",
+ apr_strerror(errno, errbuf, sizeof errbuf));
+ exit(ERR_PWMISMATCH);
+ }
+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
#endif
default:
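Review bot: The new failure branch on L70-L76 calls `exit(ERR_PWMISMATCH)` from inside htdbm_make, which the hunk header shows is declared to return apr_status_t (L55); terminating the process from a helper bypasses whatever the caller does to close the DBM file and release pools, and it reports a password-mismatch code for what is actually a library failure. Prefer returning a status to the caller, e.g. `return APR_EGENERAL;` (or whichever status the callers of htdbm_make already map to a message), and let main() pick the exit code. Also set `errno = 0;` before the `crypt()` call on L69, since otherwise a stale errno left by an earlier call would be reported as the cause when crypt() returns NULL; and confirm that `<errno.h>` is included in htdbm.c, which this hunk does not show. The enclosing switch and function continue outside the hunk.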
Modified: httpd/httpd/branches/2.4.x/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/support/htpasswd.c?rev=1356887&r1=1356886&r2=1356887&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/support/htpasswd.c (original)
+++ httpd/httpd/branches/2.4.x/support/htpasswd.c Tue Jul 3 19:41:32 2012
@@ -174,6 +174,9 @@ static int mkrecord(char *user, char *re
char pwv[MAX_STRING_LEN];
char salt[9];
apr_size_t bufsize;
+#if CRYPT_ALGO_SUPPORTED
+ char *cbuf;
+#endif
if (passwd != NULL) {
pw = passwd;
@@ -226,7 +229,16 @@ static int mkrecord(char *user, char *re
to64(&salt[0], rand(), 8);
salt[8] = '\0';
- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
+ cbuf = crypt(pw, salt);
+ if (cbuf == NULL) {
+ char errbuf[128];
+
+ apr_snprintf(record, rlen-1, "crypt() failed: %s",
+ apr_strerror(errno, errbuf, sizeof errbuf));
+ return ERR_PWMISMATCH;
+ }
+
+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
if (strlen(pw) > 8) {
char *truncpw = strdup(pw);
truncpw[8] = '\0';
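Review bot: The early `return ERR_PWMISMATCH` on L105 leaves mkrecord before the remainder of the function runs, so any cleanup the later code performs on the cleartext `pw`/`cpw` buffers (if the function clears them before returning, as I would expect in a password tool) is skipped on this path; the `exit()` path added to htdbm.c has the same gap. A `goto` to a shared cleanup label, or clearing the buffers in this branch, would be safer than returning directly. The 8-character truncation check that begins on L109 presumably calls crypt() a second time on `truncpw` just past the end of this hunk and uses the result without a NULL check; if the first call can fail, so can the second, so it deserves the same guard. Setting `errno = 0;` before the `crypt()` call on L99 also keeps a stale errno from being reported in the message. mkrecord's body continues outside the hunk.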