Posted to apache-bugdb@apache.org by "Stanislaw Y.Pusep" <st...@nettaxi.com> on 1999/04/21 22:28:16 UTC

mod_auth-any/4287: Windows can't use this module!

>Number:         4287
>Category:       mod_auth-any
>Synopsis:       Windows can't use this module!
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          mistaken
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr 21 13:30:01 PDT 1999
>Last-Modified:
>Originator:     stas@nettaxi.com
>Organization:
apache
>Release:        1.3.6
>Environment:
Windows 98
>Description:
Windows has no crypt() function. Older (< 1.3.5) Apache servers _IGNORED_
password encryption, so, if a password file line was:
"admin:haqoJZBx9Q1w2"
, the Windows version used "haqoJZBx9Q1w2" as a READY, NOT ENCRYPTED password. So,
all my password file lines looked like:
"admin:d4mnimg00d"
. Now, someone ripped out this nice Windows mistake, and my error log is full
of these lines:
"[Mon Apr 19 15:18:53 1999] [error] [client 200.210.11.39] user admin: authentication failure for "/server-status": crypt() unavailable on Win32, cannot validate password"
>How-To-Repeat:
Try to run Apache on a Windows system :)
>Fix:
Yes. I'm a very bad C programmer, but I think you'll understand me.
Well, the file to be patched is "[apache_dir]/src/ap/ap_md5c.c".
Line 603. What do we have here?
/* START CODE */
#ifdef WIN32
	return "crypt() unavailable on Win32, cannot validate password";
#else
	crypt_pw = crypt(passwd, hash);
	ap_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
#endif
    }
    return (strcmp(sample, hash) == 0) ? NULL : "password mismatch";
}
/* END CODE */

All right... Now, patched version:
/* START CODE */
#ifdef WIN32
	ap_cpystrn(sample, passwd, sizeof(sample) - 1);
#else
	crypt_pw = crypt(passwd, hash);
	ap_cpystrn(sample, crypt_pw, sizeof(sample) - 1);
#endif
    }
    return (strcmp(sample, hash) == 0) ? NULL : "password mismatch";
}
/* END CODE */

I think this wouldn't work, but I hope you understood my idea!
>Audit-Trail:
>Unformatted:
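The following is an added example, not part of the original report and not Apache code: a small C audit helper that flags password-file entries whose password field is not shaped like a hash, such as the plaintext line quoted in the report. The names classify_line and audit_lines are hypothetical, the 13-character crypt() test is a heuristic, and the "$apr1$" prefix of Apache's MD5 format is not mentioned in the report.

```c
#include <stdio.h>
#include <string.h>

/* Classification of the password field in a "user:field" line. */
enum pw_kind { PW_MALFORMED, PW_DES_CRYPT, PW_APR1_MD5, PW_PLAINTEXT_SUSPECT };

/* Traditional crypt() output: exactly 13 chars from [./0-9A-Za-z]. */
static int looks_like_des_crypt(const char *s)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    return strlen(s) == 13 && strspn(s, alphabet) == 13;
}

/* Classify one password-file line (no trailing newline expected). */
enum pw_kind classify_line(const char *line)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || colon == line || colon[1] == '\0')
        return PW_MALFORMED;
    const char *field = colon + 1;
    if (strncmp(field, "$apr1$", 6) == 0)   /* Apache's MD5 scheme prefix */
        return PW_APR1_MD5;
    if (looks_like_des_crypt(field))
        return PW_DES_CRYPT;
    return PW_PLAINTEXT_SUSPECT;            /* heuristic: no known hash shape */
}

/* Count suspect entries in an array of lines; prints each user name. */
int audit_lines(const char *const *lines, size_t n)
{
    int suspects = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_line(lines[i]) == PW_PLAINTEXT_SUSPECT) {
            printf("suspect plaintext entry for user %.*s\n",
                   (int)(strchr(lines[i], ':') - lines[i]), lines[i]);
            suspects++;
        }
    }
    return suspects;
}

int main(void)
{
    /* The two sample lines quoted in the report above. */
    const char *const sample[] = { "admin:haqoJZBx9Q1w2", "admin:d4mnimg00d" };
    return audit_lines(sample, 2) == 1 ? 0 : 1;
}
```

A plaintext password that happens to be 13 characters from the crypt() alphabet would pass as a hash, so treat a clean result as a lower bound only.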