> I beg your pardon, gentlemen. Would you be so kind to decide first
> between yourself whether this is a bug or not? According to Ryan it's
> not a bug, according to your comment above, Bill, it is.

I think there is a bug lurking around, at least someplace.

while I've been up most of the night, so I might not be thinking clearly, it seems as though if someone were to move a unix-generated crypt .htpasswd file to win32, mod_auth's call to apr_password_validate would end up simply comparing the two values for equality. meaning that passing the actual hash as cleartext would succeed.

at least that's what I see when I boil down the logic.

APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd, const char *hash)
{
    ...
    else {
        /*
         * It's not our algorithm, so feed it to crypt() if possible.
         */
#if defined(WIN32) || defined(BEOS) || defined(NETWARE)
        apr_cpystrn(sample, passwd, sizeof(sample) - 1);
        ...
    return (strcmp(sample, hash) == 0) ? APR_SUCCESS : APR_EMISMATCH;
}

--Geoff
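
The fallback described in the message above, reduced to a stand-alone C model next to a fail-closed variant. This is an added example, not code from APR or from the original message. The function names, the `looks_like_crypt_hash` heuristic and the stored string are assumptions constructed for illustration, and `strncpy` stands in for `apr_cpystrn`.

```c
#include <stdio.h>
#include <string.h>

enum { V_OK = 0, V_MISMATCH = 1 };   /* stand-ins for APR_SUCCESS / APR_EMISMATCH */

/* Constructed 13-character string shaped like traditional crypt(3) output. */
static const char STORED[] = "ab1x9QzT0pLmE";

/* Model of the no-crypt() branch: copy the input, compare it to the stored value. */
static int validate_plain_fallback(const char *passwd, const char *hash)
{
    char sample[120];
    strncpy(sample, passwd, sizeof(sample) - 1);
    sample[sizeof(sample) - 1] = '\0';
    return strcmp(sample, hash) == 0 ? V_OK : V_MISMATCH;
}

/* Hypothetical heuristic: "$id$..." modular format, or 13 chars of the crypt alphabet. */
static int looks_like_crypt_hash(const char *hash)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (hash[0] == '$')
        return 1;
    return strlen(hash) == 13 && strspn(hash, alphabet) == 13;
}

/* Fail closed: without crypt(), a crypt-style entry can never be verified, so refuse
 * it instead of comparing it as cleartext. Trade-off: a genuine cleartext entry that
 * happens to match the heuristic is refused too. */
static int validate_fail_closed(const char *passwd, const char *hash)
{
    if (looks_like_crypt_hash(hash))
        return V_MISMATCH;
    return validate_plain_fallback(passwd, hash);
}

int main(void)
{
    printf("fallback,    hash sent as password: %d\n", validate_plain_fallback(STORED, STORED));
    printf("fail closed, hash sent as password: %d\n", validate_fail_closed(STORED, STORED));
    printf("fail closed, cleartext entry:       %d\n", validate_fail_closed("secret", "secret"));
    return 0;
}
```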