On Thursday 13 November 2008 16:52, xor wrote:
>
> > > String pass = request.getParam("formPassword");
> > > - if (pass == null || (pass.length() ==
> > 0) || !pass.equals(pr.getNode().clientCore.formPassword))
> > > - return Errors.makeErrorPage(this, "Buh!
> > Invalid form password");
> > > + if(pass != null) { /* FIXME: is this
> > correct? what if the client just
> > does not specify the password so that its null? */
> > > + if ((pass.length() ==
> > 0) || !pass.equals(pr.getNode().clientCore.formPassword))
> > > + return
> > Errors.makeErrorPage(this, "Buh! Invalid form password");
> > > + }
> >
> > What was wrong with the old code? The new code definitely
> > lets the client through if they don't specify a password.
> > >
> > > String page =
> > request.getPath().substring(PLUGIN_URI.length());
> > > if ((page.length() < 1) || ("/".equals(page)))
> >
>
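Review bot: the `if(pass != null)` guard on the added lines skips the whole check when the request carries no `formPassword` parameter, so a client that simply omits the field is never compared against `clientCore.formPassword`, which is exactly the case the FIXME comment asks about. The check should fail closed: keep the removed condition `pass == null || (pass.length() == 0) || !pass.equals(pr.getNode().clientCore.formPassword)` so that a missing value returns the error page too. If that condition rejects legitimate submissions with "Invalid form password", it is worth checking whether the submitting form sends `formPassword` at all before relaxing the check here.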
> The old code was actually new code. It was (pass != null) before,
> I wondered how this is supposed to password protect, but then when
> changing it to the code which looks like old code in this patch, it
> always said "Invalid form password" so I changed it back to
> (pass != null).
Well, if the password is null, it's not specified, so you should still error
out.