Mailing List Archive: Cherokee: dev

Issue 593 in cherokee: Segmentation fault in validator_htpasswd

Index | Next | Previous | View Threaded

codesite-noreply at google

Oct 6, 2009, 8:36 AM

Post #1 of 5 (108 views)
Permalink

Issue 593 in cherokee: Segmentation fault in validator_htpasswd

Status: WaitingQA
Owner: ste...@konink.de
Labels: Type-Defect Priority-Critical OpSys-All Component-Logic Security

New issue 593 by ste...@konink.de: Segmentation fault in validator_htpasswd
http://code.google.com/p/cherokee/issues/detail?id=593

What steps will reproduce the problem?
1. do something obscure to get an empty passwd.buf
2. request something that is coded with md5

What is the expected output? What do you see instead?
Not a segmentation fault, I would rather go to give the user an error.

Fix is attached, it is already there for the other methods.

Attachments:
mustpatch.diff 458 bytes

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev

codesite-noreply at google

Oct 6, 2009, 10:53 AM

Post #2 of 5 (104 views)
Permalink

Issue 593 in cherokee: Segmentation fault in validator_htpasswd [In reply to]

Comment #1 on issue 593 by tahers: Segmentation fault in validator_htpasswd
http://code.google.com/p/cherokee/issues/detail?id=593

Good catch Stefan, as always.
I can't see any reason why this was left out, so it's commited in r3681

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev

codesite-noreply at google

Oct 6, 2009, 10:58 AM

Post #3 of 5 (104 views)
Permalink

Issue 593 in cherokee: Segmentation fault in validator_htpasswd [In reply to]

Comment #2 on issue 593 by ste...@konink.de: Segmentation fault in
validator_htpasswd
http://code.google.com/p/cherokee/issues/detail?id=593

Milo did the catch, I did the patch ;)

Thanks for the commit :)

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev

codesite-noreply at google

Oct 14, 2009, 10:15 AM

Post #4 of 5 (82 views)
Permalink

Issue 593 in cherokee: Segmentation fault in validator_htpasswd [In reply to]

Updates:
Status: Accepted

Comment #3 on issue 593 by ste...@konink.de: Segmentation fault in
validator_htpasswd
http://code.google.com/p/cherokee/issues/detail?id=593

See what happens if you actually pass null into it. It will never work
unless you explicitly check for it. Since the cherokee buffer routines
with len 0 will always have a null thus:

/* The password first, since that is what is most unknown */
MD5Update(&ctx, (unsigned char *)pw, strlen(pw));

...fails hard.

The only thing for fixing empty passwords would be something like:

if (pw)
MD5Update(&ctx, (unsigned char *)pw, strlen(pw));

But this would already be complete nonsense... because you actually
disgard any users that don't have a password in the file.

/* Split into user and encrypted password.
*/
cryp = strchr (line, ':');
if (cryp == NULL) continue;

Thus: revert the revert. The feature is not supported. And if supported
hence: it is in the bugtracker someone whining about it ;) You would
have to make the actual user also 'optional' ;)

/* Split into user and encrypted password.
*/
cryp = strchr (line, ':');
if (cryp != NULL)
*cryp++ = '\0';
cryp_len = strlen(cryp);

/* Is this the right user?
*/
if (strcmp (conn->validator->user.buf, line) != 0) {
continue;
}

/* Check the type of the crypted password:
* It recognizes: Apache MD5, MD5, SHA, old crypt and
plain text
*/

if (cryp == NULL) {
if (conn->validator->passwd.buf == NULL) {
ret_auth = ret_ok;
else
ret_auth = ret_error;
} else if (strncmp (cryp, "$apr1$", 6) == 0) {

Then you can remove all explicit buffer empty things too. I think this
is all one very bad idea.

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev

codesite-noreply at google

Nov 15, 2009, 7:52 AM

Post #5 of 5 (31 views)
Permalink

Re: Issue 593 in cherokee: Segmentation fault in validator_htpasswd [In reply to]

Updates:
Status: Fixed
Owner: alobbs

Comment #4 on issue 593 by alobbs: Segmentation fault in validator_htpasswd
http://code.google.com/p/cherokee/issues/detail?id=593

r3817 fixed it:

http://svn.cherokee-project.com/changeset/3817

Thanks Stefan!!

--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
_______________________________________________
Cherokee-dev mailing list
Cherokee-dev[at]lists.octality.com
http://lists.octality.com/listinfo/cherokee-dev

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com