Mailing List Archive

Comment fields in htpasswd
I am not quite sure if this was what that bug-report was after;
I cannot find it in my bin anymore; but this is what we used
to run here when the tcl/tk tools from CERN were still in
use. Should be quite safe to add; I really cannot imagine
any system crypt allowing colons in the passwd.

But although this would work for mod_auth.c; one would need
to do mod_auth_dbm/sql/... as well.

If this is considered good; I'll do that; i.e. update the
docs and those three modules too.

Any ideas ? Anyone ?

Dw.



Index: mod_auth.c
===================================================================
RCS file: /home/cvs/apache/src/mod_auth.c,v
retrieving revision 1.1.1.2
diff -c -3 -r1.1.1.2 mod_auth.c
*** mod_auth.c 1997/01/03 17:15:09 1.1.1.2
--- mod_auth.c 1997/01/03 17:33:45
***************
*** 125,132 ****
if((l[0] == '#') || (!l[0])) continue;
rpw = l;
w = getword(r->pool, &rpw, ':');
!
! if(!strcmp(user,w)) {
pfclose(r->pool, f);
return pstrdup (r->pool, rpw);
}
--- 125,153 ----
if((l[0] == '#') || (!l[0])) continue;
rpw = l;
w = getword(r->pool, &rpw, ':');
!
! #ifndef COLONS_IN_HTPASSWD
! /* Most passwd(5) like files allow for (extra) colon
! * separated fields; and most crypt() functions on most
! * platforms use a base64 kind of encoding; which ensures
! * there are no colons in the password itself; hence
! * the next little shortcut; which allows seasoned admins
! * to make use of extra fields for their own purposes..
! *
! * dirkx:agf87346ask: That guy in building 27
! * smith:3247hjdaskd: For the the ISIS project; on ext 9549
! *
! * As a little aside; you can then also use the nice
! * CERN-httpd tcl/tk tools which do a userid:passwd:expirydate
! * kind of lines.
! *
! */
! { int pos=ind(rpw,':');
! if (pos >=0)
! rpw[pos]='\0'; /* just zap the rest of the line;
! * we are in pool space anyway. But
! * this might make other modules unhappy
! * if they need that third/extra field
! */
! }
! #endif
! if(!strcmp(user,w)) {
pfclose(r->pool, f);
return pstrdup (r->pool, rpw);
}
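
Review bot: The truncation block between #ifndef COLONS_IN_HTPASSWD and #endif runs on every non-comment line, before the strcmp(user,w) test, so each entry in the file is scanned for a second colon even when the user does not match; moving it inside the if(!strcmp(user,w)) branch, just before pstrdup, limits the work to the matching entry. The comment "we are in pool space anyway" does not fit the visible code: rpw still points into l at that point and the pool copy is only made by pstrdup on return, so the comment should say that the line buffer is being modified. A line such as user::comment now yields an empty string as the stored hash; either reject that case here or confirm the caller treats an empty hash as no match. COLONS_IN_HTPASSWD also needs a sentence in the docs stating that defining it disables the truncation.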
dirkx.twirke:src $
Re: Comment fields in htpasswd
> Should be quite safe to add; I really cannot imagine
> any system crypt allowing colons in the passwd.
>
> But although this would work for mod_auth.c; one would need
> to do mod_auth_dbm/sql/... as well.

Yes, this has always been allowed in mod_auth_dbm (since I wrote the stuff
to piggy-back a group list into the same auth file*). I'm sure I did a
patch for the .htpasswd files ignoring things after :'s in 1995 (back in
the days when we used to have patch files with names like E90!), we
certainly ran that patch on telescope.org until we switched to DBM's.

+1 on mod_auth ignoring anything after the second colon as default.

Mark@ukweb

* the idea was to allow people to store the password and group info in
one DBM file with the format user:password:comma list of groups:ignored
The user file if used on its own can have user:password:ignored but
the group file has to be either user:groups or user::groups:ignored
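
The field layouts described in the message above (user:password:ignored for a user file, user:groups or user::groups:ignored for a group file), as an added C example that is not code from the thread or from Apache. The names parse_auth_line, next_field and auth_want are hypothetical, and rejecting an empty hash field is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

enum auth_want { WANT_HASH, WANT_GROUPS };   /* hypothetical names */

/* Copy the next colon-delimited field of *p into dst and step past the
 * delimiter. Returns 1 if another field follows, 0 at end of line, -1 if
 * the field does not fit in dst. */
static int next_field(const char **p, char *dst, size_t cap)
{
    size_t n = strcspn(*p, ":\r\n");
    if (n >= cap) return -1;
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p += n;
    if (**p != ':') return 0;
    (*p)++;
    return 1;
}

/* Extract the user plus either the hash or the group list from one line.
 * Returns 0 on success, -1 for comment, blank, malformed or oversized
 * lines. Fields after the requested one are ignored. */
int parse_auth_line(const char *line, enum auth_want want,
                    char *user, size_t ucap, char *out, size_t ocap)
{
    char skip[128];                  /* unwanted password field */
    if (ucap == 0 || ocap == 0 || line[0] == '#') return -1;
    out[0] = '\0';
    if (next_field(&line, user, ucap) != 1 || user[0] == '\0') return -1;
    if (want == WANT_HASH)
        /* Stop at the second colon. Rejecting an empty hash is this
         * example's choice, not documented Apache behaviour. */
        return (next_field(&line, out, ocap) < 0 || out[0] == '\0') ? -1 : 0;
    if (strchr(line, ':') == NULL)                     /* user:groups */
        return next_field(&line, out, ocap) < 0 ? -1 : 0;
    if (next_field(&line, skip, sizeof skip) != 1) return -1;
    return next_field(&line, out, ocap) < 0 ? -1 : 0;  /* user:pw:groups */
}

int main(void)
{
    char u[32], v[64];
    /* Sample line taken from the comment in the patch above. */
    if (parse_auth_line("dirkx:agf87346ask: That guy in building 27",
                        WANT_HASH, u, sizeof u, v, sizeof v) == 0)
        printf("%s -> %s\n", u, v);
    return 0;
}
```
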
Re: Comment fields in htpasswd
Mark J Cox <mark@ukweb.com> writes:

> > Should be quite safe to add; I really cannot imagine
> > any system crypt allowing colons in the passwd.

I missed the beginning of this thread? Who says you can't pass colons
to crypt? Crypt can encrypt arbitrary files, it's got zilch to do with
passwords. Colons may not be allowed in passwords but that has nothing
to do with crypt. Since I don't know the context of this I don't know
why this would be an issue.

--
Paul Richards. Originative Solutions Ltd. (Netcraft Ltd. contractor)
Elsevier Science TIS online journal project.
Email: p.richards@elsevier.co.uk
Phone: 0370 462071 (Mobile), +44 (0)1865 843155