Item1780: Under Windows using sha1 passwords new registrations create non working password

Priority: Urgent
Current State: Closed
Released In: 1.0.7
Target Release: patch
Applies To: Engine
Reported By: KennethLavrsen
Waiting For:
Last Change By: KennethLavrsen
Some change to the way sha1 passwords are encoded was added in one of the CSRF feature checkins and it seems this code has not been tested enough.

The consequence is that under 1.0.6 new users in a Windows native installation will not be able to log in. They will get password mismatch.

The problem is that the code was simplified, but the simpler code requires that you manually suffix the encrypted string with a '='. The documentation actually says that.

This is a critical error that means I have to release a 1.0.7 within a few days.


You can easily edit a file by hand. It is one code line that needs to change.

Below is the patch

--- branches/Release01x00/core/lib/Foswiki/Users/   2009-06-30 21:47:43 UTC (rev 4331)
+++ branches/Release01x00/core/lib/Foswiki/Users/   2009-06-30 22:47:26 UTC (rev 4332)
@@ -167,7 +167,7 @@
     if ( $Foswiki::cfg{Htpasswd}{Encoding} eq 'sha1' ) {
         my $encodedPassword =
-          '{SHA}' . Digest::SHA::sha1_base64($passwd);
+          '{SHA}' . Digest::SHA::sha1_base64($passwd) . '=';
         # don't use chomp, it relies on $/
         $encodedPassword =~ s/\s+$//;
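Review bot: the hard-coded '=' on the `+` line is correct only because a SHA-1 digest is 20 bytes, so `Digest::SHA::sha1_base64` returns 27 characters and exactly one pad character is missing; a comment next to the concatenation saying so would make the intent clear, or the padding could come from `MIME::Base64::encode_base64(Digest::SHA::sha1($passwd), '')`, which emits it itself. The `s/\s+$//` that follows is unaffected, since '=' is not whitespace.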

So all you need to do is go to lib/Foswiki/Users/

Find the line

'{SHA}' . Digest::SHA::sha1_base64($passwd);

and change it to

'{SHA}' . Digest::SHA::sha1_base64($passwd) . '=';

Already registered users with the problem are easy to fix.

Look in the data/.htpasswd file for any entries where the characters before the email address are not '=:' and add the missing '='.

-- KennethLavrsen - 30 Jun 2009
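As an added example (not Foswiki code), the following Python models the bug and the manual .htpasswd repair the report describes: Digest::SHA::sha1_base64 omits base64 padding, so the 1.0.6 line stores 27 characters where a padded {SHA} hash has 28, and a login check against the padded form fails. The .htpasswd layout (user:hash:email), the sample entries and the comparison logic are assumptions modelled on the report.

```python
import base64
import hashlib

# Constructed sample .htpasswd, in the user:{SHA}hash:email layout the
# report describes. bob's entry was written by the 1.0.6 code and is
# missing the trailing '=' pad character.
SAMPLE_HTPASSWD = """\
alice:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=:alice@example.com
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g:bob@example.com
"""


def sha1_base64_unpadded(password: str) -> str:
    """Mimic Digest::SHA::sha1_base64, which drops base64 '=' padding."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def encode_sha_broken(password: str) -> str:
    """The 1.0.6 line: no padding, 27 characters after {SHA}."""
    return "{SHA}" + sha1_base64_unpadded(password)


def encode_sha_fixed(password: str) -> str:
    """The 1.0.7 line: the one missing pad character is appended."""
    return "{SHA}" + sha1_base64_unpadded(password) + "="


def check_password(stored: str, password: str) -> bool:
    """Assumed login check: compare against the padded {SHA} form."""
    return stored == encode_sha_fixed(password)


def stored_hash(htpasswd: str, user: str) -> str:
    """Return the hash field of one user's line (assumed layout)."""
    for line in htpasswd.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields[1]
    raise KeyError(user)


def repair_htpasswd(htpasswd: str) -> str:
    """Add the missing '=' to every {SHA} entry that lacks it."""
    fixed = []
    for line in htpasswd.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("{SHA}") \
                and not fields[1].endswith("="):
            fields[1] += "="
        fixed.append(":".join(fields))
    return "\n".join(fixed) + "\n"
```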


Summary Under Windows using sha1 passwords new registrations create non working password
ReportedBy KennethLavrsen
Codebase 1.0.6
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Engine
Priority Urgent
CurrentState Closed
Checkins distro:661ef6575a40 distro:5c11de965f18
TargetRelease patch
ReleasedIn 1.0.7
Topic revision: r5 - 20 Sep 2009, KennethLavrsen