
Item5957: htdigest format password file gets stomped on password or email change/reset

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: HtPasswdUser
WaitingFor:
I've been migrating from Trac to TWiki the last week. We use a common shared password file with our Trac and our subversion repository, which is based on Apache's htdigest format. TWiki seems to support the digest passwords just fine (select "md5" as the password format); however, it only writes an htpasswd format file. A simple patch to HtPasswdUser.pm allows it to write the proper htdigest format when md5 format is selected. Further, without this patch, TWiki treats the MD5 hash of the password as an email address.

I have tested this patch to TWiki 4.2.2 for password reset, password change, and email change and email sending, and it seems to do the right thing.

-- TWiki:Main/VivekKhera - 25 Aug 2008

Here's the patch:
--- HtPasswdUser.pm-dist   2008-08-10 10:54:19.000000000 -0400
+++ HtPasswdUser.pm   2008-08-22 23:12:01.000000000 -0400
@@ -119,10 +119,17 @@
       throw Error::Simple( $TWiki::cfg{Htpasswd}{FileName}.' open failed: '.$! );
     my $line = '';
     while (defined ($line =<IN_FILE>) ) {
-        if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {      
-            $data->{$1}->{pass} = $2;
-            $data->{$1}->{emails} = $3 || '';
-        }
+   if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+          if( $line =~ /^(.*?):(.*?):(.*?)(?::(.*))?$/ ) {
+              $data->{$1}->{pass} = $3;
+              $data->{$1}->{emails} = $4 || '';
+          }
+   } else { # htpasswd format
+          if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {
+              $data->{$1}->{pass} = $2;
+              $data->{$1}->{emails} = $3 || '';
+          }
+   }
     }
     close( IN_FILE );
     $this->{passworddata} = $data;
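Review bot: the md5 branch discards the realm captured by the second group and silently skips any line that matches neither pattern, and since the whole table is written back on the next save, an entry that fails to parse is lost. A legacy three-field `user:hash:email` line left in a file now read as htdigest is worse: this regex matches it with the hash as realm and the email as the password, so it is stored corrupted rather than skipped. Suggest keeping the realm per record (e.g. `$data->{$1}->{realm} = $2;`) and logging or throwing on lines that do not fit the configured format. Also, the new lines are indented with three spaces inside a four-space block; please match the surrounding indentation.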
@@ -133,7 +140,11 @@
     my $db = shift;
     my $s = '';
     foreach ( sort keys %$db ) {
-        $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+          $s .= $_.':'.$TWiki::cfg{AuthRealm}.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   } else { # htpasswd format
+          $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   }
     }
     return $s;
 }
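Review bot: the htdigest branch writes `$TWiki::cfg{AuthRealm}` for every record, so any entry read from the file with a different realm (a file shared with Trac and Subversion may well contain more than one) is rewritten under the configured realm, and because the stored MD5 is computed using the realm, those users can no longer authenticate after the first password or email change. Write back the realm that was read with each record and fall back to `$TWiki::cfg{AuthRealm}` only for newly created entries. The `Encoding` test is also re-evaluated for every record in both loops; checking it once before the loop would be cleaner.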

-- TWiki:Main.VivekKhera - 25 Aug 2008

Can some of the core developers review this patch, please?

Release meeting topic

-- TWiki:Main.KennethLavrsen - 18 Sep 2008

Scary. Reading the htpasswd man page: "htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system's crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt()"

and yet, we've been encoding md5 using realm - as though for htdigest, but as the patch above shows, writing out in the wrong form.

Committing.

-- TWiki:Main.SvenDowideit - 05 Oct 2008
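As an added example (not code from the ticket, TWiki or Foswiki), here is a Python sketch of the two record shapes the patch distinguishes and of the digest check Sven describes: htdigest stores MD5 over user:realm:password, so the realm kept with a record must be the one it was hashed with. Unlike the patch, it keeps the realm per record on read and write, and it rejects a legacy htpasswd line fed through the htdigest regex instead of storing the email as the hash. The sample records and hash values are constructed.

```python
import hashlib
import hmac
import re

def digest_hash(user, realm, password):
    """htdigest stores MD5 over 'user:realm:password' as 32 hex digits."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def parse_line(line, encoding):
    """Parse one record with the patch's regexes, but keep the realm and
    reject lines whose shape does not fit the configured encoding."""
    line = line.rstrip("\n")
    if encoding == "md5":
        m = re.match(r"^(.*?):(.*?):(.*?)(?::(.*))?$", line)
        if not m:
            raise ValueError(f"not an htdigest record: {line!r}")
        user, realm, pw, emails = m.groups()
        # A legacy 'user:hash:email' line read as htdigest lands the email in
        # the hash column; refuse it rather than store garbage that the
        # next write would persist.
        if not re.fullmatch(r"[0-9a-f]{32}", pw):
            raise ValueError(f"hash column is not an MD5 digest: {line!r}")
    else:
        m = re.match(r"^(.*?):(.*?)(?::(.*))?$", line)
        if not m:
            raise ValueError(f"not an htpasswd record: {line!r}")
        user, pw, emails = m.groups()
        realm = None
    return {"user": user, "realm": realm, "pass": pw, "emails": emails or ""}

def format_line(rec, encoding):
    """Serialise a record; the htdigest form keeps the realm the record was
    read with instead of substituting a single configured realm."""
    if encoding == "md5":
        return f"{rec['user']}:{rec['realm']}:{rec['pass']}:{rec['emails']}\n"
    return f"{rec['user']}:{rec['pass']}:{rec['emails']}\n"

def verify(rec, password):
    """Check a password against an htdigest record using that record's realm."""
    expected = digest_hash(rec["user"], rec["realm"], password)
    return hmac.compare_digest(expected, rec["pass"])

# Constructed sample records (not from the ticket); the htpasswd hash is made
# up, the digest is computed for the password 'correct horse'.
DIGEST_LINE = "alice:TWiki:" + digest_hash("alice", "TWiki", "correct horse") + ":alice@example.com\n"
HTPASSWD_LINE = "bob:$apr1$x$notarealhash:bob@example.com\n"
```

Feeding HTPASSWD_LINE through parse_line with encoding "md5" raises ValueError, which is the migration case the patch's loop would misparse without complaint.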


Summary: htdigest format password file gets stomped on password or email change/reset
ReportedBy: TWiki:Main.VivekKhera
Codebase:
SVN Range:
AppliesTo: Engine
Component: HtPasswdUser
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: TWikirev:17589 TWikirev:17590
TargetRelease: patch
ReleasedIn:
Topic attachments
twiki.digest.patch (1.4 K, 25 Aug 2008 - 15:11, UnknownUser): Patch to HtPasswdUser.pm
Topic revision: r8 - 08 Jan 2009, KwangErnLiew