I've been migrating from Trac to TWiki the last week. We use a common shared password file with our Trac and our Subversion repository, which is based on Apache's htdigest format. TWiki seems to support the digest passwords just fine (select "md5" as the password format); however, it only writes an htpasswd-format file. A simple patch to HtPasswdUser.pm allows it to write the proper htdigest format when md5 format is selected. Further, without this patch, TWiki treats the MD5 hash of the password as an email address.
I have tested this patch to TWiki 4.2.2 for password reset, password change, and email change and email sending, and it seems to do the right thing.
-- TWiki:Main/VivekKhera - 25 Aug 2008
Here's the patch:
--- HtPasswdUser.pm-dist 2008-08-10 10:54:19.000000000 -0400
+++ HtPasswdUser.pm 2008-08-22 23:12:01.000000000 -0400
@@ -119,10 +119,17 @@
throw Error::Simple( $TWiki::cfg{Htpasswd}{FileName}.' open failed: '.$! );
my $line = '';
while (defined ($line =<IN_FILE>) ) {
- if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {
- $data->{$1}->{pass} = $2;
- $data->{$1}->{emails} = $3 || '';
- }
+ if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+ if( $line =~ /^(.*?):(.*?):(.*?)(?::(.*))?$/ ) {
+ $data->{$1}->{pass} = $3;
+ $data->{$1}->{emails} = $4 || '';
+ }
+ } else { # htpasswd format
+ if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {
+ $data->{$1}->{pass} = $2;
+ $data->{$1}->{emails} = $3 || '';
+ }
+ }
}
close( IN_FILE );
$this->{passworddata} = $data;
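Review bot: In the md5 branch, the four-field regex /^(.*?):(.*?):(.*?)(?::(.*))?$/ also matches a line in the three-field layout the removed code accepted (user:hash:emails), and in that case it stores the emails field as {pass} while the hash lands in the unused $2 capture. If a file written in that layout can still be present when Encoding is 'md5', the wrong value is loaded as the password hash without any error. Suggest checking that $3 looks like a 32-hex-digit digest before accepting the line, and keeping the parsed realm ($2) in $data->{$1} rather than discarding it.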
@@ -133,7 +140,11 @@
my $db = shift;
my $s = '';
foreach ( sort keys %$db ) {
- $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+ if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+ $s .= $_.':'.$TWiki::cfg{AuthRealm}.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+ } else { # htpasswd format
+ $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+ }
}
return $s;
}
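Review bot: The md5 branch of the write loop emits $TWiki::cfg{AuthRealm} for every user, but the read side never stores the realm it parsed, so an entry whose realm in the file differs from AuthRealm is written back under a different realm. An htdigest hash is computed over user:realm:password, so such an entry would no longer verify, which matters for a password file shared with other services. Suggest saving the realm per user on read and writing that value back, using AuthRealm only for newly created entries. The trailing ':'.$db->{$_}->{emails} field also goes beyond the user:realm:hash layout and deserves a comment saying it is a TWiki extension.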
-- TWiki:Main.VivekKhera - 25 Aug 2008
Can some of the core developers review this patch please? Release meeting topic.
-- TWiki:Main.KennethLavrsen - 18 Sep 2008
Scary. Reading the htpasswd man page:
htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system’s crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt()
and yet, we've been encoding md5 using realm - as though for htdigest, but as the patch above shows, writing out in the wrong form.
Committing.
-- TWiki:Main.SvenDowideit - 05 Oct 2008
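The htdigest layout discussed in this thread, as an added example that is not part of the original posts or of TWiki's code: it builds and parses user:realm:hash lines (with the trailing emails field the patch writes), keeps each entry's realm across a read/write round trip, and rejects a line in the older user:hash:emails layout. The function names, users, realms and passwords are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not TWiki code. Assumed layout: user:realm:hash[:emails],
# where hash = MD5 hex of "user:realm:password" (htdigest).
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

sub digest_hash {
    my ( $user, $realm, $password ) = @_;
    return md5_hex("$user:$realm:$password");
}

# Parse one line; keep the realm from the file instead of assuming one.
sub parse_digest_line {
    my ($line) = @_;
    chomp $line;
    my ( $user, $realm, $hash, $emails ) = split /:/, $line, 4;
    # Reject lines whose third field is not a 32-hex-digit digest,
    # e.g. the older user:hash:emails layout.
    return unless defined $hash && $hash =~ /^[0-9a-f]{32}$/;
    return { user => $user, realm => $realm, pass => $hash,
             emails => defined $emails ? $emails : '' };
}

sub format_digest_line {
    my ($e) = @_;
    return join( ':', @{$e}{qw(user realm pass emails)} ) . "\n";
}

sub check_password {
    my ( $e, $password ) = @_;
    return digest_hash( $e->{user}, $e->{realm}, $password ) eq $e->{pass};
}

# Constructed sample data: two realms in one shared file, one old-layout line.
my %pw = ( alice => 'constructed-pw-1', bob => 'constructed-pw-2' );
my @lines = (
    'alice:wiki:' . digest_hash( 'alice', 'wiki', $pw{alice} ) . ":alice\@example.com\n",
    'bob:svn:' . digest_hash( 'bob', 'svn', $pw{bob} ) . ":\n",
    'carol:' . md5_hex('constructed') . ":carol\@example.com\n",
);
for my $line (@lines) {
    my $e = parse_digest_line($line);
    if ( !$e ) { print "rejected: $line"; next; }
    printf "%s realm=%s password_ok=%s round_trip_ok=%s\n",
        $e->{user}, $e->{realm},
        ( check_password( $e, $pw{ $e->{user} } ) ? 'yes' : 'no' ),
        ( format_digest_line($e) eq $line ? 'yes' : 'no' );
}
```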
Thanks TWiki:Main.VivekKhera for providing the patch - I have verified this with a few test TWiki instances - works great.
Thanks SvenDowideit for checkin.
-- SopanShewale - 26 Nov 2008
Closing After Release 4.2.4
-- TWIKI:Main.SopanShewale - 11 Dec 2008