
Item5957: htdigest format password file gets stomped on password or email change/reset

Item Form Data

AppliesTo: Engine
Component: HtPasswdUser
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 4.2.4, 5.0.0


Detail

I've been migrating from Trac to TWiki for the last week. We use a common shared password file with our Trac and our Subversion repository, which is based on Apache's htdigest format. TWiki seems to support the digest passwords just fine (select "md5" as the password format); however, it only writes an htpasswd format file. A simple patch to HtPasswdUser.pm allows it to write the proper htdigest format when md5 format is selected. Further, without this patch, TWiki treats the MD5 hash of the password as an email address.

I have tested this patch to TWiki 4.2.2 for password reset, password change, and email change and email sending, and it seems to do the right thing.

-- TWiki:Main/VivekKhera - 25 Aug 2008

Here's the patch:

--- HtPasswdUser.pm-dist   2008-08-10 10:54:19.000000000 -0400
+++ HtPasswdUser.pm   2008-08-22 23:12:01.000000000 -0400
@@ -119,10 +119,17 @@
       throw Error::Simple( $TWiki::cfg{Htpasswd}{FileName}.' open failed: '.$! );
     my $line = '';
     while (defined ($line =<IN_FILE>) ) {
-        if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {      
-            $data->{$1}->{pass} = $2;
-            $data->{$1}->{emails} = $3 || '';
-        }
+   if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+          if( $line =~ /^(.*?):(.*?):(.*?)(?::(.*))?$/ ) {
+              $data->{$1}->{pass} = $3;
+              $data->{$1}->{emails} = $4 || '';
+          }
+   } else { # htpasswd format
+          if( $line =~ /^(.*?):(.*?)(?::(.*))?$/ ) {
+              $data->{$1}->{pass} = $2;
+              $data->{$1}->{emails} = $3 || '';
+          }
+   }
     }
     close( IN_FILE );
     $this->{passworddata} = $data;
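Review bot: In the new md5 branch the realm captured as `$2` is thrown away, so `$data` keeps no record of which realm each line belonged to; in a password file shared with other tools, as the report describes, an entry from a realm other than `$TWiki::cfg{AuthRealm}` is loaded as if it were TWiki's own. Suggest storing it, e.g. `$data->{$1}->{realm} = $2;`, so the writer can put the same realm back, or skipping lines whose realm differs from the configured one. Lines that match neither regex are silently dropped in both branches, which loses them on the next write; a warning or pass-through would be safer. The indentation of the added `if`/`else` lines also does not line up with the surrounding code.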
@@ -133,7 +140,11 @@
     my $db = shift;
     my $s = '';
     foreach ( sort keys %$db ) {
-        $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   if ( $TWiki::cfg{Htpasswd}{Encoding} eq 'md5' ) { # htdigest format
+          $s .= $_.':'.$TWiki::cfg{AuthRealm}.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   } else { # htpasswd format
+          $s .= $_.':'.$db->{$_}->{pass}.':'.$db->{$_}->{emails}."\n";
+   }
     }
     return $s;
 }
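Review bot: The md5 branch writes `$TWiki::cfg{AuthRealm}` on every line regardless of the realm that line had when it was read, so a save rewrites the realm field of every entry while leaving the stored hash untouched. Suggest writing back the realm read for each user and falling back to `$TWiki::cfg{AuthRealm}` only for new entries. Both branches also append `':'.$db->{$_}->{emails}` unconditionally, so an entry with no email is written with a trailing colon that other consumers of the shared file have to tolerate; consider emitting the email field only when it is non-empty. The `$TWiki::cfg{Htpasswd}{Encoding} eq 'md5'` test is now duplicated in the reader and the writer and could live in one helper.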

-- TWiki:Main.VivekKhera - 25 Aug 2008

Can some of the core developers review this patch, please?

Release meeting topic

-- TWiki:Main.KennethLavrsen - 18 Sep 2008

Scary. Reading the htpasswd man page: htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system’s crypt() routine. Files managed by htpasswd may contain both types of passwords; some user records may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

and yet, we've been encoding md5 using realm - as though for htdigest, but as the patch above shows, writing out in the wrong form.

Committing.

-- TWiki:Main.SvenDowideit - 05 Oct 2008

Thanks TWiki:Main.VivekKhera for providing the patch - I have verified this with a few test TWiki instances - works great. Thanks SvenDowideit for the check-in.

-- SopanShewale - 26 Nov 2008

Closing After Release 4.2.4

-- TWIKI:Main.SopanShewale - 11 Dec 2008
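
What the removed and added lines of the patch do to one htdigest line across a password change, as an added example that is not part of the original report or TWiki's code (Python rather than Perl; the user, realm and passwords are constructed). `dump_digest` keeping the realm read from the line and omitting an empty email field is a choice of this example, not the patch's behaviour.

```python
import hashlib
import re

# Regexes as they appear in the patch: 3-field (old) and 4-field (htdigest).
OLD_RE = re.compile(r'^(.*?):(.*?)(?::(.*))?$')
DIGEST_RE = re.compile(r'^(.*?):(.*?):(.*?)(?::(.*))?$')

def digest_hash(user, realm, password):
    """htdigest stores the hex MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def parse_old(line):
    """Pre-patch read: every line is treated as user:pass:emails."""
    user, pw, emails = OLD_RE.match(line).groups()
    return {"user": user, "pass": pw, "emails": emails or ""}

def dump_old(entry):
    """Pre-patch write: always user:pass:emails."""
    return f"{entry['user']}:{entry['pass']}:{entry['emails']}"

def parse_digest(line):
    """Format-aware read that also keeps the realm found on the line."""
    user, realm, pw, emails = DIGEST_RE.match(line).groups()
    return {"user": user, "realm": realm, "pass": pw, "emails": emails or ""}

def dump_digest(entry):
    """Write user:realm:hash, adding the email field only when it is set."""
    fields = [entry["user"], entry["realm"], entry["pass"]]
    if entry["emails"]:
        fields.append(entry["emails"])
    return ":".join(fields)

# Constructed sample: user, realm and passwords are made up for this example.
USER, REALM = "alice", "Dev Realm"
LINE = f"{USER}:{REALM}:{digest_hash(USER, REALM, 'old-secret')}"
NEW_HASH = digest_hash(USER, REALM, "new-secret")

old = parse_old(LINE)        # realm lands in 'pass', old hash in 'emails'
old["pass"] = NEW_HASH       # password change
STOMPED = dump_old(old)      # user:<new hash>:<old hash>, realm is gone

new = parse_digest(LINE)
new["pass"] = NEW_HASH       # same password change, format-aware
KEPT = dump_digest(new)      # user:realm:<new hash>

if __name__ == "__main__":
    print("before :", LINE)
    print("stomped:", STOMPED)
    print("kept   :", KEPT)
```
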

ItemTemplate
Summary htdigest format password file gets stomped on password or email change/reset
ReportedBy TWiki:Main.VivekKhera
Codebase 4.2.2
SVN Range

AppliesTo Engine
Component HtPasswdUser
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:17589 TWikirev:17590
TargetRelease patch
ReleasedIn 4.2.4, 5.0.0
Topic attachments
Attachment: twiki.digest.patch (r1, 1.4 K, 2008-08-25 - 15:11, UnknownUser) - Patch to HtPasswdUser.pm
Topic revision: r8 - 2008-12-11 - SopanShewale
 