Package: libapache2-mod-auth-mysql
Version: 4.3.9

According to the docs, the purpose of 'Auth_MySQL_Empty_Passwords' is
"Whether or not to allow empty passwords. If the password field is empty (equals to '') and ... this [option] is 'off', [users] would be denied access."
At present, this is not what happens; users with a blank password field in the user database ARE in fact allowed to authenticate if they provide a blank password when prompted. Admittedly, one's password management system should probably prevent blank passwords from being stored in the first place, but this option would provide a useful final sanity check on the database to make sure that users cannot be trivially authenticated to an ostensibly password-protected site. I don't see that the behavior as it stands now is particularly desirable, at any rate -- if you wanted it, why not just set 'Auth_MySQL_Empty_Passwords' to 'On'?
I've observed this behavior under Apache 2.0.54, when specifying either 'Crypt' or 'Plaintext' for 'Auth_MySQL_Encryption_Types'; I haven't tried any others. I'm running Debian 3.1.
A patch which corrects this behavior follows: --- mod_auth_mysql.c 2006-09-01 17:50:29.000000000 -0400 +++ mod_auth_mysql.c 2006-09-01 17:54:37.000000000 -0400 @@ -1287,11 +1287,16 @@ encryption_type_entry *ete; /* empty password support */ - if (sec->allow_empty_passwords && !strlen(hashed)) { - APACHELOG(APLOG_INFO, r, "User successful on empty password"); - return 1; + if (!strlen(hashed)) { + if (sec->allow_empty_passwords) { + APACHELOG(APLOG_INFO, r, "User successful on empty password"); + return 1; + } else { + APACHELOG(APLOG_INFO, r, "Rejecting login because of empty password field in DB"); + return 0; + } } - + for (ete=supported_encryption_types; ete->name; ete++) { if (sec->encryption_types & ete->flag) { APACHELOG(APLOG_DEBUG, r,
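Review bot: the new rejection branch logs at APLOG_INFO, the same level as the "User successful on empty password" message beside it, yet an empty password field for an existing user is exactly the database-hygiene problem Auth_MySQL_Empty_Passwords Off is meant to surface; consider APLOG_WARNING (or at least a clearly distinct message) so the condition stands out in the error log. The `- ` / `+ ` pair after the new block is a whitespace-only change to a blank line, unrelated to the fix, and should be dropped so the hunk carries only the logic change. The `/* empty password support */` comment now sits over both the allow and reject branches; something like `/* empty password field in DB: honour Auth_MySQL_Empty_Passwords */` would describe the block as patched.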
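To make the ordering problem concrete, the following is an added, stand-alone illustration; it is not code from mod_auth_mysql or from the patch above. It models only the Plaintext encryption type (a byte-for-byte comparison of the stored field with the supplied password), so the Crypt case the reporter also observed is not reproduced here. The names `hashed` (the password column from the user table), `sent` (the password the browser supplied) and `allow_empty` (the Auth_MySQL_Empty_Passwords setting) are assumptions chosen to mirror the patch; the table of cases is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not mod_auth_mysql code. Only the Plaintext
 * comparison is modelled: the stored field must equal the supplied
 * password byte for byte.
 */

/* Ordering as in the 4.3.9 code quoted in the bug report: the empty stored
 * field is special-cased only when empty passwords are allowed. When they
 * are not, an empty stored field falls through to the comparison, where an
 * empty supplied password matches it, so the user is let in anyway. */
int check_before_patch(const char *hashed, const char *sent, bool allow_empty)
{
    if (allow_empty && !strlen(hashed))
        return 1;
    return strcmp(hashed, sent) == 0;
}

/* Ordering as in the patch: decide the empty-field case first, in both
 * directions, so the comparison never sees an empty stored field. */
int check_after_patch(const char *hashed, const char *sent, bool allow_empty)
{
    if (!strlen(hashed))
        return allow_empty ? 1 : 0;
    return strcmp(hashed, sent) == 0;
}

struct tcase {
    const char *hashed;   /* password column in the user table */
    const char *sent;     /* password typed at the browser prompt */
    bool allow_empty;     /* Auth_MySQL_Empty_Passwords On/Off */
};

/* Constructed cases; the first row is the reporter's scenario. */
static const struct tcase cases[] = {
    { "",       "",       false },
    { "",       "",       true  },
    { "",       "guess",  false },
    { "s3cret", "s3cret", false },
    { "s3cret", "",       false },
};

int main(void)
{
    printf("%-8s %-8s %-6s %-7s %-7s\n",
           "stored", "sent", "empty", "before", "after");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const struct tcase *c = &cases[i];
        printf("%-8s %-8s %-6s %-7d %-7d\n",
               c->hashed[0] ? c->hashed : "(empty)",
               c->sent[0]   ? c->sent   : "(empty)",
               c->allow_empty ? "On" : "Off",
               check_before_patch(c->hashed, c->sent, c->allow_empty),
               check_after_patch(c->hashed, c->sent, c->allow_empty));
    }
    return 0;
}
```

The first row is the whole bug: with the option Off, `check_before_patch` still returns 1 for an empty stored field and an empty supplied password, while `check_after_patch` returns 0. The remaining rows show that the patched ordering leaves every other outcome unchanged, including the existing behaviour that an empty stored field plus Auth_MySQL_Empty_Passwords On accepts the login.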