Package: libapache2-mod-auth-mysql
Version: 4.3.9-11

I noticed in Lenny (at least with 'Auth_MySQL_Encryption_Types Crypt') that setting 'Auth_MySQL_Empty_Passwords Off' doesn't prevent logging in with an empty password. The previously proposed patch, attached, fixes the issue.

Cheers, David
#! /bin/sh /usr/share/dpatch/dpatch-run ## 014-fixing_Auth_MySQL_Empty_Passwords.dpatch by <taf...@lapin64.tilapin.org> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: No description. @DPATCH@ diff -urNad mod-auth-mysql-4.3.9~/mod_auth_mysql.c mod-auth-mysql-4.3.9/mod_auth_mysql.c --- mod-auth-mysql-4.3.9~/mod_auth_mysql.c 2009-12-08 22:53:04.000000000 -0400 +++ mod-auth-mysql-4.3.9/mod_auth_mysql.c 2009-12-08 22:55:11.000000000 -0400 @@ -1287,10 +1287,16 @@ encryption_type_entry *ete; /* empty password support */ - if (sec->allow_empty_passwords && !strlen(hashed)) { - APACHELOG(APLOG_INFO, r, "User successful on empty password"); - return 1; - } + if (!strlen(hashed)) { + if (sec->allow_empty_passwords) { + APACHELOG(APLOG_INFO, r, "User successful on empty password"); + return 1; + } else { + APACHELOG(APLOG_INFO, r, "Rejecting login because of empty password field in DB"); + return 0; + } + } + for (ete=supported_encryption_types; ete->name; ete++) { if (sec->encryption_types & ete->flag) {
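
Review bot: in the `sec->allow_empty_passwords` branch, `return 1` is still reached whenever the stored hash is empty, and nothing in the visible lines compares the submitted password with anything, so as far as this hunk shows, any submitted password is accepted for such an account. If that is the intended meaning of the directive, a comment saying so would help; otherwise, check that the submitted password is also empty before returning 1. In the new `else` branch, consider logging the rejection at a more severe level than APLOG_INFO so that rows with an empty password field get noticed, and replace `## DP: No description.` in the dpatch header with a line describing the fix.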