Feature #610

closed

Extending htpasswd to ease migration of existing applications

Added by Anonymous about 18 years ago. Updated over 15 years ago.

Status:
Wontfix
Priority:
Normal
Category:
mod_auth
Target version:
-

Description

Some boneheaded applications (i.e. Twiki) create htpasswd files in the form:


UserName:crypted_password:email_address

Because Apache supports this format (even though it isn't strictly htpasswd), existing applications tend to use it. In order to ease migration away from Apache, it would be best if lighttpd could support this extension as well.

The patch is below with ample comments. It deserves mention again that the crypted password, in my experience, is only 13 characters long.


--- http_auth.c.old    2006-03-31 19:13:21.000000000 -0500
+++ http_auth.c    2006-04-07 16:25:08.000000000 -0400
@@ -233,7 +233,7 @@
         f_line = f.start;

         while (f_line - f.start != f.size) {
-            char *f_user, *f_pwd, *e;
+            char *f_user, *f_pwd, *e, *m;
             size_t u_len, pwd_len;

             f_user = f_line;
@@ -242,6 +242,17 @@
              * htpasswd format
              * 
              * user:crypted passwd
+             *
+             * NOTE: Some applications generate htpasswd files in the format:
+             *         user:crypted_password:email. Apache supports this and
+             *         lighttpd does not, which makes migration more difficult
+             *
+             * From the apache manpage:
+             *        The MD5 algorithm used by htpasswd is specific to the Apache
+             *        software; passwords encrypted using it will not be usable
+             *        with other Web servers.
+             *
+             * Good thing I don't read manpages. Thomas Dodson tomd@uky.edu
              */

             if (NULL == (f_pwd = memchr(f_user, ':', f.size - (f_user - f.start) ))) {
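
Review bot: The added comment, from "From the apache manpage" down to "Good thing I don't read manpages", carries a personal remark and an e-mail address instead of documentation, and the quoted manpage text concerns the Apache MD5 algorithm, which nothing in this patch handles. Suggest keeping only the NOTE about the user:crypted_password:email layout and stating explicitly that everything from the second colon to the end of the line is ignored, since that is the behaviour the parser gains.
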
@@ -258,11 +269,37 @@
             u_len = f_pwd - f_user; 
             f_pwd++;

+            /* I'm relatively certain that crypted passwords are legnth 13.
+             * This is based not only on my experience, but also various 
+             * htpasswd generators.
+             * If this is, in fact, true, which most likely won't be resolved
+             * without exploring the htpasswd utility source, then this block 
+             * can be uncommented. It's much faster, it it does, in fact, work.
+
+            pwd_len = 13;
+            e = memchr(f_pwd, '\n', f.size - (f_pwd - f.start));
+
+             */
+
             if (NULL != (e = memchr(f_pwd, '\n', f.size - (f_pwd - f.start)))) {
-                pwd_len = e - f_pwd;
+                if (NULL != (m = memchr(f_pwd, ':', e - f_pwd))) {
+                    /* if there is a colon before the end of the line */
+                    pwd_len = m - f_pwd;
+                } else {
+                    pwd_len = e - f_pwd;
+                }
             } else {
-                pwd_len = f.size - (f_pwd - f.start);
+                if (NULL != (m = memchr(f_pwd, ':', f.size - (f_pwd - f.start)))) {
+                    pwd_len = m - f_pwd;
+                } else {
+                    pwd_len = f.size - (f_pwd - f.start);
+                }
             }
+
+            /* Assertions: pwd_len is the length of the password.
+             *               f_pwd points to the beginning of the password.
+             *               e points to the end of the line.
+             */

             if (username->used - 1 == u_len &&
                 (0 == strncmp(username->ptr, f_user, u_len))) {
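
Review bot: The commented-out shortcut `pwd_len = 13;` should be dropped rather than left for later. Thirteen characters is the length of a traditional DES crypt() hash only, and the comment added earlier in this same patch mentions Apache's MD5 format, whose hashes are longer, so a fixed length would truncate them. In the live code the `memchr(f_pwd, ':', ...)` search is written twice, once per branch; computing the line length first and searching for ':' once within it would be shorter and harder to get wrong. The closing "Assertions" comment also states that `e` points to the end of the line, but in the else branch (a last line with no trailing newline) `e` is NULL, so either remove that claim or assign `e` in that branch.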

-- Thomas Dodson <tomd

Actions #1

Updated by stbuehler over 15 years ago

  • Status changed from New to Fixed
  • Resolution set to wontfix

I don't like stupid workarounds, and it is really simple to convert the files.

Actions #2

Updated by stbuehler over 15 years ago

  • Status changed from Fixed to Wontfix
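
The file conversion that comment #1 refers to, as an added example that is not part of the original issue or of lighttpd's code: it keeps only `user:crypted_password` from each line of the three-field format in the description and reports lines it cannot parse instead of guessing. The function names and the sample entries (constructed, not real hashes) are assumptions made for illustration.

```python
import os
import tempfile

# Constructed sample in the user:crypted_password:email form from the description.
SAMPLE = (
    "AliceExample:abJnggxhB/yJo:alice@example.org\n"
    "BobExample:$apr1$constrct$0123456789abcdefghijkl:bob@example.org\n"
    "carol:cdEfGhIjKlMnO\n"
    "broken-line-without-colon\n"
    "dave::dave@example.org"  # empty password field, no trailing newline
)

def strip_extra_fields(text):
    """Return (converted_text, skipped_line_numbers).

    Each 'user:hash[:extra...]' line becomes 'user:hash'. The hash is kept
    verbatim whatever its length (13-character crypt or longer formats).
    """
    out, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)              # blank and comment lines pass through
            continue
        user, sep, rest = line.partition(":")
        pwd = rest.split(":", 1)[0]       # stop at the second colon, if any
        if not sep or not user or not pwd:
            skipped.append(lineno)        # malformed: report it, never guess
            continue
        out.append(f"{user}:{pwd}")
    return "\n".join(out) + ("\n" if out else ""), skipped

def convert_file(src, dst):
    """Write the converted copy of src to dst; return skipped line numbers."""
    with open(src, encoding="utf-8", newline="") as fh:
        converted, skipped = strip_extra_fields(fh.read())
    # mkstemp creates the file owner-only (0600), so the hashes are never
    # world-readable; os.replace then swaps it into place atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dst)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
            fh.write(converted)
        os.replace(tmp, dst)
    except BaseException:
        os.unlink(tmp)
        raise
    return skipped
```

Write the result to a new path and check the skipped line numbers before pointing the server at it; the e-mail addresses dropped here still exist in the original file.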