From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] proxy.cgi: Switch to MD5 hashed passwords for local user auth.
Date: Fri, 07 Feb 2020 11:33:42 +0000
Message-ID: <21B578ED-0778-4FE7-8B8D-654F88CFC1EA@ipfire.org>
In-Reply-To: <20200207110640.5264-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6665465302802206999=="
List-Id: <development.lists.ipfire.org>

--===============6665465302802206999==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Ah yes, it is great to finally deploy MD5 in 2020.

Luckily this doesn=E2=80=99t matter because the passwords are being sent in p=
lain text over an unencrypted channel.

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 7 Feb 2020, at 11:06, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>=20
> The former used default Crypt algorithmus only supports passwords up to
> eight signs wheater MD5 does not have any limitation here.
>=20
> Fixes 12290.
>=20
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> html/cgi-bin/proxy.cgi | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>=20
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index b63964081..06aca579b 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3945,7 +3945,13 @@ sub adduser
> 	} else {
> 		&deluser($str_user);
>=20
> -		my $htpasswd =3D new Apache::Htpasswd("$userdb");
> +		my %htpasswd_options =3D (
> +			passwdFile =3D> "$userdb",
> +			UseMD5 =3D> 1,
> +		);
> +
> +		my $htpasswd =3D new Apache::Htpasswd(\%htpasswd_options);
> +
> 		$htpasswd->htpasswd($str_user, $str_pass);
> 	}
>=20
> --=20
> 2.25.0
>=20


--===============6665465302802206999==--