BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported
When an unknown encryption algorithm is used in userlists or the password is
not pasted correctly in the configuration, http authentication silently fails.
An initial check is now performed during the configuration parsing, in order to
verify that the encrypted password is supported. An unsupported password will
fail with a fatal error.
This patch should be backported to 1.4 and 1.5.
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 42c1790..2519e84 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -10,6 +10,16 @@
*
*/
+#ifdef CONFIG_HAP_CRYPT
+/* This is to have crypt() defined on Linux */
+#define _GNU_SOURCE
+
+#ifdef NEED_CRYPT_H
+/* some platforms such as Solaris need this */
+#include <crypt.h>
+#endif
+#endif /* CONFIG_HAP_CRYPT */
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -5741,7 +5751,14 @@
while (*args[cur_arg]) {
if (!strcmp(args[cur_arg], "password")) {
-#ifndef CONFIG_HAP_CRYPT
+#ifdef CONFIG_HAP_CRYPT
+ if (!crypt("", args[cur_arg + 1])) {
+ Alert("parsing [%s:%d]: the encrypted password used for user '%s' is not supported by crypt(3).\n",
+ file, linenum, newuser->user);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+#else
Warning("parsing [%s:%d]: no crypt(3) support compiled, encrypted passwords will not work.\n",
file, linenum);
err_code |= ERR_ALERT;