proxy.cgi: Switch to MD5 hashed passwords for local user auth.
Commit Message
The formerly used default Crypt algorithm only supports passwords up to
eight characters, whereas MD5 does not have any limitation here.
Fixes 12290.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
html/cgi-bin/proxy.cgi | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Comments
Ah yes, it is great to finally deploy MD5 in 2020.
Luckily this doesn’t matter because the passwords are being sent in plain text over an unencrypted channel.
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 7 Feb 2020, at 11:06, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> The formerly used default Crypt algorithm only supports passwords up to
> eight characters, whereas MD5 does not have any limitation here.
>
> Fixes 12290.
>
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> html/cgi-bin/proxy.cgi | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index b63964081..06aca579b 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3945,7 +3945,13 @@ sub adduser
> } else {
> &deluser($str_user);
>
> - my $htpasswd = new Apache::Htpasswd("$userdb");
> + my %htpasswd_options = (
> + passwdFile => "$userdb",
> + UseMD5 => 1,
> + );
> +
> + my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
> +
> $htpasswd->htpasswd($str_user, $str_pass);
> }
>
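Review bot: the `UseMD5 => 1` option only takes effect for entries written through this `adduser` path, so accounts already stored in `$userdb` keep their old crypt hashes, and with them the eight-character limit the commit message describes, until each user is saved again. Since the stored hashes cannot be converted without the plaintext password, the commit message should say so, or the change should come with a step that flags existing users for a password reset.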
> --
> 2.25.0
>
@@ -3945,7 +3945,13 @@ sub adduser
} else {
&deluser($str_user);
- my $htpasswd = new Apache::Htpasswd("$userdb");
+ my %htpasswd_options = (
+ passwdFile => "$userdb",
+ UseMD5 => 1,
+ );
+
+ my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
$htpasswd->htpasswd($str_user, $str_pass);
}
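Review bot: the new `%htpasswd_options` block carries no comment explaining why `UseMD5` is set; one line noting the eight-character limit of the previous default would stop a later cleanup from reverting it. While this line is being touched, `Apache::Htpasswd->new(\%htpasswd_options)` would avoid the indirect object syntax, and `passwdFile => $userdb` does not need the surrounding quotes.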