proxy.cgi: Switch to MD5 hashed passwords for local user auth.

Message ID 20200207110640.5264-1-stefan.schantl@ipfire.org
State Accepted
Commit 77ea7462bcc134b6147dd985abdd4e2311487515
Headers
Series proxy.cgi: Switch to MD5 hashed passwords for local user auth. |

Commit Message

Stefan Schantl Feb. 7, 2020, 11:06 a.m. UTC
  The former used default Crypt algorithmus only supports passwords up to
eight signs wheater MD5 does not have any limitation here.

Fixes 12290.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 html/cgi-bin/proxy.cgi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
  

Comments

Michael Tremer Feb. 7, 2020, 11:33 a.m. UTC | #1
Ah yes, it is great to finally deploy MD5 in 2020.

Luckily this doesn’t matter because the passwords are being sent in plain text over an unencrypted channel.

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 7 Feb 2020, at 11:06, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> The former used default Crypt algorithmus only supports passwords up to
> eight signs wheater MD5 does not have any limitation here.
> 
> Fixes 12290.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> html/cgi-bin/proxy.cgi | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index b63964081..06aca579b 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3945,7 +3945,13 @@ sub adduser
> 	} else {
> 		&deluser($str_user);
> 
> -		my $htpasswd = new Apache::Htpasswd("$userdb");
> +		my %htpasswd_options = (
> +			passwdFile => "$userdb",
> +			UseMD5 => 1,
> +		);
> +
> +		my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
> +
> 		$htpasswd->htpasswd($str_user, $str_pass);
> 	}
> 
> -- 
> 2.25.0
>
  

Patch

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index b63964081..06aca579b 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3945,7 +3945,13 @@  sub adduser
 	} else {
 		&deluser($str_user);
 
-		my $htpasswd = new Apache::Htpasswd("$userdb");
+		my %htpasswd_options = (
+			passwdFile => "$userdb",
+			UseMD5 => 1,
+		);
+
+		my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
 		$htpasswd->htpasswd($str_user, $str_pass);
 	}