Report information
Id: 31003
Status: stalled
Left: 0 min
Priority: 0/0
Queue: Apache-DBI

Owner: PGOLLUCCI <pgollucci [...] p6m7g8.com>
Requestors: diafour [...] gmail.com
Cc:
AdminCc:

Severity: Normal
Broken in: 1.06
Fixed in: (no value)



History
#   Tue Nov 27 09:09:31 2007 http://diafour.livejournal.com/ - Ticket created  
I used "Auth_DBI_nopasswd on" and an empty password in the DB. But in 1.06 I got this in the Apache logs: "[Tue Nov 27 14:14:50 2007] [error] access to / failed for xxx.xxx.xxx.xxx, reason: 30095 Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".

The reason was line number 396 in Apache/AuthDBI.pm:
-unless($passwd) {
+unless(defined $passwd) {
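Review bot: the `defined $passwd` test on the `+` line stops rejecting empty-string passwords in every configuration, not only when Auth_DBI_nopasswd is on. The `-` line's `unless($passwd)` also caught '' and '0'; consider keeping the rejection of empty values at this check and skipping it only when the nopasswd directive is enabled, so that a blank password column is still refused on sites that never asked for blank passwords.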

This clause is like it was in version 0.93:
314 if (!defined($passwd)) { # not found in database

I use:
Perl v5.8.8 built for i686-linux
Apache::AuthDBI 1.06
#   Fri May 09 18:39:45 2008 PGOLLUCCI - Correspondence added  
From: pgollucci[...]p6m7g8.com
On Tue Nov 27 09:09:31 2007, http://diafour.livejournal.com/ wrote:
> I used "Auth_DBI_nopasswd on" and empty password in DB. But in 1.06 I
> got this in Apache logs: "[Tue Nov 27 14:14:50 2007] [error] access
> to / failed for xxx.xxx.xxx.xxx, reason: 30095
> Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".
>
> The reason was line number 396 in Apache/AuthDBI.pm:
> -unless($passwd) {
> +unless(defined $passwd) {
>
> This clause is like it was in version 0.93:
> 314 if (!defined($passwd)) { # not found in database
>
> I use:
> Perl v5.8.8 built for i686-linux
> Apache::AuthDBI 1.06

There are other changes for why this is necessary. I cannot revert
this. Why do you really want a blank password anyway?




#   Fri May 09 18:39:48 2008 RT_System - Status changed from 'new' to 'open'  
#   Sat May 10 12:55:20 2008 http://diafour.livejournal.com/ - Correspondence added  
>
> There are other changes for why this is necessary. I cannot revert
> this. Why do you really want a blank password anyway?
>
I use this approach in a trusted system. The username is entered with a
barcode scanner that acts like a keyboard - it sends
"barcode_string<Enter>" to a browser. We are not using a custom script to
authenticate because Apache::AuthDBI was used as the authentication system
before the "blank passwords" era =)


Description from man Apache::AuthDBI:
"If the nopasswd directive is set to 'on', any password is accepted."

Here is a block that separates a blank password from an absent user:
AuthDBI.pm 1.06
381:
# so we can distinguish later on between no password and empty password
undef $passwd if 0 == $cnt;
I suppose !defined($passwd) means an absent user (or no password) and $passwd
eq '' means a blank password.
But the "unless($passwd){" block does not distinguish blank passwords from an
absent user, and "Auth_DBI_nopasswd" becomes useless.
Maybe AuthDBI should provide a magic password string ("<EMPTY>" or
similar) to guarantee a distinction between no password and a blank password?
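
The difference between the two checks discussed in this ticket, as an added Perl example that is not part of the ticket or of Apache::AuthDBI's code. The lookup values, the function names and the gated variant are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed lookup results: what a password query might hand back.
# undef models "no row for this user"; '' models a row with a blank password.
my %lookup = (
    absent_user => undef,
    blank_pw    => '',
    zero_pw     => '0',
    normal_pw   => 'aX9crypt',
);

# Truthiness test, as on the '-' line of the ticket: rejects undef, '' and '0'.
sub rejected_by_truthiness { my ($passwd) = @_; return !$passwd ? 1 : 0 }

# Definedness test, as on the '+' line: rejects only undef.
sub rejected_by_definedness { my ($passwd) = @_; return !defined($passwd) ? 1 : 0 }

# Hypothetical gated check (not the module's code): an absent user is always
# rejected, a blank password is rejected unless the nopasswd option is on.
sub rejected_gated {
    my ($passwd, $nopasswd) = @_;
    return 1 unless defined $passwd;            # absent user
    return 1 if $passwd eq '' && !$nopasswd;    # blank password, option off
    return 0;
}

# One row per constructed case; 1 means the check rejects the request.
printf "%-12s %-6s %-8s %-10s %-9s\n",
    'case', 'truthy', 'defined', 'gated(off)', 'gated(on)';
for my $case (sort keys %lookup) {
    my $pw = $lookup{$case};
    printf "%-12s %-6d %-8d %-10d %-9d\n", $case,
        rejected_by_truthiness($pw),
        rejected_by_definedness($pw),
        rejected_gated($pw, 0),
        rejected_gated($pw, 1);
}
```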
#   Sat May 10 16:57:12 2008 PGOLLUCCI - Correspondence added  
Subject: Re: [rt.cpan.org #31003]
Date: Sat, 10 May 2008 16:56:35 -0400
To: bug-Apache-DBI[...]rt.cpan.org
From: "Philip M. Gollucci" <pgollucci[...]p6m7g8.com>
http://diafour.livejournal.com/ via RT wrote:
>> There are other changes for why this is necessary. I cannot revert
>> this. Why do you really want a blank password anyway?
I'll think about this over the weekend. I don't like breaking back
compat either. I'll have to refactor a good bit of code to do this b/c
the caching checks for definedness to see if it's in the cache.

Let's get 1.07 out the door, see modperl[...]perl.apache.org, then we'll come
back for this.


#   Sun May 11 12:53:11 2008 http://diafour.livejournal.com/ - Correspondence added  
On Sat May 10 16:57:12 2008, PGOLLUCCI wrote:
> http://diafour.livejournal.com/ via RT wrote:
> >> There are other changes for why this is necessary. I cannot revert
> >> this. Why do you really want a blank password anyway?
> I'll think about this over the weekend. I don't like breaking back
> compat either. I'll have to refactor a good bit of code to do this b/c
> the caching checks for definedness to see if it's in the cache.
>
> Let's get 1.07 out the door, see modperl[...]perl.apache.org, then we'll come
> back for this.
>

OK!

I don't even think about caching of blank passwords... It is really tricky!
#   Thu May 15 23:43:20 2008 PGOLLUCCI - Taken  
#   Thu May 15 23:48:12 2008 PGOLLUCCI - Subject changed from (no value) to 'back compat breakage: $passwd definedness checks'  
#   Thu May 15 23:48:13 2008 PGOLLUCCI - Status changed from 'open' to 'stalled'