This queue is for tickets about the Apache-Htpasswd CPAN distribution.

Report information
The Basics
Id: 14973
Status: resolved
Priority: 0/
Queue: Apache-Htpasswd

People
Owner: Nobody in particular
Requestors: chris+rt [...] chrisdolan.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.6.0
Fixed in: (no value)



Subject: calling htpasswd() with an old password that is a single digit is misinterpreted
If I have a .htpasswd file where my password is a single digit, then I cannot tell htpasswd() to validate that password. Consequently, setting my password to a single digit is an invitation to change my password without validation. This is because the old-password argument is conflated with the validation check boolean, which is a design error, IMO.

Fortunately, passwords of a single digit are not recommended anyway, so anyone who gets bitten by this misfeature was asking for trouble anyway.

-- Chris
If having a single digit password poses a problem with the use of the module, then the module not accepting it is the least of the problems :-) I don't think that it's an error in design when a side-effect is not allowing someone to do something pretty stupid. I'm not sure I'm willing to spend time resolving that, but patches are welcome.

Cheers,
Kevin

[guest - Fri Oct 7 13:52:58 2005]:
> If I have a .htpasswd file where my password is a single digit, then I
> cannot tell htpasswd() to validate that password. Consequently,
> setting my password to a single digit is an invitation to change my
> password without validation. This is because the old-password
> argument in conflated with the validation check boolean, which is a
> design error, IMO.
>
> Fortunately, passwords of a single digit are not recommended anyway,
> so anyone who gets bitten by this misfeature was asking for trouble
> anyway.
>
> -- Chris
From: cdolan [...] cpan.org
[KMELTZ - Fri Oct 7 17:10:21 2005]:
> If having a single digit password poses a problem with the use of the
> module, then the module not accepting it is the least of the problems
> :-) I don't think that it's an error in design when a side-effect is not
> allowing someone to do something pretty stupid. I'm not sure I'm willing
> to spend time resolving that, but patches are welcome.

OK, fair enough. Perhaps a note in the POD simply noting that not-so-obvious side effect of the API would solve the problem adequately.

Thanks,
Chris
[guest - Fri Oct 7 17:22:41 2005]:
> [KMELTZ - Fri Oct 7 17:10:21 2005]:
>
> > If having a single digit password poses a problem with the use of the
> > module, then the module not accepting it is the least of the problems
> > :-) I don't think that it's an error in design when a side-effect is not
> > allowing someone to do something pretty stupid. I'm not sure I'm willing
> > to spend time resolving that, but patches are welcome.
>
> OK, fair enough. Perhaps a note in the POD simply noting that
> not-so-obvious side effect of the API would solve the problem
> adequately.
>
> Thanks, Chris

The latest version fixes how to call htpasswd to do this.

Cheers,
Kevin
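
The conflation discussed in this ticket, as an added example that is not the module's own code: a model of a password-change call whose third argument doubles as a "skip validation" flag, next to a form that passes the two in separate named options. The function names, the in-memory store, the single-digit flag test (taken from the ticket title) and the `old`/`overwrite` option names are all assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory stand-in for a .htpasswd file; sha256_hex stands in
# for the file's real password hashing and is not what the module uses.
my %store = (alice => sha256_hex('7'));

# Hypothetical model of the conflated call: the third argument is either the
# old password or a "skip the old-password check" flag. The single-digit
# test is an assumption based on the ticket title.
sub set_password_conflated {
    my ($user, $new, $old_or_flag) = @_;
    my $skip_check = defined $old_or_flag && $old_or_flag =~ /\A\d\z/;
    unless ($skip_check) {
        return 0 unless defined $old_or_flag
            && $store{$user} eq sha256_hex($old_or_flag);
    }
    $store{$user} = sha256_hex($new);
    return 1;
}

# Separated form: the old password and the overwrite flag travel in
# different named options, so no password value can be read as the flag.
sub set_password_separated {
    my ($user, $new, $opts) = @_;
    unless ($opts->{overwrite}) {
        return 0 unless defined $opts->{old}
            && $store{$user} eq sha256_hex($opts->{old});
    }
    $store{$user} = sha256_hex($new);
    return 1;
}

# alice's stored password is "7"; the caller supplies the wrong value "3".
print "conflated, wrong old '3': ",
    set_password_conflated('alice', 'n3w-Pass', '3') ? "changed" : "refused", "\n";

$store{alice} = sha256_hex('7');    # reset the constructed entry
print "separated, wrong old '3': ",
    set_password_separated('alice', 'n3w-Pass', { old => '3' }) ? "changed" : "refused", "\n";
print "separated, right old '7': ",
    set_password_separated('alice', 'n3w-Pass', { old => '7' }) ? "changed" : "refused", "\n";
```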

