
This queue is for tickets about the Apache-DBI CPAN distribution.

Report information
The Basics
Id: 31003
Status: stalled
Priority: 0/
Queue: Apache-DBI

People
Owner: pgollucci [...] p6m7g8.com
Requestors: diafour [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.06
Fixed in: (no value)



I used "Auth_DBI_nopasswd on" and empty password in DB. But in 1.06 I got this in Apache logs:
"[Tue Nov 27 14:14:50 2007] [error] access to / failed for xxx.xxx.xxx.xxx, reason: 30095 Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".

The reason was line number 396 in Apache/AuthDBI.pm:
-unless($passwd) {
+unless(defined $passwd) {

This clause like it was in version 0.93 :
314 if (!defined($passwd)) { # not found in database

I use:
Perl v5.8.8 built for i686-linux
Apache::AuthDBI 1.06
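
Review bot: At line 396, `defined $passwd` lets every defined value through, which includes the empty string and also the string "0" that `unless($passwd)` was rejecting, and nothing in these two lines ties acceptance of an empty stored password to Auth_DBI_nopasswd being on. Suggest keeping the definedness test for the not-found case and adding a separate branch for `$passwd eq ''` that rejects unless the directive is set, with a comment saying which state each branch handles.
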
From: pgollucci [...] p6m7g8.com
On Tue Nov 27 09:09:31 2007, http://diafour.livejournal.com/ wrote:
> I used "Auth_DBI_nopasswd on" and empty password in DB. But in 1.06 I
> got this in Apache logs: "[Tue Nov 27 14:14:50 2007] [error] access
> to / failed for xxx.xxx.xxx.xxx, reason: 30095
> Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".
>
> The reason was line number 396 in Apache/AuthDBI.pm:
> -unless($passwd) {
> +unless(defined $passwd) {
>
> This clause like it was in version 0.93 :
> 314 if (!defined($passwd)) { # not found in database
>
> I use:
> Perl v5.8.8 built for i686-linux
> Apache::AuthDBI 1.06

There are other changes for why this is necessary. I can not revert this. Why do you really want a blank password anyway?

>
> There are other changes for why this is necessary. I can not revert
> this. Why do you really want a blank password anyway?
>

I use this approach in a trusted system. The username is entered with a barcode scanner that acts like a keyboard - it sends "barcode_string<Enter>" to a browser. We are not using a custom script to authenticate because Apache::AuthDBI was used as the authentication system before the "blank passwords" era =)

Description from man Apache::AuthDBI:
"If the nopasswd directive is set to 'on', any password is accepted."

Here is a block that separates blank password and absent user:

AuthDBI.pm 1.06
381: # so we can distinguish later on between no password and empty password
     undef $passwd if 0 == $cnt;

I suppose !defined($passwd) - absent user (or no password) and $passwd eq '' - blank password. But the "unless($passwd){" block does not distinguish blank passwords and absent user, and "Auth_DBI_nopasswd" becomes useless.

Maybe AuthDBI should provide a magic password string ("<EMPTY>" or similar) to guarantee a distinction between no password and blank password?

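The distinction described in this message, as an added example that is not part of the ticket or of Apache::AuthDBI's code: a small Perl model of the three lookup states (user not found, blank stored password, non-empty stored password) comparing the "unless($passwd)" test with the "defined" test. The helper names, the $nopasswd flag standing in for "Auth_DBI_nopasswd on", and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added illustration; not code from Apache::AuthDBI.
# Convention taken from the ticket: undef = user not found,
# '' = user found with a blank stored password.

# Hypothetical helper: truthiness test, as in "unless($passwd)".
sub rejects_by_truthiness {
    my ($passwd) = @_;
    return $passwd ? 0 : 1;
}

# Hypothetical helper: definedness test, as in "unless(defined $passwd)".
sub rejects_by_definedness {
    my ($passwd) = @_;
    return defined $passwd ? 0 : 1;
}

# Hypothetical three-state decision that keeps blank passwords behind
# an explicit opt-in ($nopasswd stands in for "Auth_DBI_nopasswd on").
sub decide {
    my ($passwd, $nopasswd) = @_;
    return 'reject: user not found'      unless defined $passwd;
    return 'continue: compare passwords' if length $passwd;
    return $nopasswd ? 'accept: blank password, nopasswd on'
                     : 'reject: blank password, nopasswd off';
}

# Constructed sample lookup results (not taken from a real database).
my @cases = (
    [ 'absent user',     undef    ],
    [ 'blank password',  ''       ],
    [ 'password is "0"', '0'      ],
    [ 'normal password', 's3cret' ],
);

for my $case (@cases) {
    my ($label, $passwd) = @$case;
    printf "%-16s truthy-test=%s defined-test=%s on=[%s] off=[%s]\n",
        $label,
        rejects_by_truthiness($passwd)  ? 'reject' : 'pass',
        rejects_by_definedness($passwd) ? 'reject' : 'pass',
        decide($passwd, 1),
        decide($passwd, 0);
}
```

The "0" row shows a side effect of the truthiness test that the ticket does not mention: a stored password consisting of the single character 0 is rejected as if it were empty.
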
Subject: Re: [rt.cpan.org #31003]
Date: Sat, 10 May 2008 16:56:35 -0400
To: bug-Apache-DBI [...] rt.cpan.org
From: "Philip M. Gollucci" <pgollucci [...] p6m7g8.com>
http://diafour.livejournal.com/ via RT wrote:
>> There are other changes for why this is necessary. I can not revert
>> this. Why do you really want a blank password anyway?

I'll think about this over the weekend. I don't like breaking back compat either. I'll have to refactor a good bit of code to do this b/c the caching checks for definedness to see if it's in the cache.

Let's get 1.07 out the door, see modperl@perl.apache.org, then we'll come back for this.

On Sat May 10 16:57:12 2008, PGOLLUCCI wrote:
> http://diafour.livejournal.com/ via RT wrote:
> >> There are other changes for why this is necessary. I can not revert
> >> this. Why do you really want a blank password anyway?
> I'll think about this over the weekend. I don't like breaking back
> compat either. I'll have to refactor a good bit of code to do this b/c
> the caching checks for definedness to see if it's in the cache.
>
> Let's get 1.07 out the door, see modperl@perl.apache.org, then we'll come
> back for this.
>

OK! I don't even think about caching of blank passwords... It is really tricky!

