This queue is for tickets about the Apache-Htpasswd CPAN distribution.

Report information

The Basics
Id: 5483
Status: resolved
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: info [...] keli.dk
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 1.5.5
Fixed in: (no value)

Subject: Htpasswd always calls crypt with the same salt
After creating a few entries with Apache::Htpasswd I noticed that all the entries had the same salt. The error looks to be on line 382 in function CryptPasswd, where it tries to generate a salt for the crypt function:

    ($salt = substr ($0, 0, 2)) =~ tr/:/C/;

As far as I understand, this takes the first two letters of the path of the script running (replacing any :s with Cs). As the script location is fairly constant, this will result in a very constant salt.

As the functions for manipulating the password file don't allow supplying a custom salt for the hashing function, I consider this a major error.

Following is an example of how to create a random salt for the crypt function:

    my @alphabet = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    my $salt = join '', @alphabet[rand 64, rand 64];
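
An added example, not part of the original ticket and not Apache::Htpasswd's own code: a Perl check that groups the traditional crypt() entries of an htpasswd-format file by their two-character salt, to spot files written with the constant salt described in the report. The function names, user names and hash strings are constructed for illustration; the "/u" salt assumes a script whose path starts with "/usr".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Group traditional crypt(3) DES entries by salt.
# A DES crypt hash is 13 characters from [./0-9A-Za-z]; the first two are the salt.
sub salts_in_use {
    my ($text) = @_;
    my %users_by_salt;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(?:#|$)/;              # skip comments and blank lines
        my ($user, $hash) = split /:/, $line, 3;
        next unless defined $hash;
        # Other schemes ($apr1$, {SHA}, ...) carry their own salt format; skip them.
        next unless $hash =~ m{\A([./0-9A-Za-z]{2})[./0-9A-Za-z]{11}\z};
        push @{ $users_by_salt{$1} }, { user => $user, hash => $hash };
    }
    return \%users_by_salt;
}

# Keep only the salts that more than one entry shares.
sub shared_salts {
    my ($text) = @_;
    my $by_salt = salts_in_use($text);
    return { map  { $_ => $by_salt->{$_} }
             grep { @{ $by_salt->{$_} } > 1 } keys %$by_salt };
}

# Constructed sample file contents (hash strings are made up, not real crypt output).
my $sample = <<'EOF';
alice:/uQ1kzT9sWb3E
bob:/uX8mN2pLr5Yc
carol:/uQ1kzT9sWb3E
dave:k3Hj7Rt0ZpQ1a
erin:$apr1$constructed$notarealhashvalue000000
EOF

my $shared = shared_salts($sample);
for my $salt (sort keys %$shared) {
    my @entries = @{ $shared->{$salt} };
    printf "salt '%s' shared by %d entries: %s\n",
        $salt, scalar @entries, join(', ', map { $_->{user} } @entries);
    # With a shared salt, equal passwords produce equal hashes.
    my %by_hash;
    push @{ $by_hash{ $_->{hash} } }, $_->{user} for @entries;
    for my $users (grep { @$_ > 1 } values %by_hash) {
        print "  identical hash (same password): ", join(', ', sort @$users), "\n";
    }
}
```

Entries flagged this way need their passwords reset after the salt generation is fixed, since re-salting requires the plaintext.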

