This queue is for tickets about the Mojolicious-Plugin-BasicAuthPlus CPAN distribution.

Report information
The Basics
Id: 128133
Status: patched
Priority: 0/
Queue: Mojolicious-Plugin-BasicAuthPlus

People
Owner: blr [...] cpan.org
Requestors: jps [...] signal42.de
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Authentication failure with password containing colon
Date: Sun, 30 Dec 2018 09:14:50 +0100
To: bug-Mojolicious-Plugin-BasicAuthPlus [...] rt.cpan.org
From: Jan Paul Schmidt <jps [...] signal42.de>
When authenticating against AD using LDAP, passwords containing a colon fail. It looks like not all cases are considered. The following patch seems to fix this. $diff -u BasicAuthPlus.pm.orig BasicAuthPlus.pm --- BasicAuthPlus.pm.orig 2018-06-16 02:36:17.000000000 +0200 +++ BasicAuthPlus.pm 2018-12-30 09:03:59.003376597 +0100 @@ -42,16 +42,14 @@ # No credentials entered return {realm => $realm} if !$auth and !$callback and !$params; - # Split $auth into username and password (which may contain ":" ) - my ($auth_username, $auth_password) = ($1, $2) - if $auth =~ /^([^:]+):(.*)/; + my ($auth_username, $auth_password) = _split_auth($auth); # Hash for return data my %data; $data{username} = $auth_username if $auth_username; # Verification within callback - return (\%data, 1) if $callback and $callback->(split /:/, $auth, 2); + return (\%data, 1) if $callback and $callback->(_split_auth($auth)); # Verified with realm => username => password syntax return (\%data, 1) if $auth eq ($username || '') . ":$password"; @@ -98,7 +96,8 @@ } sub _split_auth { - my ($username, $password) = split ':', $_[0]; + # Split $auth into username and password (which may contain ":") + my ($username, $password) = split ':', $_[0], 2; $username = '' unless defined $username; $password = '' unless defined $password;
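Review bot: In the first hunk (@@ -42,16 +42,14 @@), the callback line calls _split_auth($auth) a second time instead of reusing the $auth_username and $auth_password assigned a few lines above it. Passing the pair that was already split, as in `$callback->($auth_username, $auth_password)`, would avoid the duplicate split and make it explicit that the callback verifies the same username that is stored in $data{username}. The removed regex /^([^:]+):(.*)/ left both variables undefined when the part before the colon was empty, while the context lines of the second hunk show _split_auth defaulting them to '', so the callback can now receive an empty-string username; a short comment at the call site saying so would help.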
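Review bot: The limit added in the second hunk (@@ -98,7 +96,8 @@), `split ':', $_[0], 2`, comes without a regression test. A test with a password that contains a colon and another with a password that ends in a colon (constructed credentials such as user:pa:ss and user:pass: would do) would pin the behaviour. Splitting only at the first colon matches RFC 7617, where the user-id cannot contain a colon, and with the limit Perl also keeps trailing empty fields, so both cases should now return the full password. The patch also leaves two spellings of the separator in the file, `split /:/` in the removed line of the first hunk and `split ':'` here; with every split now going through _split_auth this is only a style point, but the regex form is the more common Perl idiom.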
On Sun Dec 30 03:40:01 2018, jps@signal42.de wrote:
> When authenticating against AD using LDAP, passwords containing a > colon fail. > > It looks like not all cases are considered. > > The following patch seems to fix this. > > $diff -u BasicAuthPlus.pm.orig BasicAuthPlus.pm > --- BasicAuthPlus.pm.orig 2018-06-16 02:36:17.000000000 +0200 > +++ BasicAuthPlus.pm 2018-12-30 09:03:59.003376597 +0100 > @@ -42,16 +42,14 @@ > # No credentials entered > return {realm => $realm} if !$auth and !$callback and !$params; > > - # Split $auth into username and password (which may contain ":" ) > - my ($auth_username, $auth_password) = ($1, $2) > - if $auth =~ /^([^:]+):(.*)/; > + my ($auth_username, $auth_password) = _split_auth($auth); > > # Hash for return data > my %data; > $data{username} = $auth_username if $auth_username; > > # Verification within callback > - return (\%data, 1) if $callback and $callback->(split /:/, $auth, > 2); > + return (\%data, 1) if $callback and $callback-
> >(_split_auth($auth));
> > # Verified with realm => username => password syntax > return (\%data, 1) if $auth eq ($username || '') . ":$password"; > @@ -98,7 +96,8 @@ > } > > sub _split_auth { > - my ($username, $password) = split ':', $_[0]; > + # Split $auth into username and password (which may contain ":") > + my ($username, $password) = split ':', $_[0], 2; > > $username = '' unless defined $username; > $password = '' unless defined $password;
Thanks for the patch! I'm uploading a new release of the module to GitHub and the CPAN now.