This queue is for tickets about the Apache-Htpasswd CPAN distribution.

Report information
The Basics
Id: 14973
Status: resolved
Priority: 0/
Queue: Apache-Htpasswd

People
Owner: Nobody in particular
Requestors: chris+rt [...] chrisdolan.net
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.6.0
Fixed in: (no value)



Subject: calling htpasswd() with an old password that is a single digit is misinterpreted
If I have a .htpasswd file where my password is a single digit, then I cannot tell htpasswd() to validate that password. Consequently, setting my password to a single digit is an invitation to change my password without validation. This is because the old-password argument is conflated with the validation check boolean, which is a design error, IMO.

Fortunately, passwords of a single digit are not recommended anyway, so anyone who gets bitten by this misfeature was asking for trouble anyway.

-- Chris

If having a single digit password poses a problem with the use of the module, then the module not accepting it is the least of the problems :-) I don't think that it's an error in design when a side-effect is not allowing someone to do something pretty stupid. I'm not sure I'm willing to spend time resolving that, but patches are welcome.

Cheers, Kevin

[guest - Fri Oct 7 13:52:58 2005]:
> If I have a .htpasswd file where my password is a single digit, then I
> cannot tell htpasswd() to validate that password. Consequently,
> setting my password to a single digit is an invitation to change my
> password without validation. This is because the old-password
> argument is conflated with the validation check boolean, which is a
> design error, IMO.
>
> Fortunately, passwords of a single digit are not recommended anyway,
> so anyone who gets bitten by this misfeature was asking for trouble
> anyway.
>
> -- Chris

From: cdolan [...] cpan.org
[KMELTZ - Fri Oct 7 17:10:21 2005]:
> If having a single digit password poses a problem with the use of the
> module, then the module not accepting it is the least of the problems
> :-) I don't think that it's an error in design when a side-effect is not
> allowing someone to do something pretty stupid. I'm not sure I'm willing
> to spend time resolving that, but patches are welcome.

OK, fair enough. Perhaps a note in the POD simply noting that not-so-obvious side effect of the API would solve the problem adequately.

Thanks, Chris

[guest - Fri Oct 7 17:22:41 2005]:
> [KMELTZ - Fri Oct 7 17:10:21 2005]:
>
> > If having a single digit password poses a problem with the use of the
> > module, then the module not accepting it is the least of the problems
> > :-) I don't think that it's an error in design when a side-effect is not
> > allowing someone to do something pretty stupid. I'm not sure I'm willing
> > to spend time resolving that, but patches are welcome.
>
> OK, fair enough. Perhaps a note in the POD simply noting that
> not-so-obvious side effect of the API would solve the problem
> adequately.
>
> Thanks, Chris

The latest version fixes how to call htpasswd to do this.

Cheers, Kevin
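
The conflation described in this ticket, sketched as an added example that is not part of the ticket and is not Apache::Htpasswd's own code. The function names, the single-digit test, the `old` and `overwrite` option keys and the in-memory store are all assumptions made for illustration; the first function models one positional argument doing double duty, the second separates the old password from the skip-validation flag.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory store standing in for a .htpasswd file
# (hypothetical; unsalted SHA-256 only keeps the demo short).
my %store = (chris => sha256_hex('7'));

# Ambiguous form (assumed model of the reported behaviour): the third
# argument is either the old password or a "skip validation" flag.
sub change_ambiguous {
    my ($user, $new, $third) = @_;
    # A single digit is read as the flag, so it is never checked as a password.
    my $force = defined $third && $third =~ /^\d$/;
    unless ($force) {
        return 0 unless defined $third
            && sha256_hex($third) eq $store{$user};
    }
    $store{$user} = sha256_hex($new);
    return 1;
}

# Explicit form (hypothetical option names): the old password and the
# force flag travel in separate named fields and cannot be confused.
sub change_explicit {
    my ($user, $new, $opt) = @_;
    $opt ||= {};
    unless ($opt->{overwrite}) {
        return 0 unless defined $opt->{old}
            && sha256_hex($opt->{old}) eq $store{$user};
    }
    $store{$user} = sha256_hex($new);
    return 1;
}

# Each case starts from the same constructed state: chris's password is '7'.
my @cases = (
    [ 'ambiguous, wrong old password 3', sub { change_ambiguous('chris', 'n3w-Secret', '3') } ],
    [ 'explicit, wrong old password 3',  sub { change_explicit('chris', 'n3w-Secret', { old => '3' }) } ],
    [ 'explicit, correct old password',  sub { change_explicit('chris', 'n3w-Secret', { old => '7' }) } ],
    [ 'explicit, overwrite requested',   sub { change_explicit('chris', 'n3w-Secret', { overwrite => 1 }) } ],
);
for my $case (@cases) {
    $store{chris} = sha256_hex('7');
    printf "%-34s %s\n", $case->[0], $case->[1]->() ? 'changed' : 'rejected';
}
```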