
This queue is for tickets about the Apache-DBI CPAN distribution.

Report information
The Basics
Id: 31003
Status: stalled
Priority: 0/
Queue: Apache-DBI

People
Owner: pgollucci [...] p6m7g8.com
Requestors: diafour [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.06
Fixed in: (no value)



I used "Auth_DBI_nopasswd on" and empty password in DB. But in 1.06 I got this in Apache logs: "[Tue Nov 27 14:14:50 2007] [error] access to / failed for xxx.xxx.xxx.xxx, reason: 30095 Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".

The reason was line number 396 in Apache/AuthDBI.pm:
-unless($passwd) {
+unless(defined $passwd) {

This clause is like it was in version 0.93:
314 if (!defined($passwd)) { # not found in database

I use:
Perl v5.8.8 built for i686-linux
Apache::AuthDBI 1.06
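Review bot: In `+unless(defined $passwd) {` the check stops rejecting an empty string, but nothing in these two lines ties that to Auth_DBI_nopasswd, so as written a blank stored password gets past this test whether or not the directive is on. If blank passwords are only meant to pass with the directive enabled, state that in the condition itself: reject when the value is undefined, or when it is empty and nopasswd is off. The removed `unless($passwd)` also rejects the string "0" along with the empty string, so a comment on the new line naming which states are rejected would make the intent clear.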
From: pgollucci [...] p6m7g8.com
On Tue Nov 27 09:09:31 2007, http://diafour.livejournal.com/ wrote:
> I used "Auth_DBI_nopasswd on" and empty password in DB. But in 1.06 I
> got this in Apache logs: "[Tue Nov 27 14:14:50 2007] [error] access
> to / failed for xxx.xxx.xxx.xxx, reason: 30095
> Apache::AuthDBI::authen user USERNAME: empty password(s) rejected".
>
> The reason was line number 396 in Apache/AuthDBI.pm:
> -unless($passwd) {
> +unless(defined $passwd) {
>
> This clause is like it was in version 0.93:
> 314 if (!defined($passwd)) { # not found in database
>
> I use:
> Perl v5.8.8 built for i686-linux
> Apache::AuthDBI 1.06

There are other changes for why this is necessary. I can not revert this. Why do you really want a blank password anyway?

> There are other changes for why this is necessary. I can not revert
> this. Why do you really want a blank password anyway?

I use this approach in a trusted system. The username is entered with a barcode scanner that acts like a keyboard - it sends "barcode_string<Enter>" to a browser. We are not using a custom script to authenticate because Apache::AuthDBI was used as the authentication system before the "blank passwords" era =)

Description from man Apache::AuthDBI:
"If the nopasswd directive is set to 'on', any password is accepted."

Here is a block that separates a blank password from an absent user:

AuthDBI.pm 1.06
381: # so we can distinguish later on between no password and empty password
undef $passwd if 0 == $cnt;

I suppose !defined($passwd) means an absent user (or no password) and $passwd eq '' means a blank password. But the "unless($passwd){" block does not distinguish blank passwords from an absent user, and "Auth_DBI_nopasswd" becomes useless.

Maybe AuthDBI should provide a magic password string ("<EMPTY>" or similar) to guarantee the distinction between no password and a blank password?

Subject: Re: [rt.cpan.org #31003]
Date: Sat, 10 May 2008 16:56:35 -0400
To: bug-Apache-DBI [...] rt.cpan.org
From: "Philip M. Gollucci" <pgollucci [...] p6m7g8.com>
http://diafour.livejournal.com/ via RT wrote:
>> There are other changes for why this is necessary. I can not revert
>> this. Why do you really want a blank password anyway?

I'll think about this over the weekend. I don't like breaking back compat either. I'll have to refactor a good bit of code to do this b/c the caching checks for definedness to see if it's in the cache.

Let's get 1.07 out the door, see modperl@perl.apache.org, then we'll come back for this.

On Sat May 10 16:57:12 2008, PGOLLUCCI wrote:
> http://diafour.livejournal.com/ via RT wrote:
> >> There are other changes for why this is necessary. I can not revert
> >> this. Why do you really want a blank password anyway?
> I'll think about this over the weekend. I don't like breaking back
> compat either. I'll have to refactor a good bit of code to do this b/c
> the caching checks for definedness to see if it's in the cache.
>
> Let's get 1.07 out the door, see modperl@perl.apache.org, then we'll come
> back for this.

OK! I don't even think about caching of blank passwords... It is really tricky!
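
The three stored-password states discussed in this ticket (no row for the user, blank password, real password), as an added example that is not Apache::AuthDBI code: it compares the boolean test and the definedness test from the quoted lines with an explicit three-state decision. The sub names, the $nopasswd flag (standing in for "Auth_DBI_nopasswd on") and the sample values are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Added example, not Apache::AuthDBI code; sub names are hypothetical.
# $stored is what the lookup produced: undef = no row for the user,
# '' = row with a blank password, anything else = a real password.

# Boolean test, as in the 1.06 line quoted in the ticket.
sub rejects_by_truth   { my ($stored) = @_; return !$stored }

# Definedness test, as in the proposed change.
sub rejects_by_defined { my ($stored) = @_; return !defined $stored }

# Explicit three-state decision: a blank password passes only when the
# operator has opted in (assumption: $nopasswd models the directive).
sub decide {
    my ($stored, $nopasswd) = @_;
    return 'reject: unknown user'     unless defined $stored;
    return 'continue: check password' if length $stored;
    return $nopasswd ? 'accept: blank password allowed'
                     : 'reject: blank password';
}

# Constructed sample values covering each state, including the string "0",
# which is defined and non-empty but false in boolean context.
my @cases = (
    [ 'no row'     => undef    ],
    [ 'blank'      => ''       ],
    [ 'string "0"' => '0'      ],
    [ 'normal'     => 's3cret' ],
);

for my $case (@cases) {
    my ($label, $stored) = @$case;
    printf "%-12s truth-test:%-7s defined-test:%-7s\n", $label,
        rejects_by_truth($stored)   ? 'reject' : 'pass',
        rejects_by_defined($stored) ? 'reject' : 'pass';
    for my $nopasswd (0, 1) {
        printf "    nopasswd=%d -> %s\n", $nopasswd, decide($stored, $nopasswd);
    }
}
```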