
This queue is for tickets about the Apache-AuthCookieDBI CPAN distribution.

Report information
The Basics
Id: 3673
Status: resolved
Priority: 0/
Queue: Apache-AuthCookieDBI

People
Owner: matisse [...] spamcop.net
Requestors: william [...] knowmad.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.19
Fixed in: (no value)



Subject: Incorrect processing of authen_cred()
Hi Jacob,

I've been working with your module while learning how authentication and authorization work under mod_perl. I have discovered that the authen_cred subroutine in AuthCookieDBI is sending back 'bad' if the user or password are invalid. This prevents AuthCookie from ever setting the bad_credential flag because it thinks it is receiving a session key. Since you don't document this behavior and it breaks compatibility with AuthCookie, I am filing it as a critical bug.

Also, I use warnings when running my scripts. Several lines of the module are producing 'use of uninitialized value' errors. I have tried to correct as many of these lines as I could find in order to avoid filling my logs.

I can supply a patch for all of the above if you are interested.

Thanks,
William
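The mismatch William describes, as an added example that is not code from the ticket, from Apache::AuthCookieDBI or from Apache::AuthCookie: a stand-alone Perl script with a simplified model (an assumption, not the real module) of the login path that takes whatever authen_cred() returns as a session key unless it is false. The user table, the "ses-<user>" key format and the login() routine are constructed for illustration. It shows that the 1.19 behaviour hands a truthy 'bad' string to the login handler, which then issues it as a cookie and never sets bad_credential, while a bare return (undef in scalar context) takes the failure path.

```perl
#!/usr/bin/perl
# Added example, not code from Apache::AuthCookieDBI or Apache::AuthCookie.
use strict;
use warnings;

# Constructed user table: username => crypt()ed password (DES, 2-char salt).
my %USERS = (
    alice => crypt( 's3cret', 'ab' ),
);

# Shape of the 1.19 authen_cred: a truthy 'bad' sentinel on every failure.
sub authen_cred_119 {
    my ( $user, $password ) = @_;
    return 'bad' unless defined $user     && length $user;
    return 'bad' unless defined $password && length $password;
    my $stored = $USERS{$user};
    return 'bad' unless defined $stored;
    return 'bad' unless crypt( $password, $stored ) eq $stored;
    return "ses-$user";    # hypothetical session-key format
}

# Shape after the patch: bare return, i.e. undef in scalar context.
sub authen_cred_fixed {
    my ( $user, $password ) = @_;
    return unless defined $user     && length $user;
    return unless defined $password && length $password;
    my $stored = $USERS{$user};
    return unless defined $stored;
    return unless crypt( $password, $stored ) eq $stored;
    return "ses-$user";
}

# Assumed, simplified model of the login handler: a true return value is
# treated as a session key and issued as the cookie; anything false flags
# bad_credential so the login form can report the failure.
sub login {
    my ( $authen_cred, $user, $password ) = @_;
    my $ses_key = $authen_cred->( $user, $password );    # scalar context
    if ($ses_key) {
        return { cookie => $ses_key, bad_credential => 0 };
    }
    return { cookie => undef, bad_credential => 1 };
}

for my $variant ( [ '1.19' => \&authen_cred_119 ], [ 'patched' => \&authen_cred_fixed ] ) {
    my ( $name, $cred ) = @$variant;
    for my $attempt ( [ 'alice', 's3cret' ], [ 'alice', 'wrong' ], [ undef, undef ] ) {
        my $r = login( $cred, @$attempt );
        printf "%-8s user=%-7s cookie=%-10s bad_credential=%d\n",
            $name, $attempt->[0] // '(none)', $r->{cookie} // '(none)', $r->{bad_credential};
    }
}
```

Run it with plain `perl`; the 1.19 rows show `cookie=bad bad_credential=0` for the wrong password and the missing credentials, which is exactly the case where the real login handler would set a cookie holding the literal string 'bad' and never flag the failure. The patched rows show `cookie=(none) bad_credential=1`. The `defined ... && length` test in both variants is also the form that keeps a literal "0" username or password valid, which a truthiness test would not.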
Date: Fri, 29 Aug 2003 16:11:53 -0700
From: Jacob Davies <jacob [...] well.com>
To: Guest via RT <bug-Apache-AuthCookieDBI [...] rt.cpan.org>
Subject: Re: [cpan #3673] Incorrect processing of authen_cred()
RT-Send-Cc:
On Fri, Aug 29, 2003 at 07:09:45PM -0400, Guest via RT wrote:
>
> This message about Apache-AuthCookieDBI was sent to you by guest <> via rt.cpan.org
>
> Full context and any attached attachments can be found at:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=3673 >
>
> Hi Jacob,
>
> I've been working with your module while learning how authentication and authorization work under mod_perl. I have discovered that the authen_cred subroutine in AuthCookieDBI is sending back 'bad' if the user or password are invalid. This prevents AuthCookie from ever setting the bad_credential flag because it thinks it is receiving a session key. Since you don't document this behavior and it breaks compatibility with AuthCookie, I am filing it as a critical bug.
>
> Also, I use warnings when running my scripts. Several lines of the module are producing 'use of uninitialized value' errors. I have tried to correct as many of these lines as I could find in order to avoid filling my logs.
>
> I can supply a patch for all of the above if you are interested.
I would love a patch. I am not actively using the module myself any more but I have a patch or two from other people I would like to apply and I'll then re-submit to CPAN. Thanks.

-- 
Jacob Davies
jacob@well.com
From: william [...] knowmad.com
[jacob@well.com - Fri Aug 29 19:22:38 2003]:
> I would love a patch. I am not actively using the module myself any more
> but I have a patch or two from other people I would like to apply and I'll
> then re-submit to CPAN. Thanks.

Jacob,

Could you update me on the status of the new release to CPAN?

Thanks,
William
[jacob@well.com - Fri Aug 29 19:22:38 2003]:
> I would love a patch. I am not actively using the module myself any more
> but I have a patch or two from other people I would like to apply and I'll
> then re-submit to CPAN. Thanks.

Hi Jacob,

I sent a patch to you almost two months ago but I don't see it listed in my correspondence here at rt.cpan.org. Did you get it? Are you planning on applying it anytime soon? I need to redeploy my code to a new server and would like to be able to just download the updated module from cpan instead of applying patches.

Thanks,
William
From: william [...] knowwmad.com
Matisse,

Here's the patch mentioned in this thread. I'd really like to see this issue get resolved. It's against 1.19. If it doesn't go in let me know and I'll try to make it against 2.02.

Also shouldn't the Makefile.PL include DBI as a prereq?

Thanks,
William
--- /tmp/AuthCookieDBI.pm Mon Jul 26 10:04:09 2004 +++ AuthCookieDBI.pm Fri Dec 12 17:02:38 2003 @@ -463,16 +463,16 @@ my $auth_name = $r->auth_name; # Username goes in credential_0 - my $user = $credentials[ 0 ]; - unless ( $user =~ /^.+$/ ) { + my $user = $credentials[ 0 ] || ''; + unless ( $user && $user =~ /^.+$/ ) { $r->log_reason( "Apache::AuthCookieDBI: no username supplied for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } # Password goes in credential_1 - my $password = $credentials[ 1 ]; - unless ( $password =~ /^.+$/ ) { + my $password = $credentials[ 1 ] || ''; + unless ( $password && $password =~ /^.+$/ ) { $r->log_reason( "Apache::AuthCookieDBI: no password supplied for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } # get the configuration information. @@ -483,7 +483,7 @@ $c{ DBI_user }, $c{ DBI_password } ); unless ( defined $dbh ) { $r->log_reason( "Apache::AuthCookieDBI: couldn't connect to $c{ DBI_DSN } for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } my $sth = $dbh->prepare( <<"EOS" ); SELECT $c{ DBI_passwordfield } 
@@ -494,26 +494,26 @@ my( $crypted_password ) = $sth->fetchrow_array; unless ( defined $crypted_password ) { $r->log_reason( "Apache::AuthCookieDBI: couldn't select password from $c{ DBI_DSN }, $c{ DBI_userstable }, $c{ DBI_userfield } for user $user for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } # now return unless the passwords match. if ( lc $c{ DBI_crypttype } eq 'none' ) { unless ( $password eq $crypted_password ) { $r->log_reason( "Apache::AuthCookieDBI: plaintext passwords didn't match for user $user for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } } elsif ( lc $c{ DBI_crypttype } eq 'crypt' ) { my $salt = substr $crypted_password, 0, 2; unless ( crypt( $password, $salt ) eq $crypted_password ) { $r->log_reason( "Apache::AuthCookieDBI: crypted passwords didn't match for user $user for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } } elsif ( lc $c{ DBI_crypttype } eq 'md5' ) { # NOTE: This may not be good enough. *** DEBUG *** unless ( md5_hex( $password ) eq $crypted_password ) { $r->log_reason( "Apache::AuthCookieDBI: MD5 passwords didn't match for user $user for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } } @@ -548,7 +548,7 @@ my $secret_key = $SECRET_KEYS{ $auth_name }; unless ( defined $secret_key ) { $r->log_reason( "Apache::AuthCookieDBI: didn't have the secret key for auth realm $auth_name", $r->uri ); - return 'bad'; + return; } my $hash = md5_hex( join ':', $secret_key, md5_hex( join ':', $public_part, $secret_key @@ -646,6 +646,7 @@ } # decode the user my $user = _percent_decode $enc_user; + $issue_time ||= ''; unless ( $issue_time =~ /^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/ ) { $r->log_reason( "Apache::AuthCookieDBI: bad issue time $issue_time recovered from ticket for user $user for auth_realm $auth_name", $r->uri ); return undef;
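Review bot: in the @@ -463 hunk, `unless ( $user && $user =~ /^.+$/ )` rejects the literal username (and, two lines later, the literal password) "0", because `$user &&` tests Perl truthiness rather than presence, and `my $user = $credentials[ 0 ] || '';` already turns "0" into ''. The uninitialized-value warning the `|| ''` is there to silence goes away just as well with `unless ( defined $user && length $user )`, which keeps "0" valid. The change from `return 'bad';` to bare `return;` is the actual fix for the ticket: in the scalar context the login handler uses it yields undef, so a failed login is no longer a truthy string that looks like a session key. Since bare `return` is an empty list in list context, state the contract (undef on failure, session key on success) in the POD so later callers or subclasses do not reintroduce a sentinel.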
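Review bot: in the @@ -483 hunk the connect-failure log_reason still reports only `$c{ DBI_DSN }`; append `$DBI::errstr` to the message (for example `couldn't connect to $c{ DBI_DSN }: $DBI::errstr`) so a wrong DBI_user/DBI_password can be told apart from an unreachable database in the error log without enabling DBI tracing. Keep `$c{ DBI_password }` itself out of the log line.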
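Review bot: in the @@ -494 hunk the `crypt` branch derives the salt with `my $salt = substr $crypted_password, 0, 2;`, which only works for traditional two-character DES hashes; passing the stored hash itself as the salt, `crypt( $password, $crypted_password ) eq $crypted_password`, handles both DES and the `$id$salt$...` modular formats, since crypt() reads only the salt portion it needs. The `md5` branch compares an unsalted `md5_hex( $password )` against the stored value and still carries the `# NOTE: This may not be good enough. *** DEBUG ***` comment; either remove the comment or document that `DBI_crypttype md5` means unsalted MD5 so deployers know what they are storing. The four `return;` replacements in this hunk are consistent with the rest of the patch.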
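Review bot: in the @@ -646 hunk `$issue_time ||= '';` removes the uninitialized-value warning, but the regex it feeds, `/^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/`, is anchored with `$`, which still matches with a trailing newline; as `$issue_time` is recovered from the client's ticket, anchor with `\z` instead. The same log_reason line interpolates the raw `$issue_time` from the ticket into the error log, so a crafted cookie can place arbitrary bytes, including newlines, in the log; log a length-capped copy with non-printable characters stripped. Note that this code path already uses `return undef;`, so the hunk is a warnings fix only and is independent of the 'bad' sentinel change.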
Thanks again,

I will check.

I also need to figure out why I don't get rt email about this module. (Jacob forwarded some to me.)
From: william [...] knowwmad.com
[MATISSE - Wed Apr 13 12:44:29 2005]:
> Thanks again,
>
> I will check.
>
> I also need to figure out why I don't get rt email about this module.
> (Jacob forwarded some to me.)

Hi Matisse,

Any updates on the patch or your access to RT?

Thanks,
William
[guest - Mon Jul 25 13:44:29 2005]:
> Hi Matisse,
>
> Any updates on the patch or your access to RT?
>
> Thanks,
> William

Thanks for sticking with this - I think I have access.

I've attached a new version of AuthCookieDBI that is not yet on CPAN - this incorporates changes similar to and/or based on your patch. Note that this is a mod_perl 2 version - I haven't done any new work on the mod_perl 1.x version.

Will this work for you?

Message body is not shown because it is too large.

From: william [...] knowwmad.com
[MATISSE - Tue Jul 26 00:57:50 2005]:
> Thanks for sticking with this - I think I have access.
> I've attached a new version of AuthCookieDBI that is not yet on CPAN -
> this incorporates changes similar to and/or based on your patch.
>
> Will this work for you?

Actually, I'm already using this version on my production server which was converted over recently to mp2. It must be working correctly or I'd be seeing problems.

The patch that I attached back in April should apply cleanly against the mp1 version if you care to update it and close out this ticket.

Thanks for maintaining this module,
William
Matisse,

I think this issue is resolved now. Can you close out this ticket?

William

-- 
Knowmad Technologies
http://www.knowmad.com
Closing, per email reminder.