Subject: password_for_user ignores password "0"
Patch attached fixes the following problems in XML::Atom 0.05
* password_for_user breaks users with password "" or "0".
* auth_failure() reveals in its response whether a supplied username exists or not.
It can be a vulnerability. I think it should return the same
message when a user doesn't exist and when a password is wrong.
* Doc fixes: password_for_user should return undef when the username
lookup fails.
--
Tatsuhiko Miyagawa <miyagawa@livedoor.jp>
diff -ruP XML-Atom-0.05.orig/lib/XML/Atom/Server.pm XML-Atom-0.05/lib/XML/Atom/Server.pm
--- XML-Atom-0.05.orig/lib/XML/Atom/Server.pm 2004-04-20 15:12:30.000000000 +0900
+++ XML-Atom-0.05/lib/XML/Atom/Server.pm 2004-04-20 15:15:40.000000000 +0900
@@ -262,12 +262,12 @@
return $server->auth_failure(400, "X-WSSE requires $f")
unless $auth->{$f};
}
- my $password = $server->password_for_user($auth->{Username})
- or return $server->auth_failure(403, 'Invalid login');
+ my $password = $server->password_for_user($auth->{Username});
+ defined($password) or return $server->auth_failure(403, 'Invalid login');
my $expected = encode_base64(sha1(
$auth->{Nonce} . $auth->{Created} . $password
), '');
- return $server->auth_failure(403, 'X-WSSE PasswordDigest is incorrect')
+ return $server->auth_failure(403, 'Invalid login')
unless $expected eq $auth->{PasswordDigest};
return 1;
}
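Review bot: No test accompanies the `defined($password)` change, so a regression to the old truthiness check (`password_for_user(...) or return ...`) would go unnoticed; please add cases where password_for_user returns "0", "" and undef and assert that only the undef case fails before the digest is computed. The unified 'Invalid login' message in both `auth_failure(403, ...)` calls is the right fix for the username-enumeration issue; note that the unknown-user branch still returns before `sha1(...)` runs, so the two failures remain distinguishable by timing, and the final `$expected eq $auth->{PasswordDigest}` is a plain string compare, which is acceptable for a base64 digest but worth a comment if a constant-time comparison is ever wanted.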
@@ -390,7 +390,8 @@
(from the WSSE header), I<password_for_user> should return that user's
password in plaintext. This will then be combined with the nonce and the
creation time to generate the digest, which will be compared with the
-digest sent in the WSSE header.
+digest sent in the WSSE header. If supplied username doesn't exists in
+your user database or alike, just return undef.
For example:
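Review bot: The added sentence has grammar errors ("If supplied username doesn't exists ... or alike") and leaves the "" / "0" case, which is the point of the patch, undocumented. Suggest: "If the supplied username does not exist in your user database, return undef. Any defined value, including an empty string or "0", is treated as the user's password."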