[PATCH]: use system passwords with httpd

Denys Vlasenko vda.linux at googlemail.com
Tue Nov 29 12:53:10 UTC 2011


On Sun, Nov 6, 2011 at 10:08 AM, Pascal Bellard
<pascal.bellard at ads-lu.com> wrote:
> In httpd.conf, users and passwds are stored this way: '/path:user:password'
> The following patch adds '/path:user:*' to look for the password in /etc/passwd
> and '/path:*:*' to allow any user account with a password.
>
> http://hg.slitaz.org/wok-undigest/raw-file/5545842dea8c/busybox/stuff/busybox-1.19-httpd.u
>
> The code is enabled by HTTPD_AUTH_MD5 feature.
> Both PAM and shadow passwords are supported.

                        const char *unencrypted =
strchr(user_and_passwd, ':') + 1;

what if user_and_passwd has no ':'?

                        const char *passwd = strchr(cur->after_colon, ':');
                        int user_len_p1 = unencrypted - user_and_passwd;
                        char username[256];

                        strncpy(username, user_and_passwd, user_len_p1);
                        username[user_len_p1 - 1] = '\0';

what if user_len_p1 > 256?

Please check my changes:

http://git.busybox.net/busybox/commit/?id=7291755439ad2f400df51a74b4e9a31a48f484b1

-- 
vda
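
The two questions raised in the review above (a credential string with no ':' and a user name longer than the 256-byte buffer), handled in one bounds-checked helper. This is an added example, not part of the original message or of the BusyBox commit; `split_user_passwd` and `USERNAME_MAX` are hypothetical names and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 256 /* buffer size used in the reviewed snippet */

/* Hypothetical helper, not a BusyBox function: split "user:password".
 * Copies the user part into username[] and points *passwd past the first
 * ':'. Returns 0 on success, -1 if there is no ':' or the name won't fit. */
static int split_user_passwd(const char *user_and_passwd,
                             char *username, size_t username_sz,
                             const char **passwd)
{
    const char *colon = strchr(user_and_passwd, ':');
    size_t user_len;

    if (!colon) /* strchr() returned NULL; NULL + 1 is not a valid pointer */
        return -1;
    user_len = (size_t)(colon - user_and_passwd);
    if (user_len >= username_sz) /* no room for the name plus its NUL */
        return -1;
    memcpy(username, user_and_passwd, user_len);
    username[user_len] = '\0';
    *passwd = colon + 1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: well-formed, missing ':', 300-byte user name */
    char big[400], user[USERNAME_MAX];
    const char *pw, *samples[3];
    int i;

    memset(big, 'A', 300);
    strcpy(big + 300, ":x");
    samples[0] = "alice:s3cret";
    samples[1] = "nocolon";
    samples[2] = big;
    for (i = 0; i < 3; i++) {
        if (split_user_passwd(samples[i], user, sizeof(user), &pw) == 0)
            printf("accepted: user=%s\n", user);
        else
            printf("rejected sample %d\n", i);
    }
    return 0;
}
```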

