On Sunday 3 June 2012 21:25:51, Adam Lyle wrote:
> Greetings,
> 
> I'll start by saying that I am not a C programmer, but I have been
> looking through the source code trying to get this functionality to
> work. Here's my end goal.
> 
> The username is converted to lowercase
> The password is converted to lowercase
> They are compared and if the same or similar an error is generated.
> 
> Now, I know that this is similar to the trivial passwords check, but
> there is a difference that I will explain.
> 
> I have patched qmailadmin 1.2.15 to use the cracklib patch, and that is
> working well. I enabled trivial password checking and that works,
> mostly. I have been able to still get by a weak combination using the
> following:
> username: TestWeak1
> password: TestWeak1
> 
> What I believe is happening is that qmailadmin is converting the
> username to lowercase at some point but leaving the password
> unaltered. When it does the strstr compare it doesn't match, so it
> passes the combination as being good.
> 
> 
> I tried cobbling this together:
>   GetValue(TmpCGI,Newu, "newu=", tolower(Newu));
>   GetValue(TmpCGI,Password1, "password1=", tolower(Password1));
>   if ( strstr(Newu,Password1) !=NULL ) {
>     snprintf (StatusMessage, "Bad username and password combination,
> to similar - %s\n", html_text[175]);
>     adduser();
>     vclose();
>     exit(0);
>   }
> 
> But while that compiles without an error, qmailadmin fails when I try
> to add a new user.
> 
> I've tried searching various C programming pages, but without a solid
> frame of reference I am just taking stabs in the dark.
> 
> Does anyone have a way to include this functionality??
> 
> Thanks,
> -Adam
> 

Look more closely! The tolower function only changes a single char to lowercase, not a 
string. What you need to do is build a function that iterates through the 
string and changes ALL the chars to lowercase.

Anyway, I posted some time ago a patch to check that the password is not a 
subset of the username; it doesn't convert both to lowercase (or uppercase, 
for that matter) to do the check, so it doesn't do EXACTLY what you are trying 
to do, but if you are interested I can repost it.

-- 


Simone Lazzaris | Head of Datacenter and VoIP areas 
Interactive Network srl | via Roggia Vignola 9, 24047 Treviglio (BG) 
Tel. 0363 1970352 | Fax 0363.1971971 | www.interactive.eu 

Confidentiality notice
This message and any attached files are confidential and intended solely for 
the addressees. If you have received this message in error, please notify the 
sender immediately and destroy the original and every copy of the 
communication, in accordance with the laws in force on the processing of 
personal data. The data controller has adopted appropriate policies in 
compliance with the Provision of the Italian Data Protection Authority 
(Garante della Privacy) of 1 March 2007; it is therefore specified that this 
message is not of a personal nature and replies to it may be read and/or 
viewed within the sender's organisation. Use, dissemination, distribution 
and/or copying of the transmitted document by anyone other than the addressee 
is prohibited, pursuant to art. 616 of the Italian Penal Code and Legislative 
Decree no. 196/2003 as amended.
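The point made in the reply above, as an added example that is not code from qmailadmin, from Adam's attempt, or from Simone's patch: tolower() handles one byte, so the string has to be walked in a loop, and the comparison is done on lowercased copies so that qmailadmin's own buffers (Newu, Password1) are left untouched. The function names, the 256-byte buffers and the "either string contains the other" rule are assumptions for illustration, not qmailadmin's API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lowercase a NUL-terminated string in place.
 * tolower() converts a single character, so it must be applied per byte.
 * The cast to unsigned char avoids undefined behaviour on high-bit bytes. */
static void str_tolower(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Return 1 if the password is too similar to the username, 0 otherwise.
 * Both values are compared case-insensitively on local copies, so
 * "TestWeak1" / "TestWeak1" (or "testweak1") is rejected even if the
 * caller has already lowercased one of them. A password that contains
 * the username, or a username that contains the password, is "similar";
 * this is as strict as a plain strstr() check and will also reject very
 * short passwords that happen to appear in the username. (Buffer size and
 * policy are assumptions for this example.) */
int password_too_similar(const char *user, const char *pass)
{
    char u[256], p[256];

    /* Reject over-long input instead of silently truncating it. */
    if (strlen(user) >= sizeof u || strlen(pass) >= sizeof p)
        return 1;

    strcpy(u, user);
    strcpy(p, pass);
    str_tolower(u);
    str_tolower(p);

    /* strstr(u, "") would return u (non-NULL); treat an empty password
     * explicitly so the result does not depend on that corner case. */
    if (p[0] == '\0')
        return 1;

    return (strstr(u, p) != NULL || strstr(p, u) != NULL) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample pairs, including the case from the original post. */
    const char *pairs[][2] = {
        { "TestWeak1", "TestWeak1" },
        { "TestWeak1", "testweak1" },
        { "adam",      "xADAMx" },
        { "adam",      "correct horse battery" },
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-10s / %-22s -> %s\n", pairs[i][0], pairs[i][1],
               password_too_similar(pairs[i][0], pairs[i][1])
                   ? "rejected" : "ok");
    return 0;
}
```

In a qmailadmin patch the call would sit where Adam placed his strstr() check, passing Newu and Password1 and emitting the error message when it returns 1; the original values are not modified, so nothing downstream sees a lowercased username or password.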
