A patch to fix
- passwd storage deallocation
- a wrong pam_end() call

-pascal
> On Sun, Nov 6, 2011 at 10:08 AM, Pascal Bellard
> <[email protected]> wrote:
>> In httpd.conf, users and passwds are stored this way:
>> '/path:user:password'
>> The following patch adds '/path:user:*' to look for password in
>> /etc/passwd
>> and '/path:*:*' to allow any user account with a password.
>>
>> http://hg.slitaz.org/wok-undigest/raw-file/5545842dea8c/busybox/stuff/busybox-1.19-httpd.u
>>
>> The code is enabled by HTTPD_AUTH_MD5 feature.
>> Both PAM and shadow passwords are supported.
>
>     const char *unencrypted = strchr(user_and_passwd, ':') + 1;
>
> what if user_and_passwd has no ':'?
>
>     const char *passwd = strchr(cur->after_colon, ':');
>     int user_len_p1 = unencrypted - user_and_passwd;
>     char username[256];
>
>     strncpy(username, user_and_passwd, user_len_p1);
>     username[user_len_p1 - 1] = '\0';
>
> what if user_len_p1 > 256?
>
> Please check my changes:
>
> http://git.busybox.net/busybox/commit/?id=7291755439ad2f400df51a74b4e9a31a48f484b1
>
> --
> vda
>
httpd.u
Description: Binary data
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
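The two questions raised in the quoted review (no ':' in `user_and_passwd`, and a user name longer than the 256-byte buffer) can both be handled before any copy takes place. The following is an added example, not code from this thread, the attached patch or the BusyBox commit; the helper name `split_user_passwd` and the sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 256  /* same buffer size as the quoted code */
/*
 * Hypothetical helper (not BusyBox code): split a "user:password" string.
 * Copies the user name into username[] and returns a pointer to the
 * password part, or NULL if the input must be rejected.
 */
static const char *split_user_passwd(const char *user_and_passwd,
                                     char *username, size_t username_size)
{
	const char *colon;
	size_t user_len;

	if (!user_and_passwd || !username || username_size == 0)
		return NULL;
	/* First review question: strchr() returns NULL when there is no ':',
	 * so "strchr(...) + 1" must not be computed before this check. */
	colon = strchr(user_and_passwd, ':');
	if (!colon)
		return NULL;
	/* Second review question: the length comes from the request, so
	 * compare it with the destination size before copying anything. */
	user_len = (size_t)(colon - user_and_passwd);
	if (user_len >= username_size)
		return NULL;

	memcpy(username, user_and_passwd, user_len);
	username[user_len] = '\0';
	return colon + 1;
}

int main(void)
{
	/* Constructed sample inputs, not taken from the thread */
	const char *samples[] = { "alice:secret", "nocolon", "bob:" };
	char username[USERNAME_MAX];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const char *pw = split_user_passwd(samples[i], username, sizeof(username));
		if (pw)
			printf("%-12s -> user='%s' passwd='%s'\n", samples[i], username, pw);
		else
			printf("%-12s -> rejected\n", samples[i]);
	}
	return 0;
}
```

Rejecting an overlong user name outright, rather than truncating it, keeps a truncated prefix from being looked up as if it were a different, valid account name.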
