Hi everyone, when logging into RT with a Czech keyboard accidentally set, wide characters may be accidentally supplied to the password routine. (Czech keyboards have letters with wedges in the same row as numbers.) This causes the error shown in the attached page, revealing the password to bystanders as well as needlessly showing the RT path.
I am providing a quick patch that catches the exception generated by crypt and makes RT behave as if an ordinary bad password had been provided.

Martin

--
Mgr. Martin Drasar dra...@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0x944BC925
System error

error:
    Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.

context:

code stack:
    /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm:1037
    /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:423
    /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:208
    /home/RT/RT-3.8.7/share/html/autohandler:53

Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.
Trace begun at /usr/share/perl5/HTML/Mason/Exceptions.pm line 129
HTML::Mason::Exceptions::rethrow_exception('Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.^J') called at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037
RT::User::IsPassword('RT::CurrentUser=HASH(0x104466a0)', 'ÄÅ¡ÄÅžM-}M-aM-m') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 423
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 208
RT::Interface::Web::HandleRequest('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/share/html/autohandler line 53
HTML::Mason::Commands::__ANON__('pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x105a11f8)', 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 1273
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 1268
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM->M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 419
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 165
HTML::Mason::Request::ApacheHandler::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 831
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=HASH(0x104462f0)', 'Apache2::RequestRec=SCALAR(0x113c1290)') called at /home/RT/RT-3.8.7/bin/webmux.pl line 166
eval {...} at /home/RT/RT-3.8.7/bin/webmux.pl line 166
RT::Mason::handler('Apache2::RequestRec=SCALAR(0x113c1290)') called at -e line 0
eval {...} at -e line 0
--- User_Overlay.pm.bak 2010-04-20 11:45:52.000000000 +0200 +++ User_Overlay.pm 2010-04-20 11:54:19.000000000 +0200 @@ -1034,12 +1034,19 @@ } # if it's a historical password we say ok. - if ($self->__Value('Password') eq crypt($value, $self->__Value('Password')) - or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password')) + eval { - # ...but upgrade the legacy password inplace. - $self->SUPER::SetPassword( $self->_GeneratePassword($value) ); - return(1); + if ($self->__Value('Password') eq crypt($value, $self->__Value('Password')) + or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password')) + { + # ...but upgrade the legacy password inplace. + $self->SUPER::SetPassword( $self->_GeneratePassword($value) ); + return(1); + } + }; + if ($@) { + $RT::Logger->info("Caught exception: $@"); + return(undef); } # no password check has succeeded. get out
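Review bot: the return(1) that this hunk moves inside the eval { ... } block now returns from the eval, not from IsPassword, so a correct legacy (crypt or Base64) password no longer produces a successful login: control falls through to the "no password check has succeeded" path right after the hunk, and the in-place upgrade is done for nothing. Compute the match inside the eval and act on it outside, along the lines of
    my $matched = eval { $self->__Value('Password') eq crypt($value, $self->__Value('Password')) or $self->_GeneratePasswordBase64($value) eq $self->__Value('Password') };
    if ($@) { $RT::Logger->info("Caught exception: $@"); return(undef); }
    if ($matched) { $self->SUPER::SetPassword( $self->_GeneratePassword($value) ); return(1); }
This also keeps SetPassword outside the eval, so a failure of the password upgrade is not reported to the user as a wrong password. The log line itself is fine: the "Wide character in crypt" message carries only the file and line, not the submitted value, so keep $value out of it.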
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
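As an added example, not code from the post or from RT: the same failure reproduced in plain Perl, next to a check that first encodes the candidate password to UTF-8 bytes so that crypt() cannot die on it, and that turns any remaining exception into a normal failed login without echoing the submitted value. The stored hash crypt('secret', 'ab'), the sample Czech input and the function names naive_is_password / safe_is_password are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                      # string literals below are character strings
use Encode qw(encode);

# Constructed sample: a classic crypt(3) hash of the byte string "secret"
# with salt "ab"; stands in for the value RT keeps in the Password column.
my $stored = crypt('secret', 'ab');

# Naive check: the comparison RT 3.8.7 performs in IsPassword. When $value
# is a character string with code points above 0xFF, crypt() dies with
# "Wide character in crypt" instead of returning a mismatch.
sub naive_is_password {
    my ($stored, $value) = @_;
    return $stored eq crypt($value, $stored);
}

# Hardened check: downgrade the candidate to bytes first (a UTF-8 flagged
# string is encoded, a byte string is used as is), so crypt() can never die
# on the input. Anything else that dies inside the eval is logged without
# the password and reported as a failed login, never propagated to the
# web layer's error page.
sub safe_is_password {
    my ($stored, $value) = @_;
    my $bytes = utf8::is_utf8($value) ? encode('UTF-8', $value) : $value;
    my $ok = eval { $stored eq crypt($bytes, $stored) ? 1 : 0 };
    if (!defined $ok) {
        warn "password check failed with exception: $@";   # no $value here
        return 0;
    }
    return $ok;
}

# Constructed input: what the digit row of a Czech keyboard yields.
my $czech = 'ěščřžýáí';

print "naive, ascii:  ", (naive_is_password($stored, 'secret') ? 'ok' : 'no'), "\n";
print "naive, czech:  ";
if (eval { naive_is_password($stored, $czech); 1 }) {
    print "no\n";
} else {
    print "died: $@";          # Wide character in crypt at ... line N.
}
print "safe, czech:   ", (safe_is_password($stored, $czech) ? 'ok' : 'no'), "\n";
print "safe, ascii:   ", (safe_is_password($stored, 'secret') ? 'ok' : 'no'), "\n";
```

Encoding before crypt() removes the condition that raised the exception instead of catching it after the fact, and the eval then only guards against the unforeseen. Either way the failure path must return an ordinary bad-password result; it is the uncaught exception reaching Mason's error page that put the submitted password and the install path on screen above.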