On Sun, Apr 11, 2010 at 1:08 PM, Evan Carroll li...@evancarroll.com wrote:
On Sun, Apr 11, 2010 at 12:31 AM, Andrew Rodland and...@cleverdomain.org wrote:
Please, make some more public insults.
snip.
Guys, just fix or don't fix the broken or not broken problem and stop the
I don't know what the fix is -- it seems like doc or code would work.
The patch is already on github, it needs tests and some other
qualifications before it gets accepted.
--
Evan Carroll
System Lord of the Internets
On Sun, Apr 11, 2010 at 12:31 AM, Andrew Rodland and...@cleverdomain.org wrote:
Please, make some more public insults.
Your modus operandi consists of acting authoritative and aggressive in
the hopes of soliciting a negative reaction. I've never seen you be so
direct before.
I would be even
On Friday 09 April 2010 09:49:24 am Evan Carroll wrote:
The vulnerability was never against salted_hash. I've since learned
what Crypt::SaltedHash is; I just don't believe I have a reason to use
it. Why would I want to use something that serializes the hash and
password into one database column
Why would you want the complexity of storing them separately when you could do
it the way every other system on the planet does it? Why would you add
duplicate functionality that's inferior to what it duplicates?
The crypt method might be popular in some applications and in some
libraries;
On Saturday 10 April 2010 11:21:27 am Evan Carroll wrote:
Also, I should point out that Crypt::SaltedHash permits the same
stupid idea of a static, non-random salt set up in the constructor.
This makes it slightly more fishy: why would you ever want to use this
module to do what I just did
On Sat, Apr 10, 2010 at 5:37 PM, Andrew Rodland and...@cleverdomain.org wrote:
That's not why that argument exists, that's not how it gets used, and that's
not how C::A::Cred::Password uses it. If you'd thought for half a second, it
might have occurred to you that that calling convention
Please, make some more public insults. I would be even further entertained if
you would make more sweeping declarations about modules you didn't even read
the documentation for and have never used in your life, and submitted some
more patches that duplicate functionality poorly.
You can put
On 9 Apr 2010, at 02:58, Evan Carroll wrote:
I already patched this with a fix, it is on github and I've linked to
it and posted it on rt. Janus told me he would give me maintenance to
post it on CPAN, and he hasn't followed through yet. It fixes the
problem by permitting you to pull in a
As far as I can tell, the whole point of this patch is aimed at the 'hashed'
password case only (rather than 'salted_hash').
The vulnerability was never against salted_hash. I've since learned
what Crypt::SaltedHash is; I just don't believe I have a reason to use
it. Why would I want to use
On Fri, Apr 9, 2010 at 12:53 AM, Tomas Doran bobtf...@bobtfish.net wrote:
On 9 Apr 2010, at 03:05, Evan Carroll wrote:
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication
Anyway, that's the repo -- Find the commits here:
This is actually a very unhelpful way to supply patches, as it makes the
maintainer have to do a whole chunk of work to get at your patch. As such,
given limited time, I haven't looked..
Here is the patch range for review:
On Fri, Apr 9, 2010 at 8:51 AM, Evan Carroll li...@evancarroll.com wrote:
Without any unnecessary commentary, here is the implementation of the
password_(pre|post)_salt_field, without other features that should be
patched separately.
http://codepeek.com/paste/4bbf456c0ae3049443a742a2
I
* In what circumstances was an attack possible?
ie. What combination of modules, options, auth methods.
* You use Catalyst::Authentication::Credential::Password.
* With the hashed password_type.
* And your database is compromised.
* Which versions were vulnerable, and if any, at what
On 08/04/10 16:21, Andrew Rodland wrote:
* In what circumstances was an attack possible?
ie. What combination of modules, options, auth methods.
* You use Catalyst::Authentication::Credential::Password.
* With the hashed password_type.
* And your database is compromised.
I'd like to
Gah, I posted the wrong URL.. If only we moved our mailing list to
AOL, I could undo the send.
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication
Anyway, that's the repo -- Find the commits here:
http://github.com/EvanCarroll/Catalyst-Plugin-Authentication/commits/master
I'm not sure
So, a while back there was some.. slightly heated.. discussion about
security issues with C-P-A-Password.. or perhaps one of the modules it
uses internally.. in certain cases, if certain options are, or are not,
set. Then it quietened down without any apparent conclusion being reached.
Now
On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale toby.corkind...@strategicdata.com.au wrote:
So, a while back there was some.. slightly heated.. discussion about
security issues with C-P-A-Password.. or perhaps one of the modules it uses
internally.. in certain cases, if certain options are, or