Hi everyone,
when logging into RT having czech keyboard accidentaly set, wide
characters may be accidentally supplied to the password routine. (Czech
keyboard have letters with wedges in the same row as numbers).
This causes error shown in attached page, revealing password to
bystanders as well as needlessly showing RT path.
I am providing a quick patch that catches the exception generated by
crypt and makes RT behave like ordinary bad password was provided.
Martin
--
Mgr. Martin Drasar dra...@ics.muni.cz
Network Security Department http://ics.muni.cz/
CSIRT-MU http://www.muni.cz/csirt
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0x944BC925
System error
error:
Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.
context:
...
1033:
return(1);
1034:
}
1035:
1036:
# if it's a historical password we say ok.
1037:
if ($self-__Value('Password') eq crypt($value, $self-__Value('Password'))
1038:
or $self-_GeneratePasswordBase64($value) eq $self-__Value('Password'))
1039:
{
1040:
# ...but upgrade the legacy password inplace.
1041:
$self-SUPER::SetPassword( $self-_GeneratePassword($value) );
...
code stack:
/home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm:1037
/home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:423
/home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm:208
/home/RT/RT-3.8.7/share/html/autohandler:53
raw error
Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.
Trace begun at /usr/share/perl5/HTML/Mason/Exceptions.pm line 129
HTML::Mason::Exceptions::rethrow_exception('Wide character in crypt at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037.^J') called at /home/RT/RT-3.8.7/bin/../lib/RT/User_Overlay.pm line 1037
RT::User::IsPassword('RT::CurrentUser=HASH(0x104466a0)', 'ÄÅ¡ÄÅžM-}M-aM-m') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 423
RT::Interface::Web::AttemptPasswordAuthentication('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/bin/../lib/RT/Interface/Web.pm line 208
RT::Interface::Web::HandleRequest('HASH(0x1157dc98)') called at /home/RT/RT-3.8.7/share/html/autohandler line 53
HTML::Mason::Commands::__ANON__('pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Component.pm line 135
HTML::Mason::Component::run('HTML::Mason::Component::FileBased=HASH(0x105a11f8)', 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 1273
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 1268
HTML::Mason::Request::comp(undef, undef, undef, 'pass', 'M-DM-^[M-EM-!M-DM-^MM-EM-^YM-EM-M-CM-=M-CM-!M-CM--', 'user', 'drasar') called at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 467
eval {...} at /usr/share/perl5/HTML/Mason/Request.pm line 419
HTML::Mason::Request::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 165
HTML::Mason::Request::ApacheHandler::exec('RT::Interface::Web::Request=HASH(0x113f97b8)') called at /usr/share/perl5/HTML/Mason/ApacheHandler.pm line 831
HTML::Mason::ApacheHandler::handle_request('HTML::Mason::ApacheHandler=HASH(0x104462f0)', 'Apache2::RequestRec=SCALAR(0x113c1290)') called at /home/RT/RT-3.8.7/bin/webmux.pl line 166
eval {...} at /home/RT/RT-3.8.7/bin/webmux.pl line 166
RT::Mason::handler('Apache2::RequestRec=SCALAR(0x113c1290)') called at -e line 0
eval {...} at -e line 0
--- User_Overlay.pm.bak 2010-04-20 11:45:52.0 +0200
+++ User_Overlay.pm 2010-04-20 11:54:19.0 +0200
@@ -1034,12 +1034,19 @@
}
# if it's a historical password we say ok.
-if ($self-__Value('Password') eq crypt($value, $self-__Value('Password'))
-or $self-_GeneratePasswordBase64($value) eq
$self-__Value('Password'))
+eval
{
-# ...but upgrade the legacy password inplace.
-$self-SUPER::SetPassword( $self-_GeneratePassword($value) );
-return(1);
+ if ($self-__Value('Password') eq crypt($value,
$self-__Value('Password'))
+ or $self-_GeneratePasswordBase64($value) eq
$self-__Value('Password'))
+ {
+ # ...but upgrade the legacy password inplace.
+ $self-SUPER::SetPassword( $self-_GeneratePassword($value) );
+ return(1);
+ }
+};
+if ($@) {
+ $RT::Logger-info(Caught