Hi David

Thank you for the suggestions.
I can also imagine other possibilities along similar lines, like removing
the file-specific password file when the user changes setting to empty
password, or removing the registration of the password file.

You seem to confirm implicitly that empty password is not a useable option
when using a password file. It seems that the mismatch between what a
browser sends back and what is in the password file, when both of these
correspond to the empty password, is intentional. I would be curious to know
whether this is defined in some standard, and how it is implemented.

Best regards
Rudi Farkas

On Sun, Oct 5, 2008 at 12:38 AM, David Lethe <[EMAIL PROTECTED]> wrote:

>
> *From:* Rudi Farkas [mailto:[EMAIL PROTECTED]
> *Sent:* Thursday, October 02, 2008 2:27 PM
> *To:* [email protected]
> *Subject:* [shttpd-general] shttpd : can we have an empty password ?
>
>
>
> I have the requirement to 'protect' a specific file served by shttpd with
> an empty password.
> Leaving aside the question whether the requirement is reasonable, is it
> possible to implement it using a password entry in a shttpd password file ?
> I tried to do this, but shttpd refuses the user response when the password
> file specifies an empty password and browser user supplies an empty
> password.
>
> Is this fundamentally impossible, or am I doing something wrong ?
>
>
> Here is my experiment that illustrates the problem :
>
> 1- install shttpd-1.42 on WinXP from the installer, to the default
> directory C:\shttpd-1.42
>
> 2- modify the file shttpd.conf thus (keeps all files in the same directory)
> :
>
> # SHTTPD web server configuration file.
> # Lines starting with '#' and empty lines are ignored.
> # For detailed description, visit
> http://shttpd.sourceforge.net/shttpd.1.txt
>
> root            .
> ports           80,443s
> systray         yes
> access_log      .\shttpd_access_log.txt
> error_log       .\shttpd_error_log.txt
> auth_realm      mydomain.com
> protect         /full.html=.pwdfull,/empty.html=.pwdempty
>
> 3- create 3 simple html files
>
> \shttpd-1.42\empty.html
> \shttpd-1.42\full.html
> \shttpd-1.42\index.html
>
> 4- create 2 password files
>
> C:\shttpd-1.42>shttpd -A .pwdempty mydomain.com me ""
> C:\shttpd-1.42>shttpd -A .pwdfull mydomain.com me full
>
> 5- launch server
>
> C:\shttpd-1.42>shttpd
> Loading config file shttpd.conf
>
> 6- open a browser (IE7 or FF3 in my case) and navigate to http://localhost
>
> Browser opens index.html - OK
>
> 7- navigate to http://localhost/full.html
>
> Browser asks for credentials - respond with "me" and "full"
> shttpd accepts the response and browser opens full.html - OK
>
> 8- navigate to http://localhost/empty.html
>
> Browser asks for credentials - respond with "me" and blank - type nothing
> in password field, press OK
> shttpd refuses the response and browser asks again for credentials ...
>
> This is where I am stuck - is there anything I can do so that shttpd would
> accept the response ?
>
> Attached is a zip file with all test files mentioned in the experiment.
>
>
> Any clarifications or ideas would be appreciated.
>
> Rudi
>
> --------------------------------------------------------------------------------------------------
> Modify shttpd.c source code.   When user enters empty password, code it as
> if they used a password of  "StupidMoronRequest".   When you write to the
> .htpasswd file, leave the password column empty.   Then when the logic to
> authenticate a username/password pair, assume they entered that password.
> You'll have to create a custom login form that sends a non-blank password
> on, but accepts a blank password field.  (or if they don't want to ever see
> a password field, then modify the HTML/Javascript for the logon form to
> sneakily send "StupidMoronRequest" as the password).
>
>
>
> Does the spec state that the password column in .htpasswd file needs to be
> empty, or just that the user must not be required to fill out a password
> field in the logon?    In any event, above technique will work.    It will
> be less work for you if you can just hardcode the MD5 equivalent of
> "StupidMoronRequest" in the authorization logic.
>
>
>
> David
_______________________________________________
shttpd-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shttpd-general