Thus said Andy Bradford on Sat, 27 Oct 2001 11:31:40 MDT:
> the middle. It did fail as reported. I haven't had the time to look
> into the code to find out where this might be failing. Any ideas?

Ok, after taking some time to look into the code it would appear that it isn't actually a bug, but a feature in a function called badstr. Now, it seems that badstr is being used both on the username and the password that are entered from the form; however, I think this is too generic. While it may not be common to have a username with a ';' in it, I don't see why a password cannot have a ';' in it. This could be accomplished by separating badstr into two functions: baduid and badpass.

So, what of it, Sam? What are the technical reasons for lumping bad characters for both username and password into one function?

After looking at the way the user is authenticated with authdaemon, it doesn't seem that any shells are ever created since the information is passed through a socket to authdaemond. Even authdaemond itself forks and reads its information through a pipe...

Andy
--
GnuPG ID 0xA63888C9 (D2DA 68C9 BB2B 26B4 8204 2219 A43E F450 A638 88C9)
[-----------[system uptime]--------------------------------------------]
  1:25pm up 34 days, 20:20, 7 users, load average: 1.93, 1.82, 1.71
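
An added example, not part of the original message and not the project's own code: a sketch in C of the baduid/badpass split proposed above. The rejected character sets, the 255-byte limit, the refusal of empty input and the delimiter-separated field format are all assumptions made for illustration; only the function names come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical split of one "bad string" check into two validators.
 * The rejected character sets are assumptions for illustration; they
 * are not copied from the real badstr(). */

/* Control characters are refused in both fields: if the credentials are
 * written to the auth daemon as delimiter-separated fields (assumed
 * here), an embedded CR or LF could split one field into two. */
static int has_ctl(const char *s)
{
    for (; *s; s++)
        if ((unsigned char)*s < 0x20 || (unsigned char)*s == 0x7f)
            return 1;
    return 0;
}

/* Usernames: strict. Returns 1 if the string must be refused. */
int baduid(const char *uid)
{
    static const char meta[] = ";|&`$<>\\\"'*?()[]{}!# "; /* assumed set */
    if (*uid == '\0' || strlen(uid) > 255) return 1;      /* assumed limit */
    if (has_ctl(uid)) return 1;
    return strpbrk(uid, meta) != NULL;
}

/* Passwords: permissive. Punctuation such as ';' is accepted because the
 * value is never handed to a shell; only control bytes are refused. */
int badpass(const char *pw)
{
    if (*pw == '\0' || strlen(pw) > 255) return 1;        /* assumed limit */
    return has_ctl(pw);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "andy", "an;dy", "s3cr;t", "line\nbreak" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("baduid=%d badpass=%d  (sample %zu)\n",
               baduid(samples[i]), badpass(samples[i]), i);
    return 0;
}
```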
