Actually, this patch is incorrect. vadduser() takes the plaintext password, regardless of whether CLEAR_PASS is defined.

The current code behaves as it should.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/

On Mar 17, 2006, at 6:23 AM, Riccardo Bini wrote:

Patch for checking password length.
Bye
Rick


--- vpopmail.c  2005-05-23 18:12:36.000000000 +0200
+++ /home/rick/sorgenti/vpopmail-5.4.12/vpopmail.c      2006-03-17
14:52:01.000000000 +0100
@@ -457,7 +457,11 @@
if ( strlen(domain) > MAX_PW_DOMAIN ) return(VA_DOMAIN_NAME_TOO_LONG);
   if ( strlen(domain) < 3) return(VA_INVALID_DOMAIN_NAME);

+  if ( strlen(password) > MAX_PW_PASS )  return(VA_PASSWD_TOO_LONG);
+#ifdef CLEAR_PASS
if ( strlen(password) > MAX_PW_CLEAR_PASSWD ) return(VA_PASSWD_TOO_LONG);
+#endif
+
   if ( strlen(gecos) > MAX_PW_GECOS )    return(VA_GECOS_TOO_LONG);

   umask(VPOPMAIL_UMASK);
@@ -1350,7 +1354,11 @@
   if ( strlen(username) == 1 ) return(VA_ILLEGAL_USERNAME);
 #endif
if ( strlen(domain) > MAX_PW_DOMAIN ) return(VA_DOMAIN_NAME_TOO_LONG); - if ( strlen(password) > MAX_PW_CLEAR_PASSWD ) return(VA_PASSWD_TOO_LONG);
+
+  if ( strlen(password) > MAX_PW_PASS )  return(VA_PASSWD_TOO_LONG);
+#ifdef CLEAR_PASS
+ if ( strlen(password) > MAX_PW_CLEAR_PASSWD ) return(VA_PASSWD_TOO_LONG);
+#endif

   lowerit(username);
   lowerit(domain);



Reply via email to