On 15/09/2015 15:03, Drew Wells wrote:
On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
On 15/09/2015 11:03, Drew Wells wrote:
In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.

I do not understand the problem.

Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length.

Your patch instead permits having a null password even if the strength policy would not allow it.


The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.

I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser() for avoiding the password check (it may be a further parameter having default = "check").
It would make developers more protected against unwanted security bugs.



Inter@zioni            Interazioni di Antonio Nati
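The design Antonio suggests, an explicit "check or skip" parameter rather than inferring intent from a NULL password, can be illustrated with a small C sketch. This is an added example written for this thread; it is not vpopmail's code, and add_user(), the pw_mode enum, the result codes and the toy strength policy are all hypothetical stand-ins for vadduser() and its real checks. The point it demonstrates: with checking as the default mode, a caller that forgets to state its intent gets the policy applied, and a caller that wants to skip it (a pre-hashed password as with -e, or no password as with -n) must say so explicitly.

```c
#include <assert.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy knob, not vpopmail's real configuration. */
#define MIN_PW_LEN 8

/* The caller must state what it is passing. Value 0 is the default,
 * so an uninitialised or "forgotten" mode still means "check". */
enum pw_mode {
    PW_CHECK = 0,      /* plaintext password, must pass the strength policy */
    PW_PRECRYPTED = 1, /* already-hashed password supplied (like -e) */
    PW_NONE = 2        /* account deliberately created without a password (like -n) */
};

enum add_result {
    ADD_OK = 0,
    ADD_ERR_WEAK = -1,    /* plaintext failed the strength policy */
    ADD_ERR_MISSING = -2, /* no user name, or no password where one is required */
    ADD_ERR_MODE = -3     /* mode and supplied password do not agree */
};

/* Toy strength policy (hypothetical): minimum length plus at least
 * one letter and one digit. */
static bool password_is_strong(const char *pw)
{
    if (pw == NULL)
        return false;
    size_t len = strlen(pw);
    if (len < MIN_PW_LEN)
        return false;
    bool has_alpha = false, has_digit = false;
    for (size_t i = 0; i < len; i++) {
        if (isalpha((unsigned char)pw[i]))
            has_alpha = true;
        if (isdigit((unsigned char)pw[i]))
            has_digit = true;
    }
    return has_alpha && has_digit;
}

/* Hypothetical stand-in for vadduser(): the mode decides whether the
 * strength check runs, instead of the check being skipped whenever the
 * password pointer happens to be NULL. */
int add_user(const char *user, const char *password, enum pw_mode mode)
{
    if (user == NULL || *user == '\0')
        return ADD_ERR_MISSING;

    switch (mode) {
    case PW_CHECK:
        /* Default path: a missing password is an error, a weak one too. */
        if (password == NULL || *password == '\0')
            return ADD_ERR_MISSING;
        if (!password_is_strong(password))
            return ADD_ERR_WEAK;
        break;
    case PW_PRECRYPTED:
        /* Nothing to test against the policy, but a hash must be present. */
        if (password == NULL || *password == '\0')
            return ADD_ERR_MISSING;
        break;
    case PW_NONE:
        /* Explicit no-password account; refuse if a password was passed
         * anyway, since that signals caller confusion. */
        if (password != NULL)
            return ADD_ERR_MODE;
        break;
    default:
        return ADD_ERR_MODE;
    }

    /* Record storage would follow here; omitted in this example. */
    return ADD_OK;
}

int main(void)
{
    printf("check, strong:      %d\n", add_user("alice", "correct9horse", PW_CHECK));
    printf("check, weak:        %d\n", add_user("alice", "short1", PW_CHECK));
    printf("check, NULL:        %d\n", add_user("alice", NULL, PW_CHECK));
    printf("precrypted, hash:   %d\n", add_user("alice", "$1$salt$PLACEHOLDERHASH", PW_PRECRYPTED));
    printf("none, NULL:         %d\n", add_user("alice", NULL, PW_NONE));
    return 0;
}
```

The third call is the case the original patch changed: with the mode parameter, a NULL password under the default mode is rejected, and only a caller that explicitly selects PW_NONE or PW_PRECRYPTED gets past the policy.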

