BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported

When an unknown encryption algorithm is used in userlists or the password is not pasted correctly in the configuration, http authentication silently fails. An initial check is now performed during the configuration parsing, in order to verify that the encrypted password is supported. An unsupported password will fail with a fatal error. This patch should be backported to 1.4 and 1.5.
2025-08-09 08:37:04 +02:00 · 2014-08-29 20:20:02 +02:00 · 2014-08-29 20:20:02 +02:00 · 1a0191d2ff
commit 1a0191d2ff
parent c82279c5fc
1 changed files with 18 additions and 1 deletions
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -10,6 +10,16 @@
 *
 */

+#ifdef CONFIG_HAP_CRYPT
+/* This is to have crypt() defined on Linux */
+#define _GNU_SOURCE
+
+#ifdef NEED_CRYPT_H
+/* some platforms such as Solaris need this */
+#include <crypt.h>
+#endif
+#endif /* CONFIG_HAP_CRYPT */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@ -5741,7 +5751,14 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)

 		while (*args[cur_arg]) {
 			if (!strcmp(args[cur_arg], "password")) {
-#ifndef CONFIG_HAP_CRYPT
+#ifdef CONFIG_HAP_CRYPT
+				if (!crypt("", args[cur_arg + 1])) {
+					Alert("parsing [%s:%d]: the encrypted password used for user '%s' is not supported by crypt(3).\n",
+						file, linenum, newuser->user);
+					err_code |= ERR_ALERT | ERR_FATAL;
+					goto out;
+				}
+#else
 				Warning("parsing [%s:%d]: no crypt(3) support compiled, encrypted passwords will not work.\n",
 					file, linenum);
 				err_code |= ERR_ALERT;