Re: NetReg: password bug


From: Todd K. Watson (tkw@southwestern.edu)
Date: Fri Aug 31 2001 - 08:35:08 CDT


Thanks Steve! That's a good one. Peter is close to cutting a 1.3 bug fix
version and that'll be in there.

I find it quite curious that the bug wasn't discovered sooner. I think it
is because of people's habits in choosing passwords. If people used more
special characters in their passwords (as they should -- myself included)
this bug would have raised its head sooner.

Todd

--
        Todd K. Watson
        Senior System & Network Administrator
        Southwestern University, Georgetown, TX
        tkw@southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605

On Fri, 31 Aug 2001, Steve Hideg wrote:

> Folks,
>
> I've discovered an interesting bug in the netreg 1.2 code. I don't
> know if this has already been discussed or addressed, but I'll
> proceed to explain it below.
>
> In the subroutine get_input, there's the following line:
>
> $value =~ tr/+/ /;
>
> This line is part of some cleanup code to undo the conversion web
> browsers do to handle spaces in URLs. Web browsers change all spaces
> to "+" characters, and this line converts them back to spaces.
>
> I've run across a couple of instances where users had a "+" character
> in their passwords. The result is a modification of their password to
> include a space instead of "+", and authentication failure.
>
> To repair this, I've replaced the above line with the following:
>
> if($name ne 'pass')
> {$value =~ tr/+/ /;}
>
> This will undo the browser conversion on every parameter except the
> password parameter.
>
> Again, I don't know if this is an issue for anyone, or if it has been
> addressed already, but this is my solution.
>
> ++Steve
>
> _________________________________________________________________________
> Steve Hideg
> Technical Support Specialist, Saint Mary's College, Notre Dame IN
> <hideg@saintmarys.edu>
> _________________________________________________________________________
> "That's the sort of thing up with which we must not put." --W. Churchill
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
>

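An added example, not part of the original thread and not NetReg's code: a form-body parser that translates "+" to a space before expanding %XX escapes, next to one that does it in the opposite order. It assumes the password corruption described above comes from the tr running after %XX expansion (the thread does not show the rest of get_input); the sub names and the sample body are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one urlencoded component in the order the format requires:
# '+' means space only while the text is still encoded, so translate it
# first, then expand %XX escapes (a literal '+' arrives as %2B).
sub decode_component {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Assumed faulty order (hypothetical, not NetReg's code): expand %XX first,
# then translate '+'. A decoded %2B is now indistinguishable from a space.
sub decode_component_wrong_order {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    $s =~ tr/+/ /;
    return $s;
}

# Split a form body into name/value pairs using the given decoder.
sub parse_form {
    my ($body, $decode) = @_;
    my %form;
    for my $pair (split /[&;]/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        $form{ $decode->($name) } = $decode->($value);
    }
    return \%form;
}

# Constructed sample body: the password "p+ss w0rd" as a browser encodes it.
my $body = 'user=jdoe&pass=p%2Bss+w0rd';

my $good = parse_form($body, \&decode_component);
my $bad  = parse_form($body, \&decode_component_wrong_order);

printf "correct order: [%s]\n", $good->{pass};
printf "wrong order:   [%s]\n", $bad->{pass};
```

With the translate-then-expand order no per-field exception is needed, and a password containing a space round-trips as well as one containing "+".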



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:36 CDT