Improve handling of htpasswd file
Reported by: anonymous
Owned by: Ryan J Ollos
Extra entries and comments in htpasswd and htdigest files are ignored.
As explained in this pull request (https://github.com/edgewall/trac/pull/7), the handling of htpasswd files for HTTP Basic Auth in tracd is not very robust. In particular, it cannot handle basic formatting that other tools (notably apache and nginx) can handle — and it fails in ways that could allow logins that are not intended to be valid. It does not handle comment lines, so logins that are intended to be commented out are just logins with a `#` prefixed. Also, if more than just the login name and password are provided, the entire line is printed to the log, exposing passwords. This breaks compatibility with other tools like dokuwiki, which uses more fields.

The fix is fairly simple: remove everything after a `#`, and ignore all but the first two components of any line that remains.
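The parsing rule from the ticket description, written out as an added example (this is not Trac's own code and not the code from the linked pull request). It places a deliberately fragile reader, a hypothetical sketch of the behaviour the ticket complains about, beside a reader that strips comments, keeps only the first two fields, and logs positions rather than line contents. The htpasswd content is constructed for the example and its hashes are placeholders, not real credentials.

```python
# Added example, not Trac's own code: an htpasswd reader implementing the
# fix the ticket describes (strip '#' comments, keep only user and hash,
# never write a raw line to the log), next to a fragile one for contrast.
import logging
from typing import Dict

log = logging.getLogger(__name__)

# Constructed sample file. Hash values are placeholders in the usual
# htpasswd formats (apr1, {SHA}, bcrypt); none of them is a real credential.
SAMPLE_HTPASSWD = """\
# site users -- lines starting with '#' are comments
alice:$apr1$saltsalt$fakeHashValueForAlice1:Alice Example:alice@example.org
#bob:$apr1$saltsalt$fakeHashValueForBobXXX
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=   # trailing comment
justausername
dave:$2y$05$fakebcryptsaltfakebcrypthashvalue0000000000000000000

"""


def naive_parse(text: str) -> Dict[str, str]:
    """Hypothetical sketch of the fragile behaviour described in the ticket:
    no comment handling, exactly two fields expected, and on any surplus
    field the whole line (hash included) is written to the log."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            user, pwhash = line.split(":")
        except ValueError:
            log.warning("bad htpasswd line: %s", line)  # leaks hash material
            continue
        users[user] = pwhash  # "#bob" becomes a valid login name here
    return users


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Robust reader: returns {username: password_hash}.

    Rules (from the ticket): drop everything from the first '#' onward,
    then keep only the first two ':'-separated fields of what remains.
    """
    users: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # 1. Remove whole-line and trailing comments. Safe for hashes:
        #    crypt, apr1, {SHA} (base64) and bcrypt alphabets have no '#'.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        # 2. Extra fields (real name, e-mail, groups, as DokuWiki stores
        #    them) are ignored rather than treated as part of the hash.
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            # Report the position only; the content may hold hash material.
            log.warning("htpasswd line %d: malformed entry ignored", lineno)
            continue
        user, pwhash = fields[0], fields[1]
        if user in users:
            # First entry wins (assumed policy); later duplicates are noted.
            log.warning("htpasswd line %d: duplicate user %r ignored", lineno, user)
            continue
        users[user] = pwhash
    return users


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("naive :", sorted(naive_parse(SAMPLE_HTPASSWD)))
    print("robust:", sorted(parse_htpasswd(SAMPLE_HTPASSWD)))
```

Run on the sample, the fragile reader accepts `#bob` as a login name, stores `carol`'s hash with the trailing comment glued on (so her real password can never match), drops `alice` entirely because of her extra fields, and logs her full line. The robust reader returns exactly `alice`, `carol` and `dave` with clean hashes and reports only line numbers for the malformed `justausername` entry.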
Change History (6)
comment:4 by , 3 years ago
Keywords: htpasswd authentication added
Status: new → assigned