# HG changeset patch
# User Pascal Bellard
# Date 1322772815 -3600
# Node ID 8acb236117995e229924fa59d74b59fbf0b07057
# Parent e5421dd582ff36de8ceb96271c4c3c9a002424d1
busybox/httpd: add support for system passwords (again)
diff -r e5421dd582ff -r 8acb23611799 busybox/stuff/busybox-1.18-httpd.u
--- a/busybox/stuff/busybox-1.18-httpd.u Thu Dec 01 11:38:36 2011 +0100
+++ b/busybox/stuff/busybox-1.18-httpd.u Thu Dec 01 21:53:35 2011 +0100
@@ -107,7 +107,7 @@
 + char *colon_after_user;
 + const char *passwd;
 +# if ENABLE_FEATURE_SHADOWPASSWDS && !ENABLE_PAM
-+ char buffer[256]; /* will store passwd */
++ char sp_buf[256];
 +# endif
 - md5_passwd = strchr(cur->after_colon, ':');
@@ -177,9 +177,9 @@
 + /* getspnam_r may return 0 yet set result to NULL.
 + * At least glibc 2.4 does this. Be extra paranoid here. */
 + struct spwd *result = NULL;
-+ r = getspnam_r(pw->pw_name, &spw, buffer, sizeof(buffer), &result);
++ r = getspnam_r(pw->pw_name, &spw, sp_buf, sizeof(sp_buf), &result);
 + if (r == 0 && result)
-+ passwd = result->sp_pwdp; /* note: passwd is located into buffer ! */
++ passwd = result->sp_pwdp;
 + }
 +# endif
 +# endif /* ENABLE_PAM */
@@ -210,9 +210,18 @@
 /* Comparing plaintext "user:pass" in one go */
 - if (strcmp(cur->after_colon, user_and_passwd) == 0) {
 - set_remoteuser_var:
++ r = strcmp(cur->after_colon, user_and_passwd);
 + end_check_passwd:
-+ r = strcmp(cur->after_colon, user_and_passwd);
 + if (r == 0) {
 remoteuser = xstrndup(user_and_passwd, strchrnul(user_and_passwd, ':') - user_and_passwd);
 return 1; /* Ok */
+@@ -2112,7 +2233,7 @@
+ /* Case: no "Authorization:" was seen, but page does require passwd.
+ * Check that with dummy user:pass */
+ if (authorized < 0)
+- authorized = check_user_passwd(urlcopy, ":");
++ authorized = check_user_passwd(urlcopy, (char *) "");
+ if (!authorized)
+ send_headers_and_exit(HTTP_UNAUTHORIZED);
+ #endif
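Review bot: The `passwd = result->sp_pwdp;` line in the second hunk (-177,9) loses the only comment saying that `passwd` ends up pointing into the stack buffer handed to getspnam_r(), and the rename to `sp_buf` does not make that aliasing obvious. A later edit that narrows the scope of `sp_buf` or reuses it before the password comparison would leave `passwd` dangling in an authentication path. I would keep a short note there, for example `/* passwd now points into sp_buf; keep sp_buf live until the comparison is done */`, or put it on the `char sp_buf[256];` declaration in the first hunk. The enclosing function starts and ends outside both hunks.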
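Review bot: The added call `check_user_passwd(urlcopy, (char *) "")` in the third hunk (-210,9) casts a string literal to what is evidently a non-const `char *` parameter, so any path in check_user_passwd that writes through `user_and_passwd` would be undefined behaviour on the literal. The visible lines do not write through it, but most of the function lies outside this hunk; declaring a writable dummy such as `char no_creds[] = "";` in the enclosing block and passing `no_creds` would remove that dependency. Separately, with the dummy now empty, the plaintext branch `r = strcmp(cur->after_colon, user_and_passwd);` returns 0 for a config entry whose credential text is empty, if that branch is reached for such an entry. It is worth confirming that the config parser rejects entries with empty credentials, so a request without an Authorization header cannot be treated as authorized.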