Opened 13 years ago
Closed 13 years ago
#119 closed defect (invalid)
http auth accepts any password with correct prefix
| Reported by: | Martin Loehnertz | Owned by: | somebody |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.0.x |
| Keywords: | | Cc: | |
| uname -a: | Linux xxxx 2.6.32-6-pve #1 SMP Fri Nov 4 06:54:05 CET 2011 i686 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.0.12 built by gcc 4.4.5 (Debian 4.4.5-8) TLS SNI support enabled configure arguments: --without-http_fastcgi_module --without-http_geo_module --without-http_memcached_module --without-http_scgi_module --without-http_uwsgi_module --with-http_ssl_module --with-ipv6 --user=www-data --group=www-data --without-http_limit_zone_module --without-http_referer_module --without-http_split_clients_module --without-http_ssi_module | | |
Description
HTTP auth accepts any additional suffix to the correct password.
So if the password is "password", then "passwordfoobar" is accepted too.
The 8-char password length limit is in the traditional DES crypt(3) scheme; nginx has nothing to do with it. You are free to use any crypt(3) scheme as supported by your OS, as well as Apache's md5 variant ($apr1$) and {SSHA} as supported in nginx 1.0.3+. Anything except the traditional DES scheme shouldn't have this limit.
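The reporter's password is exactly 8 characters, which is why every suffix is accepted: traditional DES crypt(3) only ever looks at the first 8. The following is an added example, not code from nginx or from the ticket participants, that a defender can run over an htpasswd file to find entries whose hash scheme has that truncation, and that shows the {SSHA} scheme (base64 of SHA1(password || salt) followed by the salt) rejecting the same over-long password. It assumes the usual `user:hash` line layout; the sample file is constructed for the example, and the 13-character DES-shaped value and the $apr1$ value in it are shape-only placeholders, not real hashes of any password.

```python
import base64
import hashlib
import hmac
import re

# Traditional DES crypt(3) output: 13 characters from the ./0-9A-Za-z alphabet, no "$" prefix.
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify_entry(hash_field):
    """Name the scheme an htpasswd hash field uses and say whether 8-char truncation applies."""
    if hash_field.startswith("$apr1$"):
        return "apr1 (Apache MD5 crypt): full password is checked"
    if hash_field.startswith("{SSHA}"):
        return "SSHA (salted SHA-1): full password is checked"
    if hash_field.startswith("$"):
        # Modular crypt(3) formats such as $5$ / $6$ carry their scheme id between the first "$"s.
        scheme_id = hash_field.split("$")[1]
        return "crypt(3) scheme $%s$: full password is checked" % scheme_id
    if DES_CRYPT_RE.fullmatch(hash_field):
        return "traditional DES crypt(3): only the first 8 password characters are checked"
    return "unknown scheme"


def make_ssha(password, salt):
    """Build an {SSHA} field: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(hash_field, password):
    """Check a candidate password against an {SSHA} field using a constant-time compare."""
    if not hash_field.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} field")
    raw = base64.b64decode(hash_field[len("{SSHA}"):])
    stored_digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


def lint_htpasswd(text):
    """Return (user, classification) for every entry; blank lines and comments are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        findings.append((user, classify_entry(hash_field)))
    return findings


# Constructed sample htpasswd file for this example (not from the ticket).
# "legacy" and "apache" carry placeholder values of the right shape only;
# "modern" is a real {SSHA} entry for the password "password" with a fixed salt.
SAMPLE_HTPASSWD = "\n".join([
    "# users for a test vhost",
    "legacy:abJnggxhB/yWI",
    "apache:$apr1$saltsalt$AbCdEfGhIjKlMnOpQrStUv",
    "modern:" + make_ssha("password", b"saltsalt"),
])


if __name__ == "__main__":
    for user, finding in lint_htpasswd(SAMPLE_HTPASSWD):
        print("%-8s %s" % (user, finding))
    entry = make_ssha("password", b"saltsalt")
    print("SSHA accepts 'password':      ", verify_ssha(entry, "password"))
    print("SSHA accepts 'passwordfoobar':", verify_ssha(entry, "passwordfoobar"))
```

Running it lists the "legacy" user as the only DES-crypt entry and shows the {SSHA} entry accepting "password" but rejecting "passwordfoobar"; regenerating flagged entries with $apr1$, {SSHA} or a modular crypt(3) scheme is the fix the comment above points to.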