[Webkit-unassigned] [Bug 170055] htdigestparser fails out early when malformed entries are found

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 24 10:11:41 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=170055

--- Comment #10 from Carlos Alberto Lopez Perez <clopez at igalia.com> ---
(In reply to Carlos Alberto Lopez Perez from comment #8)

> I think it is worse from a security point of view to go ahead and try to
> authenticate against a hash that is clearly not an MD5 one (>32 chars or
> non-alphanumeric) when you know it should be an MD5, than to filter that entry
> and ignore it.


Forget that.
Current behaviour is to disable auth (no one can use the system) if only one entry is wrong, which is what is happening.

Can't argue about the security of that: it's very secure.
But it is also very unusable or impractical: it causes the system to not work.

No idea what caused those wrong entries in the digest file, but the only options I see here are:

 * Be forgiving with those entries
 * Clean the digest file

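The two options listed in the comment, as an added example (not part of the original message and not WebKit's htdigestparser code): a parser that skips and reports malformed entries instead of disabling auth, plus a helper that cleans the file. It assumes the standard htdigest `user:realm:hash` line format with a 32-hex-digit MD5; the function names and sample data are constructed for illustration.

```python
import re

# Assumption: htdigest lines are "user:realm:hash", hash = 32 hex digits (MD5).
_MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample file: lines 2-4 are malformed in different ways.
SAMPLE = (
    "alice:example realm:0123456789abcdef0123456789abcdef\n"
    "bob:example realm:0123456789abcdef0123456789abcdef00\n"  # too long
    "carol:example realm:not-a-hash!\n"                       # not hex
    "dave:example realm\n"                                    # missing field
    "erin:example realm:ABCDEF0123456789ABCDEF0123456789\n"
)

def parse_htdigest(text, strict=False):
    """Return (entries, rejected).

    entries  -- dict mapping (user, realm) to the lowercase hash
    rejected -- list of (line_number, reason); the hash itself is never
                included, so the report is safe to write to a log
    strict=True reproduces the fail-closed behaviour described above:
    a single malformed line leaves no usable entries.
    """
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            rejected.append((lineno, "expected 3 colon-separated fields"))
        elif not fields[0] or not fields[1]:
            rejected.append((lineno, "empty user or realm"))
        elif not _MD5_HEX.fullmatch(fields[2]):
            rejected.append((lineno, "hash is not 32 hex digits"))
        else:
            entries[(fields[0], fields[1])] = fields[2].lower()
    if strict and rejected:
        return {}, rejected
    return entries, rejected

def clean_htdigest(text):
    """Return the file content with malformed lines dropped."""
    bad = {lineno for lineno, _ in parse_htdigest(text)[1]}
    lines = text.splitlines(keepends=True)
    return "".join(l for n, l in enumerate(lines, 1) if n not in bad)
```

In the tolerant mode a malformed entry can never be matched during authentication, because it is never loaded; only the well-formed users remain able to log in.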