Item1780: Under Windows using sha1 passwords new registrations create non working password
Priority: Urgent
Current State: Closed
Released In: 1.0.7
Target Release: patch
Applies To: Engine
Component:
Branches:
Some change to the way sha1 passwords are encoded was added in one of the CSRF feature checkins and it seems this code has not been tested enough.
The consequence is that under 1.0.6 new users in a Windows native installation will not be able to log in. They will get a password mismatch.
The problem is that the code was simplified, but the simpler code requires that you manually suffix the encrypted string with a '='. The documentation actually says that.
This is a critical error that means I have to release a 1.0.7 within a few days.
FIX
You can easily edit a file by hand. It is one code line that needs to change.
Below is the patch
--- branches/Release01x00/core/lib/Foswiki/Users/HtPasswdUser.pm 2009-06-30 21:47:43 UTC (rev 4331)
+++ branches/Release01x00/core/lib/Foswiki/Users/HtPasswdUser.pm 2009-06-30 22:47:26 UTC (rev 4332)
@@ -167,7 +167,7 @@
if ( $Foswiki::cfg{Htpasswd}{Encoding} eq 'sha1' ) {
my $encodedPassword =
- '{SHA}' . Digest::SHA::sha1_base64($passwd);
+ '{SHA}' . Digest::SHA::sha1_base64($passwd) . '=';
# don't use chomp, it relies on $/
$encodedPassword =~ s/\s+$//;
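Review bot: the added line hard-codes '=' with no comment saying why, which leaves it open to being "simplified" away again. Digest::SHA's sha1_base64 returns unpadded base64, and a 20-byte SHA-1 digest always needs exactly one '=' of padding, so a one-line comment stating that belongs next to the concatenation. Also note that with '=' now the last character of the string, the s/\s+$// on the following line can no longer match anything, so it and the chomp comment above it could be dropped in the same change.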
So all you need to do is go to
lib/Foswiki/Users/HtPasswdUser.pm
Find the line
'{SHA}' . Digest::SHA::sha1_base64($passwd);
and change it to
'{SHA}' . Digest::SHA::sha1_base64($passwd) . '=';
Already registered users with the problem are easy to fix.
Look in the
data/.htpasswd
file for any entries where the characters before the email address are not
=:
and add the missing =
--
KennethLavrsen - 30 Jun 2009
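
The hand repair of data/.htpasswd described above can be scripted. The following is an added example, not part of the original report or of Foswiki's code; the `login:{SHA}hash:email` line layout is an assumption inferred from the description, `repair_line` is a hypothetical helper, and the sample entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_base64);

# Repair one .htpasswd line. Assumed layout (inferred from the report):
#   login:{SHA}<base64 digest>:email
# A SHA-1 digest is 20 bytes, so its base64 form is 27 characters plus
# exactly one '=' of padding. Entries written by the broken code have
# the 27 characters but no '='.
sub repair_line {
    my ($line) = @_;
    my ( $login, $hash, @rest ) = split /:/, $line, -1;
    return $line unless defined $hash;    # no ':' at all, leave untouched

    # Only touch {SHA} entries that are exactly one pad character short;
    # correctly padded and non-SHA (e.g. crypt) entries pass through.
    if ( $hash =~ m/^\{SHA\}[A-Za-z0-9+\/]{27}$/ ) {
        $hash .= '=';
    }
    return join ':', $login, $hash, @rest;
}

# Constructed sample entries (not real accounts).
my @sample = (
    'GoodUser:{SHA}' . sha1_base64('constructed-pw-1') . '=:good@example.com',
    'BrokenUser:{SHA}' . sha1_base64('constructed-pw-2') . ':broken@example.com',
    'CryptUser:abJnggxhB/yWI:crypt@example.com',
);

for my $line (@sample) {
    my $fixed = repair_line($line);
    printf "%-9s %s\n", ( $fixed eq $line ? 'unchanged' : 'repaired' ), $fixed;
}
```

To use it on a real installation, run `repair_line` over each chomped line of a copy of data/.htpasswd and compare the result with the original before replacing the file.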