Apache-Htpasswd reviews


Apache-Htpasswd (1.8) *****

Lets me update and use .htaccess files. Trez useful. Does what it says on the tin.

Apache-Htpasswd (1.7) ***

This module works: it is easy to use it to manipulate a .htpasswd file, adding and deleting entries and changing passwords.

But I am concerned by the author's attitudes to security and to his users. It is good that there is a feature for unconditionally changing a password, and also good that there is one for only changing the password if the previous password is provided. But it was a daft design that conflated these things such that trying to do the latter would always succeed if the user supplied the 'password' "1" -- especially since these 2 features are documented as separate items in the list of functions, so it isn't immediately obvious that they are actually the same function but invoked slightly differently.

In fact the password changing would always succeed if any single digit was given as the previous password. Somebody (not me) usefully added this information on AnnoCpan, and highlighted that programmers should check for this case to avoid a security risk. The module author responded with the ludicrous claim "If the above issue is exploitable, it's because of bad CGI programming, not the module."

He added: "Also, that interface will be changed Real Soon Now anyways" (which seems a touch defensive, and rather undermines his case that the module's interface wasn't a problem). He did indeed fix this problem within a few hours (version 1.70), which is excellent.

Doing so involved making a backwards incompatible interface change. That is inevitable (to distinguish between the 2 conflated features), and I'm glad the change was made, but it's still unfortunate: the security hole is fixed for the 'checking' feature, but all code wanting the 'unconditional' feature (and which could've been working since 1998) is suddenly broken when using the latest version of this module.

The distribution does not follow the convention of listing changes in a separate file, but instead puts them at the end of the main pod. The entry for 1.70 is "Handle SHA1 and plaintext. Also change the interface for allowing change of password without first checking old password. IF YOU DON'T READ THE DOCS AND SEE I DID THIS DON'T EMAIL ME!"

Note the lack of reason for the change, the lack of note warning that using previous versions has a security risk, the lack of apology for the change (or for the vulnerability, for that matter) -- and the implication that the module author is free to change any interface at any time and that if this breaks things it's the module users' fault; without the context for this change it looks like it was just made on the author's whim.

We're continuing to use this module (it does work!), but making sure we watch it more closely than we do with most Cpan modules.
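The design flaw the second review describes (one routine serving both "change the password unconditionally" and "change it only if the old one is supplied", selected by what the third argument looks like) is worth seeing side by side with the separated interface that replaced it. The following is an added Python example written for this page, not code from Apache-Htpasswd or its author: the in-memory `HtpasswdStore`, its salted-SHA-256 entries and the `change_conflated` routine are a hypothetical reconstruction of the behaviour the review reports (any single-digit "old password" skipping the check), not the module's actual implementation, which the page does not show.

```python
import hashlib
import hmac
import re
import secrets


class HtpasswdStore:
    """Tiny in-memory stand-in for a .htpasswd file (constructed for this example).
    Entries map username -> (salt, hex digest). Real htpasswd files use
    crypt/MD5/SHA1/bcrypt; the hash scheme is irrelevant to the design point."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

    def add(self, user, password):
        """Create or overwrite an entry with a fresh random salt."""
        salt = secrets.token_hex(8)
        self._entries[user] = (salt, self._digest(salt, password))

    def check(self, user, password):
        """Constant-time comparison of the supplied password against the entry."""
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._digest(salt, password))

    # --- Conflated design (hypothetical reconstruction of what the review describes) ---
    def change_conflated(self, user, new_password, old_password_or_flag):
        """One routine serving two features: a single-digit third argument is read
        as a 'force' flag meaning 'skip the old-password check'; anything else is
        treated as the old password. Because a digit is also a valid password
        string, a caller forwarding user input cannot keep the two apart."""
        if re.fullmatch(r"\d", str(old_password_or_flag)):
            self.add(user, new_password)
            return True
        if not self.check(user, old_password_or_flag):
            return False
        self.add(user, new_password)
        return True

    # --- Separated design: two operations, no parameter with two meanings ---
    def set_password(self, user, new_password):
        """Unconditional change for administrative code paths only."""
        self.add(user, new_password)
        return True

    def change_password(self, user, old_password, new_password):
        """User-facing change: the old password is only ever a password."""
        if not self.check(user, old_password):
            return False
        self.add(user, new_password)
        return True


def demo():
    """Exercise both designs with the same input and report what happened."""
    results = {}

    store = HtpasswdStore()
    store.add("alice", "correct horse")  # constructed sample entry
    # Conflated API: the single-digit 'old password' "1" is read as the force flag.
    results["conflated_bypass"] = store.change_conflated("alice", "attacker1", "1")
    results["conflated_changed"] = store.check("alice", "attacker1")

    store = HtpasswdStore()
    store.add("alice", "correct horse")
    # Separated API: the same input is simply a wrong old password.
    results["separated_reject"] = store.change_password("alice", "1", "attacker2")
    results["separated_unchanged"] = store.check("alice", "correct horse")
    results["separated_ok"] = store.change_password("alice", "correct horse", "newpass")
    results["separated_new"] = store.check("alice", "newpass")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is that `change_password` can safely receive data straight from a web form, while `set_password` only exists on code paths the application controls; no value a user can type into the "old password" field can select the unconditional branch. That is why the module's fix had to be an interface change rather than an internal patch, and why the reviewer's complaint about unexplained breakage in 1.70 and the author's "bad CGI programming" rebuttal are really two sides of the same design question.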