URL: <http://gna.org/bugs/?18261>
Summary: Does setting a new password with --Newusers actually work?
Project: Freeciv
Submitted by: jtn
Submitted on: Tue Jun 21 22:59:27 2011
Category: general
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
Release:
Discussion Lock: Any
Operating System: None
Planned Release:
_______________________________________________________
Details:
In servers with authentication, the --Newusers option is supposed to allow
new users to register and set a password.

In S2_3 and trunk, the password appears to go over the network in plaintext
and is stored in the auth database as an MD5 sum.

However, while I can find code which MD5s an incoming password before
comparing to the stored database field for an existing user (in
auth_check_password()), I can't find the corresponding MD5 of the incoming new
password before putting it into the database.

In S2_3 we have in auth_db_save():

  /* insert new user into table. we insert the following things: name
   * md5sum of the password, the creation time in seconds, the accesstime
   * also in seconds from 1970, the users address (twice) and the logincount
   */
  str_result = fc_snprintf(buffer, bufsize,
                           "insert into %s values "
                           "(NULL, '%s', md5('%s'), NULL, "
                           "unix_timestamp(), unix_timestamp(),"
                           "'%s', '%s', 0)",
                           auth_config.table.value, name_buffer, pw_buffer,
                           pconn->server.ipaddr, pconn->server.ipaddr);

So the comment thinks pw_buffer is hashed. But there's no code nearby to MD5
pw_buffer. In handle_authentication_reply(), it was copied into
pconn->server.password; I think it should have been MD5'd at this point (I
think pconn->server.password should always be the hashed version).

If I'm right, I think that the effect is that the new user can get in the
first time, but every time they try to reconnect after that, the MD5 hash of
the password they supply is compared to the un-MD5'd version in the database,
and they are always rejected.

I haven't yet tested this, as I don't have a database set up yet. Are there
any running servers out there that run in this configuration? (Obviously
servers which pre-register users by other means can avoid this.)

Have I missed something?
_______________________________________________
Freeciv-dev mailing list
https://mail.gna.org/listinfo/freeciv-dev
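
Added example (not from the bug report or the Freeciv source): a register-then-login round-trip check of the kind the report says has not been run yet. It uses in-memory SQLite with a registered md5() function as a stand-in for the MySQL auth table; the two-column table, the function names and the sample password are assumptions. It compares hashing inside the insert's SQL, no hashing at all, and hashing both before and inside the insert.

```python
import hashlib
import hmac
import sqlite3


def md5_hex(text):
    """Hex MD5 digest of a string, the format MySQL's md5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def open_db():
    """In-memory SQLite standing in for the MySQL auth table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5_hex)  # SQLite has no built-in md5()
    db.execute("CREATE TABLE auth (name TEXT PRIMARY KEY, password TEXT)")
    return db


def register(db, name, password, hash_in_sql=True):
    """Store a new user. hash_in_sql=True mirrors the md5('%s') in the quoted
    insert statement; False stores the value exactly as received."""
    sql = ("INSERT INTO auth VALUES (?, md5(?))" if hash_in_sql
           else "INSERT INTO auth VALUES (?, ?)")
    db.execute(sql, (name, password))


def check_password(db, name, password):
    """Login path as the report describes auth_check_password(): hash the
    incoming password, then compare it with the stored field."""
    row = db.execute("SELECT password FROM auth WHERE name = ?",
                     (name,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0].encode("utf-8"), md5_hex(password).encode("utf-8"))


def round_trip(hash_in_sql, prehash=False):
    """Register, then log in with the same password. True if accepted.
    prehash=True hashes the password before it reaches register()."""
    db = open_db()
    pw = "constructed-sample-pw"  # constructed sample value
    register(db, "alice", md5_hex(pw) if prehash else pw, hash_in_sql)
    return check_password(db, "alice", pw)


if __name__ == "__main__":
    print("hashed once, in SQL:      ", round_trip(True))
    print("never hashed on insert:   ", round_trip(False))
    print("hashed by caller and SQL: ", round_trip(True, prehash=True))
```

Login succeeds only when the stored value has been hashed exactly once, so a check like this catches both a missing hash and a double hash on the registration path.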