PerlMonks  

Weird crypt Behavior

by Dr. Mu (Hermit)
on Sep 17, 2002 at 19:52 UTC
Dr. Mu has asked for the wisdom of the Perl Monks concerning the following question:

A cgi script on my local mirror, which has worked flawlessly in the past (and continues to work on a remote host), is suddenly failing to verify passwords. I've traced it to a problem with crypt, viz:
perl -e "print crypt('abcdef', 'uvwxyz')"
uv...........
In every instance, I get the same result: the first two characters of the salt, followed by a string of periods. I've tried this with both 5.6.0 (as provided by Redhat for their Linux 7.0), as well as ActivePerl 5.6.1 on the same Linux box. Both give the same results. I've also updated glibc, thinking that libcrypt.so might have been broken, but to no avail.

I must be overlooking something simple, but it's got me flummoxed. Has anyone else experienced this behavior?

Thanks!

Re: Weird crypt Behavior
by fglock (Vicar) on Sep 17, 2002 at 19:59 UTC

    perldoc -f crypt says:

    Encrypts a string exactly like the crypt(3) function in the C library (assuming that you actually have a version there that has not been extirpated as a potential munition).

    Hasn't yours been extirpated?

    Maybe perl -V can tell you. Look for the -lcrypt string.

Re: Weird crypt Behavior
by sauoq (Abbot) on Sep 17, 2002 at 20:11 UTC

    That should be fine. It produces "uv1o844x44bz." using 5.6.1 on Solaris 8.

    First, I'd try with a two character salt (though, that shouldn't make a difference.)

    Secondly, I'd try a minimal C program to be sure it works as expected:

    #define _XOPEN_SOURCE   /* declares crypt(3) in <unistd.h>; link with -lcrypt */
    #include <stdio.h>
    #include <unistd.h>

    int main(void) {
        char *salt = "uv";
        char *pass = "abcdef";
        printf("%s\n", crypt(pass, salt));
        return 0;
    }

    You say that it "has worked flawlessly in the past (and continues to work on a remote host)" so I have to ask: has anything changed recently on the box it is failing on?

    -sauoq
    "My two cents aren't worth a dime.";
    
      What's changed? The addition of and defaulting to ActiveState Perl. My assertion that the problem also occurred under {the Redhat-supplied} 5.6.0 was mistaken, due to some $PATH mangling and the wrong symbolic link being referenced. It's the ActivePerl {5.6.1, build 633} that's the problem. This behavior is quite disturbing, too. If their crypt function were used by the unwary to create a password file (which I nearly did), any password subsequently entered during authentication would match -- a clear security breach! And the programmer wouldn't have a clue that anything was amiss without looking at the encrypted password file.

      Before posting this, I called ActiveState to give them a chance to comment. I was informed that this was a known bug, discovered only in the past couple days.

      Update (18 Sep 02): Added braced text for clarification. I haven't used ActiveState's 5.6.0 or other builds of 5.6.1, so I don't know if they had the same problem.

        Thanks. In fact, it was discovered internally only yesterday and fixed.

        The problem is that ActivePerl uses the crypt_r() function which needs a buffer to work with, and that argument requires one of its fields to be nulled. ActivePerl allocates this buffer on the stack, so the said field may be non-null.

        The following patch has been checked in:

        --- ./pp.c.~1~ Tue Sep 17 14:17:07 2002 +++ ./pp.c Tue Sep 17 14:17:07 2002 @@ -2347,6 +2347,7 @@ # if defined(__linux__) # include <crypt.h> struct crypt_data c_data; + c_data.initialized = 0; # define crypt(k,s) crypt_r(k,s,&c_data) # endif #endif End of Patch.
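        Review bot: setting `c_data.initialized = 0;` as a separate statement right after the declaration does satisfy glibc's crypt_r(), which requires that field to be zero before the first call, but it leaves every other field of the stack-allocated struct indeterminate and, if any further declarations follow in that block, puts a statement ahead of them, which C89 compilers reject. Zero-initialising at the declaration, `struct crypt_data c_data = {0};` (or a memset of the whole struct), covers all fields in one step and keeps the block C89-clean. Separately, the `# if defined(__linux__)` guard selects a glibc extension by operating system rather than by C library: a Linux build against a libc without <crypt.h> and crypt_r() would fail here, so a configure-time probe for crypt_r would be the sturdier condition.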

        There should be a new release out for Linux ASAP.
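The following Perl script is an added example, not code from this thread, from ActiveState or from the affected ActivePerl build. It makes Dr. Mu's point above concrete: if crypt() hands back the same 13-character string for every password, the usual check `crypt($candidate, $stored) eq $stored` succeeds for any candidate, and nothing in the login path complains. The `broken_crypt` function is a hypothetical stand-in constructed here to reproduce the "salt plus periods" output deterministically; the self-test in `crypt_problems` is the kind of start-up check a script could run against the real builtin before trusting it to create or verify a password file.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from ActiveState. It
# demonstrates the failure described above: a crypt() that returns
# the same 13-character string for every password makes every login
# succeed, and nothing in the authentication path reports it.
use strict;
use warnings;

# Hypothetical stand-in for the misbehaving ActivePerl 5.6.1 crypt():
# the first two salt characters followed by eleven periods, whatever
# the password was. Constructed here so the failure is reproducible.
sub broken_crypt {
    my ($plain, $salt) = @_;
    return substr($salt, 0, 2) . ('.' x 11);
}

# Traditional DES-crypt check: re-hash the candidate with the stored
# hash as the salt (crypt(3) uses only its first two characters) and
# compare. With a constant-output crypt() this is always true.
sub verify {
    my ($crypt_fn, $plain, $stored) = @_;
    my $h = $crypt_fn->($plain, $stored);
    return (defined $h && $h eq $stored) ? 1 : 0;
}

# Self-test a crypt implementation before trusting it to build or
# check a password file. Returns a list of problems; empty is good.
sub crypt_problems {
    my ($crypt_fn) = @_;
    my $salt = 'uv';
    my $h1 = $crypt_fn->('abcdef', $salt);
    my $h2 = $crypt_fn->('ghijkl', $salt);
    defined $h1 or $h1 = '';
    defined $h2 or $h2 = '';
    my @problems;
    push @problems, 'hash is not 13 characters'
        unless length($h1) == 13;
    push @problems, 'hash does not begin with the salt'
        unless substr($h1, 0, 2) eq $salt;
    push @problems, 'hash body is all periods'
        if $h1 =~ /^..\.{11}\z/;
    push @problems, 'two different passwords hash identically'
        if $h1 eq $h2;
    push @problems, 'a wrong password verifies against a stored hash'
        if verify($crypt_fn, 'ghijkl', $h1);
    return @problems;
}

sub main {
    my %impl = (
        'builtin crypt()' => sub { crypt($_[0], $_[1]) },
        'broken_crypt()'  => \&broken_crypt,
    );
    for my $name (sort keys %impl) {
        my @p = crypt_problems($impl{$name});
        if (@p) {
            print "$name: UNSAFE for authentication\n";
            print "  - $_\n" for @p;
        } else {
            print "$name: looks sane\n";
        }
    }
    # The breach itself: a hash built with the broken function accepts
    # any password at login time.
    my $stored = broken_crypt('abcdef', 'uv');
    printf "broken_crypt(): stored %s, 'wrong-password' verifies => %s\n",
        $stored, verify(\&broken_crypt, 'wrong-password', $stored) ? 'yes' : 'no';
}

main();
```

On a perl with a working crypt(3) the builtin passes all five checks and `broken_crypt()` fails four of them. If the platform's libc has had DES crypt removed, the builtin fails the length check too, which is the correct outcome for a test whose purpose is to refuse to build a password file on a crypt() it cannot vouch for.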

Node Type: perlquestion [id://198611]
Approved by broquaint
Front-paged by derby