Bug #2072: digest_pw_auth fails when using plaintext passwords

digest_pw_auth may crash or otherwise fail when using plaintext passwords.

Workaround (and more secure): Store Digest H(A1) hashed passwords instead.

diff --git a/helpers/digest_auth/password/text_backend.c b/helpers/digest_auth/password/text_backend.c
index 09577c09aef90b2bc30d41fc72c822a48f582bf2..78a94a885e6d9d6233e20a46e493202d46e276ce 100644 (file)
--- a/helpers/digest_auth/password/text_backend.c
+++ b/helpers/digest_auth/password/text_backend.c
@@ -99,7 +99,7 @@ read_passwd_file(const char *passwdfile, int ha1mode)
                fprintf(stderr, "digest_pw_auth: ignoring invalid password for %s\n", user);
                continue;
            }
-           u = xmalloc(sizeof(*u));
+           u = xcalloc(1, sizeof(*u));
            if (realm) {
                int len = strlen(user) + strlen(realm) + 2;
                u->hash.key = malloc(len);