<em>not</em> be within the Web server's URI space -- that is, they should
not be fetchable with a browser.</p>
+ <p>This program is not safe as a setuid executable. Do <em>not</em> make it
+ setuid.</p>
+
<p>The use of the <code>-b</code> option is discouraged, since when it is
used the unencrypted password appears on the command line.</p>
+
+ <p>When using the <code>crypt()</code> algorithm, note that only the first
+ 8 characters of the password are used to form the password. If the supplied
+ password is longer, the extra characters will be silently discarded.</p>
+
+ <p>The SHA encryption format does not use salting: for a given password,
+ there is only one encrypted representation. The <code>crypt()</code> and
+ MD5 formats permute the representation by prepending a random salt string,
+ to make dictionary attacks against the passwords more difficult.</p>
</section>
<section id="restrictions"><title>Restrictions</title>
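Review bot: In the added crypt() paragraph, "only the first 8 characters of the password are used to form the password" is circular and hides the security consequence. Suggest "are used to form the encrypted representation" (the term the SHA paragraph already uses), and say outright that two passwords sharing their first 8 characters are treated as the same password. In the added SHA paragraph, the text explains that the format is unsalted but stops short of telling the reader what to do with that fact. The -b paragraph just above uses "discouraged", and a similar explicit statement of preference for the salted formats would make the note actionable. Calling SHA an "encryption format" is also loose, since the output is a one-way digest; "SHA format" or "SHA digest format" would be more accurate. The setuid warning reads fine as written.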