Bugzilla – Bug 11003
Password for SqueezeCenter is not checked for length and extra characters at the end of the password.
Last modified: 2009-10-05 14:37:16 UTC
Password for SqueezeCenter is not checked for length and extra characters at the end of the password. If I have a SqueezeCenter password like this example: apple, I can also use appleseed or appletalk or appleuyefuyabqwreytr. I can add "extra" letters at the end of the password and the SC web UI accepts it. I found out by mistake, adding a couple of extra characters to my existing password.
QA confirmed
Can't reproduce this. Password check is working as advertised here (XP, running from perl code and binary). Looking at the source I couldn't imagine how this could _not_ be working. What exact platform and operating system are you using? QA - could you please give me exact step-by-step instructions how you can reproduce this?
I tested on Mac OS 10.5, re-installing today's 7.3.3 build; I can no longer reproduce this error. Going back to 7.3.2, I cannot repro the error again. Mikael: can you please try the latest 7.3.3 build, then reply.
I'm still seeing the bug with the latest 7.4. My server is a ClarkConnect 4.2:
Version: 7.4 - 24959 @ Wed Feb 11 01:00:42 PST 2009
Hostname: hal.home.lan
Server IP Address: 192.168.1.5
Server HTTP Port Number: 9000
Operating system: Red Hat - EN - utf8
Platform Architecture: i686-linux
Perl Version: 5.8.8 - i686-linux-thread-multi
MySQL Version: 4.1.20
Total Players Recognized: 3
I'm accessing the web UI via Firefox 3 from my Ubuntu desktop. And it is still possible to append whatever junk characters after my password.
Can you attach a screen shot of the security settings for me?
Created attachment 4793 [details] Screenshot as required
Screen shot of security settings? Not much of interest to be seen.
Thanks, wanted to verify that is how I was setting it as well. Using FF 3.0.6 with SC 7.4 r24959 on Ubuntu 8.04 Hardy Heron I am unable to reproduce this. I am using MySQL V 5.0.51a, do you think that may be a factor here?
Ok. My browser is also on an Ubuntu 8.04 machine, but the server is on another machine: a ClarkConnect 4.2 (Red Hat) server. I don't know a thing about MySQL. I can see that I have an older version on my server.
This seems to be a limitation in Perl's crypt() function we're using for the password. It only uses the first 11 bytes (though this doesn't explain the failure with "apple"). We should move to using sha1 instead.
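As an added illustration of the defect and the fix discussed above (not SqueezeCenter's own code): a small verifier that models a prefix-truncating legacy hash beside a whole-password SHA-1 scheme, with the suffix check QA used to reproduce the report and a re-hash-on-login migration for accounts that never change their password. The `legacy$`/`sha1$` storage format and the salt handling are my assumptions; the 8-character limit is that of traditional DES-based crypt(), modelled here with SHA-1 so the code runs anywhere.

```python
import hashlib
import hmac
import os

# Traditional DES crypt() keys on at most the first 8 characters of the
# password, so every password sharing that prefix verifies. Modelled here
# with SHA-1 over the truncated prefix (assumption: real crypt() output differs).
LEGACY_PREFIX_LEN = 8


def legacy_hash(password: str, salt: str) -> str:
    truncated = password[:LEGACY_PREFIX_LEN]
    digest = hashlib.sha1((salt + truncated).encode("utf-8")).hexdigest()
    return "legacy$" + salt + "$" + digest


def sha1_hash(password: str, salt: str) -> str:
    # Whole password goes into the hash, as in the "use sha1" change;
    # salting and the stored format are assumptions of this example.
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return "sha1$" + salt + "$" + digest


def verify(stored: str, password: str) -> bool:
    parts = stored.split("$", 2)
    if len(parts) != 3:
        return False
    scheme, salt, _digest = parts
    if scheme == "legacy":
        candidate = legacy_hash(password, salt)
    elif scheme == "sha1":
        candidate = sha1_hash(password, salt)
    else:
        return False
    # Constant-time comparison of the full stored string.
    return hmac.compare_digest(candidate, stored)


def verify_and_migrate(stored: str, password: str):
    """Return (ok, new_stored). The server only re-hashed when the user changed
    the password, so untouched accounts kept the weak hash; re-hashing on a
    successful login closes that gap without user action."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("legacy$"):
        return True, sha1_hash(password, os.urandom(8).hex())
    return True, stored


def accepts_suffix_junk(stored: str, password: str) -> bool:
    """Regression check from the report: does password + extra characters verify?"""
    suffixes = ("seed", "talk", "uyefuyabqwreytr")  # constructed from the report
    return any(verify(stored, password + junk) for junk in suffixes)
```

Note that a 5-character password such as "apple" is not affected by the truncation model, because appending characters changes the hashed prefix; an 8-character password is, which matches the reporter's later remark about the length of their real password.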
apple is not my real password; I won't hand it out here as this can be read by everyone. And I sometimes open ports and use stream.mp3. My real pass is 8 letters long (I know it will be longer next upgrade ;-) ).
change 24990 - use sha1 instead of crypt to encrypt password
Hmm. When will this fix reach a nightly? I have Version: 7.4 - 25163 @ Wed Feb 25 01:01:23 PST 2009 and it's still the same?
Did you change your password once while testing? It's only migrated to the new encryption if you change it.
Ok, that was it then :-) You have also cured another thing: the old implementation was behaving very strangely when applying or changing the password; you often had to force quit the browser, the password dialogue popped up all the time, etc.
This bug has been marked as fixed in the 7.4.0 release version of SqueezeBox Server!
* SqueezeCenter: 28672
* Squeezebox 2 and 3: 130
* Transporter: 80
* Receiver: 65
* Boom: 50
* Controller: 7790
* Radio: 7790
Please see the Release Notes for all the details: http://wiki.slimdevices.com/index.php/Release_Notes
If you haven't already, please download and install the new version from http://www.logitechsqueezebox.com/support/download-squeezebox-server.html
If you are still experiencing this problem, feel free to reopen the bug with your new comments and we'll have another look.