Bug 40256 - please don't use hpux getpass()
Summary: please don't use hpux getpass()
Alias: None
Product: APR
Classification: Unclassified
Component: APR
Version: 1.2.7
Hardware: HP HP-UX
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache Portable Runtime bugs mailinglist
Reported: 2006-08-15 17:47 UTC by deckrider
Modified: 2006-10-10 08:33 UTC

don't use system getpass() if PASS_MAX is too small (410 bytes, patch)
2006-08-16 11:02 UTC, Joe Orton

Description deckrider 2006-08-15 17:47:18 UTC
On HP-UX B.11.23 ia64, apr 1.2.7 decides to use getpass().  This causes problems
when we use subversion, because our password system allows the password to be
longer than 8 characters.  Thus, users with passwords longer than 8 cannot use
the subversion password prompt.

I've removed the check for getpass() in the configure script, forcing apr to use
its internal implementation, and this seems to work for us.

Of course, you will probably want to allow a better way of handling this than
what I've come up with.

This seems to be related to Bug 14701 which seems to be closed before Version
1.2.7 (but perhaps I'm not reading this right), which is why I opened this report.

Here is a quote from the hpux getpass() man:

      getpass() reads up to a newline or EOF from the file /dev/tty, after
      prompting on the standard error output with the null-terminated string
      prompt and disabling echoing.  A pointer is returned to a null-
      terminated string of at most 8 characters.
Comment 1 Joe Orton 2006-08-16 11:02:21 UTC
Created attachment 18719
don't use system getpass() if PASS_MAX is too small

It was fixed only really for Solaris which will use getpassphrase() instead; I
guess HP-UX doesn't have that. Does this patch work?
Comment 2 deckrider 2006-08-17 21:32:28 UTC
The following returns nothing, so I'm mystified where PASS_MAX is set:

   cd httpd-2.2.3
   find . -type f | xargs grep PASS_MAX
Comment 3 Garrett Rooney 2006-08-17 21:39:43 UTC
Is PASS_MAX supposed to be defined by some system header?  Or does it just not
exist on hpux?
Comment 4 deckrider 2006-08-17 22:01:35 UTC
Thanks for the clue Garrett ... it is here on HP-UX B.11.23 ia64:

  /usr/include/limits.h:#  define PASS_MAX 8
Comment 5 deckrider 2006-08-17 22:37:40 UTC
I guess my only other concern is what is the 'correct' max length that ought to
be supported?

We came upon this issue because we authenticate against an ldap server for
subversion.  I'm guessing that a password to do this kind of bind/authentication
could easily be up to 128 characters (perhaps more), and if the password prompt
doesn't permit this, authentication fails.

A quick look at Solaris 10 shows a MAX_PASS of 256 [I suppose this is for
getpassphrase(), which is not available on HP-UX B.11.23 ia64].
Comment 6 Garrett Rooney 2006-08-17 22:43:38 UTC
I believe the default for our internal implementation is 256, for what it's worth.
Comment 7 Joe Orton 2006-10-10 08:33:24 UTC
Committed to trunk: http://svn.apache.org/viewvc?view=rev&rev=454774