Fix empty password security hole, which affects wikis with both

password and OpenID login enabled. Submitted by: Joey Hess <joeyh at debian.org> (IkiWiki author) Approved by: erwin (mentor, implicit) Security: http://www.vuxml.org/freebsd/09066828-2ef1-11dd-a0d8-0016d325a0ed.html
svn path=/head/; revision=214013
2025-01-03 06:04:53 +00:00 · 2008-05-31 10:13:13 +00:00 · 2008-05-31 10:13:13 +00:00 · d3f091d86b · 2021-03-31 03:12:20 +00:00
commit d3f091d86b
parent a8dc197c39
2 changed files with 12 additions and 0 deletions
--- a/www/ikiwiki/Makefile
+++ b/www/ikiwiki/Makefile
@ -6,6 +6,7 @@

 PORTNAME=	ikiwiki
 PORTVERSION=	2.47
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_DEBIAN_POOL}
 DISTNAME=	${PORTNAME}_${PORTVERSION}
@ -51,6 +52,7 @@ PLIST_SUB=	W3M="@comment "
 .endif

 post-patch:
+	@${RM} ${WRKSRC}/IkiWiki/Plugin/passwordauth.pm.orig
 	@${REINPLACE_CMD} -e "s|/usr/bin/markdown|${LOCALBASE}/bin/markdown|" \
 		${WRKSRC}/IkiWiki/Plugin/mdwn.pm
 	@${RM} ${WRKSRC}/IkiWiki/Plugin/mdwn.pm.bak
--- a/www/ikiwiki/files/patch-IkiWiki-Plugin-passwordauth.pm
+++ b/www/ikiwiki/files/patch-IkiWiki-Plugin-passwordauth.pm
@ -0,0 +1,10 @@
+--- IkiWiki/Plugin/passwordauth.pm.orig	2008-05-06 20:14:05.000000000 +0200
+++ IkiWiki/Plugin/passwordauth.pm	2008-05-31 10:50:03.000000000 +0200
+@@ -76,6 +76,7 @@ sub formbuilder_setup (@) { #{{{
+ 					name => "password",
+ 					validate => sub {
+ 						length $form->field("name") &&
+						length $_[0] &&
+ 						shift eq IkiWiki::userinfo_get($form->field("name"), 'password');
+ 					},
+ 				);