crypt.crypt() changed in Xenial causing incorrectly generated .htpasswd entries

Bug #1722209 reported by Haw Loeung on 2017-10-09
Affects: Launchpad itself
Importance: Critical
Assigned to: Colin Watson

Bug Description

Hi,

Private PPAs are locked down using htaccess/htpassword. The server hosting Private PPAs, haetae, was recently upgraded to Xenial.

Unfortunately, it seems that crypt.crypt() has changed and if the salt used contains dashes ('-'), it would return None where previously it would be allowed. The salt LP uses is usually the first two characters of the username.

| >>> crypt.crypt('foobar', 'j-')
| >>>

Thanks to cjwatson for discovering and confirming this.


Colin Watson (cjwatson) wrote :
tags: added: lp-soyuz ppa regression soyuz-publish
Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical
Haw Loeung (hloeung) on 2017-10-09
description: updated
Colin Watson (cjwatson) on 2017-10-09
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) on 2017-10-16
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) wrote :

Fixed on production, though there'll have to be some change to the authentication tokens associated with the small number of affected PPAs (creating/revoking a token would do it) in order to force Launchpad to regenerate the incorrect .htpasswd files.

Changed in launchpad:
status: Fix Committed → Fix Released
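
An added example, not Launchpad's code: a Python check for the failure described in the report and for the regeneration step mentioned in the last comment. It tests whether a username-derived salt is valid for traditional DES crypt(3) and audits .htpasswd text for entries that need regenerating. It assumes the file holds only 13-character DES crypt hashes; the function names and the sample file, including the `None` field, are constructed for illustration.

```python
import re
import secrets
import string

# Traditional DES crypt(3) takes a two-character salt from this alphabet.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample: one plausible entry, one written from a failed crypt
# call (assumed to appear as the text "None"), one with an empty hash field.
SAMPLE = "alice:alXq0Yv9p1T2o\nj-smith:None\nbob:\n"


def salt_is_valid(salt):
    """True if the first two characters are usable as a DES crypt salt."""
    return len(salt) >= 2 and all(c in SALT_ALPHABET for c in salt[:2])


def pick_salt(username):
    """Keep the username-derived salt when valid, else draw a random one."""
    candidate = username[:2]
    if salt_is_valid(candidate):
        return candidate
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def audit_htpasswd(text):
    """Return (line_number, username, reason) for entries to regenerate."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, sep, field = line.partition(":")
        if sep and DES_HASH.fullmatch(field):
            continue  # well-formed DES crypt entry
        reason = "hash field is not a 13-character DES crypt hash"
        if not salt_is_valid(username[:2]):
            reason += "; username prefix is not a valid crypt salt"
        findings.append((number, username, reason))
    return findings


if __name__ == "__main__":
    for number, username, reason in audit_htpasswd(SAMPLE):
        print(f"line {number}: {username}: {reason}")
```
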