1
0
mirror of https://github.com/git/git.git synced 2024-11-15 17:03:14 +01:00
git/t/lib-httpd
Patrick Steinhardt 5d70afa5d8 t/lib-httpd: stop using legacy crypt(3) for authentication
When setting up httpd for our tests, we also install a passwd and
proxy-passwd file that contain the test user's credentials. These
credentials currently use crypt(3) as the password encryption schema.

This schema can be considered deprecated nowadays as it is not safe
anymore. Quoting Apache httpd's documentation [1]:

> Unix only. Uses the traditional Unix crypt(3) function with a
> randomly-generated 32-bit salt (only 12 bits used) and the first 8
> characters of the password. Insecure.

This is starting to cause issues in modern Linux distributions. glibc
has deprecated its libcrypt library that used to provide crypt(3) in
favor of the libxcrypt library. This newer replacement provides a
compile time switch to disable insecure password encryption schemata,
which causes crypt(3) to always return `EINVAL`. The end result is that
httpd tests that exercise authentication will fail on distros that use
libxcrypt without these insecure encryption schematas.

Regenerate the passwd files to instead use the default password
encryption schema, which is md5. While it feels kind of funny that an
MD5-based encryption schema should be more secure than anything else, it
is the current default and supported by all platforms. Furthermore, it
really doesn't matter all that much given that these files are only used
for testing purposes anyway.

[1]: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2023-11-11 09:00:42 +09:00
..
apache.conf test-lib: set UBSAN_OPTIONS to match ASan 2023-09-21 14:10:36 -07:00
apply-one-time-perl.sh t/lib-httpd: pass PERL_PATH to CGI scripts 2023-04-06 09:29:43 -07:00
broken-smart-http.sh
error-no-report.sh
error-smart-http.sh
error.sh
incomplete-body-upload-pack-v2-http.sh
incomplete-length-upload-pack-v2-http.sh
nph-custom-auth.sh t5563: add tests for basic and anoymous HTTP access 2023-02-27 10:40:40 -08:00
passwd t/lib-httpd: stop using legacy crypt(3) for authentication 2023-11-11 09:00:42 +09:00
proxy-passwd t/lib-httpd: stop using legacy crypt(3) for authentication 2023-11-11 09:00:42 +09:00
ssl.cnf t/lib-httpd: increase ssl key size to 2048 bits 2023-02-01 10:10:34 -08:00