Copyright (C) 2006 OpenWrt.org --- a/networking/httpd.c +++ b/networking/httpd.c @@ -1716,21 +1716,32 @@ static int check_user_passwd(const char if (ENABLE_FEATURE_HTTPD_AUTH_MD5) { char *md5_passwd; + int user_len_p1; md5_passwd = strchr(cur->after_colon, ':'); - if (md5_passwd && md5_passwd[1] == '$' && md5_passwd[2] == '1' + user_len_p1 = md5_passwd + 1 - cur->after_colon; + if (md5_passwd && !strncmp(md5_passwd + 1, "$p$", 3)) { + struct passwd *pwd = NULL; + + pwd = getpwnam(&md5_passwd[4]); + if(!pwd->pw_passwd || !pwd->pw_passwd[0] || pwd->pw_passwd[0] == '!') + return 1; + + md5_passwd = pwd->pw_passwd; + goto check_md5_pw; + } else if (md5_passwd && md5_passwd[1] == '$' && md5_passwd[2] == '1' && md5_passwd[3] == '$' && md5_passwd[4] ) { char *encrypted; - int r, user_len_p1; + int r; md5_passwd++; - user_len_p1 = md5_passwd - cur->after_colon; /* comparing "user:" */ if (strncmp(cur->after_colon, user_and_passwd, user_len_p1) != 0) { continue; } +check_md5_pw: encrypted = pw_encrypt( user_and_passwd + user_len_p1 /* cleartext pwd from user */, md5_passwd /*salt */, 1 /* cleanup */);