Bug 13830 - hash forbidden for proxy password in drakrpm-editmedia
Summary: hash forbidden for proxy password in drakrpm-editmedia
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-31 17:59 CEST by Cédric Levasseur
Modified: 2015-10-27 06:56 CET (History)
0 users

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Cédric Levasseur 2014-07-31 17:59:35 CEST 
When i try to add http_proxy with an user & password for drakrpm-editmedia, 
if the password contains a dash (#), it is stored only partially.

This result in a never-updating-distro. For example, i'm connecting mageia to internet with a entreprise proxy, authentifying in sync with a active directory which force complicated password with special-char like #.

Morever, the password is stored in CLEAR (seriously ?) in /etc/urpmi/proxy.cfg

STEP TO REPRODUCE : Clic on "Mageai Menu> Tools > System Tools> Configure Your computer > Software management > Configure Sources...  "
Open the "Options Menu" > "Proxy"
tip the checkbox, Enter a proxy, a username, a password with a dash #, and press OK. Press OK to close the windows.
Using root into a Konsole, cat /etc/urpmi/proxy.cfg

TO SOLVE THIS, i think the better way is to crypt the password !
Cédric Levasseur 2014-07-31 18:00:51 CEST

Hardware: i586 => All

Comment 1 David Walser 2014-07-31 22:10:57 CEST 
It can't crypt the password, because that's just a hashing algorithm (and a bad one at that), as it needs the actual password to authenticate with the proxy.  It could encrypt it, but then it would need a passphrase or a key or something to decrypt it.  That is probably overkill.  Making the file it stores it in have 600 permissions should be sufficient.

Also, # is a hash, not a dash.  That's a legitimate bug.

Assignee: bugsquad => thierry.vignaud
Summary: dash forbidden for proxy password in drakrpm-editmedia => hash forbidden for proxy password in drakrpm-editmedia

Comment 2 Thierry Vignaud 2015-06-03 11:45:13 CEST 
Also, /etc/urpmi/proxy.cfg permissions are restricted.
Comment 3 Samuel Verschelde 2015-09-21 13:19:00 CEST 
Mageia 4 changed to end-of-life (EOL) status on 2015-09-19. It is is no longer 
maintained, which means that it will not receive any further security or bug 
fix updates.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we weren't 
able to fix it before Mageia 4's end of life. If you are able to reproduce it 
against a later version of Mageia, you are encouraged to click on "Version" and 
change it against that version of Mageia. If it's valid in several versions, 
select the highest and add MGAxTOO in whiteboard for each other valid release.
Example: it's valid in cauldron and Mageia 5, set to cauldron and add MGA5TOO.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

If you would like to help fixing bugs in the future, don't hesitate to join the
packager team via our mentoring program [1] or join the teams that fit you 
most [2].

[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/
Comment 4 Marja Van Waes 2015-10-27 06:56:27 CET 
As announced over a month ago, Mageia 4 changed to end-of-life (EOL) status on 2015-09-19. It is is no longer maintained, which means that it will not receive any further security or bug fix updates.

This issue may have been fixed in a later Mageia release, so, if you still see it and didn't already do so: please upgrade to Mageia 5 (or, if you read this much later than this is written: make sure you run a currently maintained Mageia version)

If you are able to reproduce it against a maintained version of Mageia, you are encouraged to 
1. reopen this bug report, by changing the "Status" from "RESOLVED - OLD" to "REOPENED"
2. click on "Version" and change it against that version of Mageia. If you know it's valid in several versions, select the highest and add MGAxTOO in whiteboard for each other valid release.
Example: it's valid in cauldron and Mageia 5, set to cauldron and add MGA5TOO.
3. give as much relevant information as possible. If you're not an experienced bug reporter and have some time: please read this page:
https://wiki.mageia.org/en/How_to_report_a_bug_properly

If you see a similar issue, but are _not_sure_ it is the same, with the same cause, then please file a new bug report and mention this one in it (please include the bug number, too). 


If you would like to help fixing bugs in the future, don't hesitate to join the
packager team via our mentoring program [1] or join the teams that fit you 
most [2].
[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/

Status: NEW => RESOLVED
Resolution: (none) => OLD
Note You need to log in before you can comment on or make changes to this bug.