Fix very rare but dangerous bug:

for some DES passwords
	crypt(real_password, salt)
is equal to
	crypt("", salt);
It means that this user (and anyone else) can log in without
entering a password at all, just by pressing Return.
So if an empty password is entered and the crypted password is not empty,
invalidate any crypt result by assigning ":".
Andrey A. Chernov 1998-02-13 21:02:53 +00:00
parent 8fef0774f8
commit c8b701a4af


@ -42,7 +42,7 @@ static char copyright[] =
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
static const char rcsid[] =
"$Id: login.c,v 1.30 1997/10/19 09:34:06 joerg Exp $";
"$Id: login.c,v 1.31 1998/02/05 18:37:02 guido Exp $";
#endif /* not lint */
/*
@ -454,6 +454,8 @@ main(argc, argv)
(void)signal(SIGQUIT, SIG_IGN);
if (pwd) {
if (!p[0] && pwd->pw_passwd[0])
ep = ":";
#ifdef KERBEROS
#ifdef SKEY
/*
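Review bot: The added test `if (!p[0] && pwd->pw_passwd[0])` and the assignment `ep = ":";` have no comment, so the code alone does not say why a one-character string is written over the crypt() result. I would put `/* empty input must never match a non-empty hash: some DES hashes equal crypt("", salt) */` above the test, and note that ":" was presumably picked because a colon cannot occur in a parsed passwd field. The guard only holds if nothing after it recomputes `ep` from `p`. The `#ifdef KERBEROS` / `#ifdef SKEY` code that follows and the comparison against `pwd->pw_passwd` both lie outside the hunk, so that is worth confirming on every authentication path. main() starts and ends outside the hunk.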