arbitrarily limits username/password to 32 characters #2856

michaelrsweet opened this Issue Jun 10, 2008 · 7 comments

1 participant


Version: 1.6-feature User: martin.pitt.canonical reported that cups limits usernames and passwords to 32 characters. Passwords can realistically be longer than that, though.

I checked the code, this is defined in cupsd_authdata_t (./scheduler/auth.c, private) and cupsd_client_{s,t} (./scheduler/client.h, private). The only place where the 32 is publicly exposed in the library API is cups/http.h:

extern char *httpMD5(const char *, const char *, const char *, char [33]);
extern char *httpMD5Final(const char *, const char *, const char *, char [33]);
extern char *httpMD5String(const unsigned char *, char [33]);

However, changing this to char[256] or even just char* won't change the ABI, since all of them are passed identically in C. It might change the API (depending on how picky the compiler is wrt. array length comparisons), but that shouldn't hurt too much?

Would you consider raising the maximum length, to e. g. 256?

@michaelrsweet User: mike

This is a dupe of STR #115.

Usernames are currently limited to 255 characters.

Passwords are currently limited to 32 characters. Realistically, we are limited by getpass(), which on most platforms only supports 8 to 32 characters. Current versions of glibc support BUFSIZ (8192) characters, and current Mac OS X supports 128 characters.

In any case, we will reconsider this for a future CUPS release (probably not 1.4), since changes will require a full code audit to make sure we do not have any issues with the longer password buffer. The MD5 code doesn't have to change since the "33" is enough to hold 16 bytes of hex-encoded checksum data, however the http_t structure might since we cache the username and password in a 256 byte buffer.
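A small added example (not CUPS code and not from this thread) that illustrates the two points in mike's comment above: a 33-byte buffer cannot hold a password longer than 32 characters while an HTTP_MAX_VALUE-sized buffer can, and the 33-byte MD5 hex buffer is unaffected by how long the hashed password was. The store_credential and md5_hex helpers and the two size constants are names assumed here for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define OLD_PW_SIZE    33   /* char password[33] in the 1.3.x cupsd_authdata_t */
#define HTTP_MAX_VALUE 256  /* buffer size used by the fix */

/* Bounded copy that reports truncation instead of hiding it.
 * Returns 0 on success, -1 when src does not fit; dst is then left empty so
 * a silently shortened credential is never handed to the auth backend. */
static int store_credential(char *dst, size_t dstsize, const char *src)
{
  size_t len = strlen(src);

  if (dstsize == 0 || len >= dstsize)
  {
    if (dstsize) dst[0] = '\0';
    return -1;
  }
  memcpy(dst, src, len + 1);
  return 0;
}

/* Hex-encode a 16-byte MD5 digest: always 32 hex chars + NUL = 33 bytes,
 * however long the password that was hashed. */
static char *md5_hex(const unsigned char digest[16], char out[33])
{
  static const char hex[] = "0123456789abcdef";

  for (int i = 0; i < 16; i++)
  {
    out[2 * i]     = hex[digest[i] >> 4];
    out[2 * i + 1] = hex[digest[i] & 0x0f];
  }
  out[32] = '\0';
  return out;
}

int main(void)
{
  /* Constructed 40-character password, longer than the old 32-char limit. */
  const char *pw = "correct-horse-battery-staple-0123456789a";
  char old_buf[OLD_PW_SIZE], new_buf[HTTP_MAX_VALUE];

  printf("33-byte buffer:  %s\n",
         store_credential(old_buf, sizeof(old_buf), pw) ? "does not fit" : "ok");
  printf("256-byte buffer: %s\n",
         store_credential(new_buf, sizeof(new_buf), pw) ? "does not fit" : "ok");
  return 0;
}
```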

@michaelrsweet User: martin.pitt.canonical

Usernames are currently limited to 255 characters.

Hmm, scheduler/auth.c seems to limit them to 32:

typedef struct cupsd_authdata_s         /**** Authentication data ****/
{
  char  username[33],                   /* Username string */
        password[33];                   /* Password string */
} cupsd_authdata_t;

(cupsd_cert_s and cupsd_quota_t, too). I checked both 1.3.7 and trunk svn head.

@michaelrsweet User: cyberpatrol

It's quite important to get this fixed, because CUPS is one of only two software packages I know which can't handle long Linux passwords, and it's impossible for me to administrate CUPS.

Using Digest, as mike has suggested in STR #2906, doesn't work either.

I've changed DefaultAuthType to Digest and ran lppasswd -a , but authentication on the web interface still fails.

And Kerberos isn't an option for me, because I'm currently just using a single computer, on which I don't want to run too many daemons which eat system resources.

@michaelrsweet User: mike

cyberpatrol: This will not be fixed before CUPS 1.5 since it only affects a very small number of users (based on our bug reports, 3 people out of tens of millions...) that have passwords longer than 32 bytes.

As for Digest not working, please follow up on that issue on the cups.general forum if you are interested in getting it to work.

@michaelrsweet User: mike

We now have a replacement for getpass, so we just need to address the PAM data structure in cupsd to fix this...

@michaelrsweet User: mike

Fixed in Subversion repository.



Index: scheduler/auth.c

--- scheduler/auth.c (revision 10288)
+++ scheduler/auth.c (working copy)
@@ -3,7 +3,7 @@

  • Authorization routines for the CUPS scheduler. *
    • * Copyright 2007-2011 by Apple Inc.
    • * Copyright 2007-2012 by Apple Inc.
  • Copyright 1997-2007 by Easy Software Products, all rights reserved. *
  • This file contains Kerberos support code, copyright 2006 by @@ -130,8 +130,8 @@ #if HAVE_LIBPAM typedef struct cupsd_authdata_s /**** Authentication data ****/ {
    • char username[33], /* Username string */
    • password[33]; /* Password string */
    • char username[HTTP_MAX_VALUE], /* Username string */
    • password[HTTP_MAX_VALUE]; /* Password string / } cupsd_authdata_t; #endif / HAVE_LIBPAM */

@@ -322,8 +322,10 @@
int type; /* Authentication type /
const char *authorization; /
Pointer into Authorization string /
char *ptr, /
Pointer into string */

  • username[256], /* Username string */
  • password[33]; /* Password string */
  • username[HTTP_MAX_VALUE],
  • /* Username string */
  • password[HTTP_MAX_VALUE];
  • /* Password string / cupsd_cert_t *localuser; / Certificate username / char nonce[HTTP_MAX_VALUE], / Nonce value from client / md5[33], / MD5 password / Index: scheduler/client.h =================================================================== --- scheduler/client.h (revision 10288) +++ scheduler/client.h (working copy) @@ -32,8 +32,10 @@ http_state_t operation; / Request operation / off_t bytes; / Bytes transferred for this request / int type; / AuthType for username */
  • char username[256], /* Username from Authorization: line */
  • password[33], /* Password from Authorization: line */
  • char username[HTTP_MAX_VALUE],
  • /* Username from Authorization: line */
  • password[HTTP_MAX_VALUE],
  • /* Password from Authorization: line / uri[HTTP_MAX_URI], / Localized URL/URI for GET/PUT / *filename, / Filename of output file */
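Review bot: the cupsd_authdata_s hunk in scheduler/auth.c (@@ -130,8) enlarges username and password to HTTP_MAX_VALUE, but the patch shows no change to the HAVE_LIBPAM code that fills and reads those fields; please confirm every copy into them is bounded by sizeof(data->username) / sizeof(data->password) rather than a literal 33, otherwise the larger buffers will still be cut at the old length.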
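Review bot: in the @@ -322,8 hunk of scheduler/auth.c, username and password grow to HTTP_MAX_VALUE while md5[33] is left alone, which is right since the MD5 hex string is 32 characters plus NUL whatever the input length; the decoding of the Authorization value into these locals is not part of the hunk, so please confirm its length argument is taken from sizeof(username) / sizeof(password), and note that password alone adds 223 bytes to this function's stack frame.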
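Review bot: the scheduler/client.h hunk grows password in the per-client structure from 33 to HTTP_MAX_VALUE bytes; any code that clears or copies client->password with a hard-coded size needs the matching update, and since this field holds the cleartext password for the lifetime of the client it is worth confirming that it is cleared once the request has been authenticated.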
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016