Fix empty password security hole, which affects wikis with both

password and OpenID login enabled.

Submitted by:	Joey Hess <joeyh at debian.org> (IkiWiki author)
Approved by:	erwin (mentor, implicit)
Security:	http://www.vuxml.org/freebsd/09066828-2ef1-11dd-a0d8-0016d325a0ed.html

2 files changed, 12 insertions, 0 deletions

diff --git a/www/ikiwiki/Makefile b/www/ikiwiki/Makefile
index 822bf1fb42ec..5715157fc9d7 100644
--- a/www/ikiwiki/Makefile
+++ b/www/ikiwiki/Makefile
@@ -6,6 +6,7 @@
 
 PORTNAME=	ikiwiki
 PORTVERSION=	2.47
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_DEBIAN_POOL}
 DISTNAME=	${PORTNAME}_${PORTVERSION}
@@ -51,6 +52,7 @@ PLIST_SUB=	W3M="@comment "
 .endif
 
 post-patch:
+	@${RM} ${WRKSRC}/IkiWiki/Plugin/passwordauth.pm.orig
 	@${REINPLACE_CMD} -e "s|/usr/bin/markdown|${LOCALBASE}/bin/markdown|" \
 		${WRKSRC}/IkiWiki/Plugin/mdwn.pm
 	@${RM} ${WRKSRC}/IkiWiki/Plugin/mdwn.pm.bak
diff --git a/www/ikiwiki/files/patch-IkiWiki-Plugin-passwordauth.pm b/www/ikiwiki/files/patch-IkiWiki-Plugin-passwordauth.pm
new file mode 100644
index 000000000000..b582e2e94c3c
--- /dev/null
+++ b/www/ikiwiki/files/patch-IkiWiki-Plugin-passwordauth.pm
@@ -0,0 +1,10 @@
+--- IkiWiki/Plugin/passwordauth.pm.orig	2008-05-06 20:14:05.000000000 +0200
++++ IkiWiki/Plugin/passwordauth.pm	2008-05-31 10:50:03.000000000 +0200
+@@ -76,6 +76,7 @@ sub formbuilder_setup (@) { #{{{
+ 					name => "password",
+ 					validate => sub {
+ 						length $form->field("name") &&
++						length $_[0] &&
+ 						shift eq IkiWiki::userinfo_get($form->field("name"), 'password');
+ 					},
+ 				);