Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2002/05/16 22:00:22 UTC
Re: [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)
+1 here, I'm only confused by why you needed the extra strcpy(tmp, line);
which doesn't seem to be necessary.
At 02:49 PM 5/16/2002, you wrote:
>Ok, so now a new sanity check, hopefully sans tabs.
>-Thom
>--
>Thom May -> thom@planetarytramp.net
>
>Buffy: We have a marching jazz band?
>Oz: Yeah, but, you know, since the best jazz is improvisational, we'd be
>going off in all directions, banging into floats... scary.
>
>
>--- htpasswd.c.orig Thu May 16 20:45:41 2002
>+++ htpasswd.c Thu May 16 20:44:51 2002
>@@ -77,6 +77,7 @@
> * 5: Failure; buffer would overflow (username, filename, or computed
> * record too long)
> * 6: Failure; username contains illegal or reserved characters
>+ * 7: Failure: file is not a valid htpasswd file
> */
>
> #include "apr.h"
>@@ -133,6 +134,7 @@
> #define ERR_INTERRUPTED 4
> #define ERR_OVERFLOW 5
> #define ERR_BADUSER 6
>+#define ERR_INVALID 7
>
> /*
> * This needs to be declared statically so the signal handler can
>@@ -582,6 +584,41 @@
> perror("fopen");
> exit(ERR_FILEPERM);
> }
>+ /*
>+ * Now we need to confirm that this is a valid htpasswd file
>+ */
>+ if (! newfile){
>+ char tmp[MAX_STRING_LEN];
>+
>+ fpw = fopen(pwfilename, "r");
>+ while (! (get_line(line, sizeof(line), fpw))) {
>+ char *testcolon;
>+
>+ if ((line[0] == '#') || (line[0] == '\0')) {
>+ continue;
>+ }
>+ strcpy(tmp, line);
>+ testcolon = strchr(tmp, ':');
>+ if (testcolon != NULL){
>+ /*
>+ * We got a valid line. keep going
>+ */
>+ continue;
>+ }
>+ else {
>+ /*
>+ * no colon in the line, and it's not a comment
>+ * Time to bail out before we do damage.
>+ */
>+ fprintf(stderr, "%s: The file %s does not
>appear "
>+ "to be a valid htpasswd file.\n",
>+ argv[0], pwfilename);
>+ fclose(fpw);
>+ exit(ERR_INVALID);
>+ }
>+ }
>+ fclose(fpw);
>+ }
> }
>
> /*
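Review bot: strcpy(tmp, line) in the validation loop is an unbounded copy into tmp[MAX_STRING_LEN], and its safety depends on line never holding more than MAX_STRING_LEN bytes, which this hunk does not show. Nothing here needs the copy: strchr() does not modify its argument, so testcolon = strchr(line, ':') gives the same result and lets both tmp and the strcpy go. Separately, the fprintf format string has been wrapped by the mailer in the middle of the literal ("does not" / "appear"), so the patch will not apply or compile as sent; sending it as an attachment would avoid that.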
>@@ -678,7 +715,7 @@
> /*
> * The temporary file now contains the information that should be
> * in the actual password file. Close the open files, re-open them
>- * in the appropriate mode, and copy them file to the real one.
>+ * in the appropriate mode, and copy the temp file to the real one.
> */
> fclose(ftemp);
> fpw = fopen(pwfilename, "w+");
Re: [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)
Posted by Thom May <th...@planetarytramp.net>.
* William A. Rowe, Jr. (wrowe@rowe-clan.net) wrote :
> +1 here, I'm only confused by why you needed the extra strcpy(tmp, line);
> which doesn't seem to be necessary.
>
Gone now. I think that was a relic from when I was trying to do this a
different way. Oh, and the spaces are now sorted, thanks to the cluesticking
I got from Justin and Cliff last night on IRC.
Cheers,
-Thom
Index: htpasswd.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v
retrieving revision 1.43
diff -u -u -r1.43 htpasswd.c
--- htpasswd.c 16 May 2002 19:57:11 -0000 1.43
+++ htpasswd.c 17 May 2002 07:43:49 -0000
@@ -77,6 +77,7 @@
* 5: Failure; buffer would overflow (username, filename, or computed
* record too long)
* 6: Failure; username contains illegal or reserved characters
+ * 7: Failure: file is not a valid htpasswd file
*/
#include "apr.h"
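Review bot: The new exit-status entry in the header comment reads "7: Failure: file is not a valid htpasswd file", while the neighbouring entries put a semicolon after "Failure" ("5: Failure; buffer would overflow", "6: Failure; username contains illegal or reserved characters"). Suggest "7: Failure; file is not a valid htpasswd file" so the list stays consistent.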
@@ -133,6 +134,7 @@
#define ERR_INTERRUPTED 4
#define ERR_OVERFLOW 5
#define ERR_BADUSER 6
+#define ERR_INVALID 7
/*
* This needs to be declared statically so the signal handler can
@@ -582,6 +584,39 @@
perror("fopen");
exit(ERR_FILEPERM);
}
+ /*
+ * Now we need to confirm that this is a valid htpasswd file
+ */
+ if (! newfile){
+
+ fpw = fopen(pwfilename, "r");
+ while (! (get_line(line, sizeof(line), fpw))) {
+ char *testcolon;
+
+ if ((line[0] == '#') || (line[0] == '\0')) {
+ continue;
+ }
+ testcolon = strchr(line, ':');
+ if (testcolon != NULL){
+ /*
+ * We got a valid line. keep going
+ */
+ continue;
+ }
+ else {
+ /*
+ * no colon in the line, and it's not a comment
+ * Time to bail out before we do damage.
+ */
+ fprintf(stderr, "%s: The file %s does not appear "
+ "to be a valid htpasswd file.\n",
+ argv[0], pwfilename);
+ fclose(fpw);
+ exit(ERR_INVALID);
+ }
+ }
+ fclose(fpw);
+ }
}
/*
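Review bot: The result of fpw = fopen(pwfilename, "r") is handed straight to get_line() without a NULL check. The context just above handles an fopen failure with perror("fopen") and exit(ERR_FILEPERM), but this is a separate open and can still fail (for example if the file is removed or its permissions change in between), so it should get the same handling before the loop starts. Two smaller points: the test only requires a ':' somewhere in the line, so a line such as ":" with an empty username is accepted as valid; and since the first branch ends in continue, the else and the testcolon variable can be dropped in favour of if (strchr(line, ':') == NULL) { ... }.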
@@ -678,7 +713,7 @@
/*
* The temporary file now contains the information that should be
* in the actual password file. Close the open files, re-open them
- * in the appropriate mode, and copy them file to the real one.
+ * in the appropriate mode, and copy the temp file to the real one.
*/
fclose(ftemp);
fpw = fopen(pwfilename, "w+");