You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Thom May <th...@planetarytramp.net> on 2002/05/30 23:31:18 UTC

[PATCH] Sanity checking for htpasswd.c

Hi,
just reposting this patch. 
Cheers,
-Thom
-- 
Thom May -> thom@planetarytramp.net

<Gman> hum, I wonder if the cargo bar is looking for staff?
<thom> gman: cargo bar sydney has an insane staff turn over rate :)
<jdub> yeah, for turning over in the morning and seeing what you've woken up with.
<hadess> jdub woke up with Gman in his bed :P


Index: htpasswd.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v
retrieving revision 1.43
diff -u -u -r1.43 htpasswd.c
--- htpasswd.c	16 May 2002 19:57:11 -0000	1.43
+++ htpasswd.c	17 May 2002 07:43:49 -0000
@@ -77,6 +77,7 @@
  *  5: Failure; buffer would overflow (username, filename, or computed
  *     record too long)
  *  6: Failure; username contains illegal or reserved characters
+ *  7: Failure: file is not a valid htpasswd file
  */
 
 #include "apr.h"
@@ -133,6 +134,7 @@
 #define ERR_INTERRUPTED 4
 #define ERR_OVERFLOW 5
 #define ERR_BADUSER 6
+#define ERR_INVALID 7
 
 /*
  * This needs to be declared statically so the signal handler can
@@ -582,6 +584,39 @@
             perror("fopen");
             exit(ERR_FILEPERM);
         }
+        /*
+         * Now we need to confirm that this is a valid htpasswd file
+         */
+        if (! newfile){
+                
+            fpw = fopen(pwfilename, "r");
+            while (! (get_line(line, sizeof(line), fpw))) {
+                char *testcolon;
+
+                if ((line[0] == '#') || (line[0] == '\0')) {
+                    continue;
+                }
+                testcolon = strchr(line, ':');
+                if (testcolon != NULL){
+                    /*
+                     * We got a valid line. keep going
+                     */
+                    continue;
+                }
+                else {
+                    /*
+                     * no colon in the line, and it's not a comment
+                     * Time to bail out before we do damage.
+                     */
+                    fprintf(stderr, "%s: The file %s does not appear "
+                                    "to be a valid htpasswd file.\n",
+                            argv[0], pwfilename);
+                    fclose(fpw);
+                    exit(ERR_INVALID);
+                }
+            }
+            fclose(fpw);
+        }
     }
 
     /*
@@ -678,7 +713,7 @@
     /*
      * The temporary file now contains the information that should be
      * in the actual password file.  Close the open files, re-open them
-     * in the appropriate mode, and copy them file to the real one.
+     * in the appropriate mode, and copy the temp file to the real one.
      */
     fclose(ftemp);
     fpw = fopen(pwfilename, "w+");