You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Thom May <th...@planetarytramp.net> on 2002/05/30 23:31:18 UTC
[PATCH] Sanity checking for htpasswd.c
Hi,
just reposting this patch.
Cheers,
-Thom
--
Thom May -> thom@planetarytramp.net
<Gman> hum, I wonder if the cargo bar is looking for staff?
<thom> gman: cargo bar sydney has an insane staff turn over rate :)
<jdub> yeah, for turning over in the morning and seeing what you've woken up with.
<hadess> jdub woke up with Gman in his bed :P
Index: htpasswd.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v
retrieving revision 1.43
diff -u -u -r1.43 htpasswd.c
--- htpasswd.c 16 May 2002 19:57:11 -0000 1.43
+++ htpasswd.c 17 May 2002 07:43:49 -0000
@@ -77,6 +77,7 @@
* 5: Failure; buffer would overflow (username, filename, or computed
* record too long)
* 6: Failure; username contains illegal or reserved characters
+ * 7: Failure: file is not a valid htpasswd file
*/
#include "apr.h"
@@ -133,6 +134,7 @@
#define ERR_INTERRUPTED 4
#define ERR_OVERFLOW 5
#define ERR_BADUSER 6
+#define ERR_INVALID 7
/*
* This needs to be declared statically so the signal handler can
@@ -582,6 +584,39 @@
perror("fopen");
exit(ERR_FILEPERM);
}
+ /*
+ * Now we need to confirm that this is a valid htpasswd file
+ */
+ if (! newfile){
+
+ fpw = fopen(pwfilename, "r");
+ while (! (get_line(line, sizeof(line), fpw))) {
+ char *testcolon;
+
+ if ((line[0] == '#') || (line[0] == '\0')) {
+ continue;
+ }
+ testcolon = strchr(line, ':');
+ if (testcolon != NULL){
+ /*
+ * We got a valid line. keep going
+ */
+ continue;
+ }
+ else {
+ /*
+ * no colon in the line, and it's not a comment
+ * Time to bail out before we do damage.
+ */
+ fprintf(stderr, "%s: The file %s does not appear "
+ "to be a valid htpasswd file.\n",
+ argv[0], pwfilename);
+ fclose(fpw);
+ exit(ERR_INVALID);
+ }
+ }
+ fclose(fpw);
+ }
}
/*
@@ -678,7 +713,7 @@
/*
* The temporary file now contains the information that should be
* in the actual password file. Close the open files, re-open them
- * in the appropriate mode, and copy them file to the real one.
+ * in the appropriate mode, and copy the temp file to the real one.
*/
fclose(ftemp);
fpw = fopen(pwfilename, "w+");