Posted to dev@httpd.apache.org by Kris Verbeeck <Kr...@ubizen.com> on 2002/10/22 14:15:58 UTC

[PATCH] htpasswd

Solves the following issue from the STATUS file:

    * htpasswd blindly processes the file you give it, and does no
      sanity checking before totally corrupting whatever file it was
      you thought you had. It should check the input file and bail
      if it finds non-comment lines that do not contain exactly 1
      ':' character.
        Message-ID: <20...@clove.org>

htpasswd will return error code 7 if the file contains invalid entries.
The patch contains a diff for htpasswd.c, htpasswd.1 (the man page) and
htpasswd.html (the HTML manual).  I think that's it.

-- 
ir. Kris Verbeeck
Development Engineer

Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium
T:  +32 16 28 70 64
F:  +32 16 28 70 77

Ubizen - We Secure e-business - www.ubizen.com

Re: [PATCH] htpasswd

Posted by André Malo <nd...@perlig.de>.
* Kris Verbeeck wrote:

> André Malo wrote:

[blah]

> The current patch only bails out if there is no colon, so two colons
> should not be a problem.

oops, yes. I looked more at the status text rather than over the patch.
Sorry ;-)

nd
-- 
sub the($){+shift} sub answer (){ord q
        [* It is always 42! *]       }
           print the answer
# André Malo # http://www.perlig.de/ #

Re: [PATCH] htpasswd

Posted by Kris Verbeeck <Kr...@ubizen.com>.
André Malo wrote:
> 
> * Kris Verbeeck wrote:
> 
> >     * htpasswd blindly processes the file you give it, and does no
> >       sanity checking before totally corrupting whatever file it was
> >       you thought you had. It should check the input file and bail
> >       if it finds non-comment lines that do not contain exactly 1
> >       ':' character.
> >         Message-ID: <20...@clove.org>
> 
> Sorry, if I'm too late, but this is a bad criterion, since the parser of
> mod_auth/mod_authn_file uses the second colon as a delimiter and many
> people put comments after it.
> 
> The second colon is also /necessary/ if you want plain text passwords
> (e.g. under win32) that end with spaces...
> [Yes, I've seen this already]

The current patch only bails out if there is no colon, so two colons
should not be a problem.

-- 
ir. Kris Verbeeck
Development Engineer


Re: [PATCH] htpasswd

Posted by André Malo <nd...@perlig.de>.
* Kris Verbeeck wrote:

>     * htpasswd blindly processes the file you give it, and does no
>       sanity checking before totally corrupting whatever file it was
>       you thought you had. It should check the input file and bail
>       if it finds non-comment lines that do not contain exactly 1
>       ':' character.
>         Message-ID: <20...@clove.org>

Sorry, if I'm too late, but this is a bad criterion, since the parser of 
mod_auth/mod_authn_file uses the second colon as a delimiter and many 
people put comments after it.

The second colon is also /necessary/ if you want plain text passwords
(e.g. under win32) that end with spaces...
[Yes, I've seen this already]

nd
-- 
Treat your password like your toothbrush. Don't let anybody else
use it, and get a new one every six months.  -- Clifford Stoll

                                    (found in ssl_engine_pphrase.c)
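
The check discussed in this thread (bail out only when a non-comment line has no colon, and report status 7), written out as an added example; it is not the attached patch or htpasswd's own code. The function names, the `ERR_INVALID_FILE` macro, the treatment of `#` in column 0 as a comment and the sample file contents are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define ERR_INVALID_FILE 7 /* status named in the thread; macro name is hypothetical */

/* Rule from the thread: comment and blank lines pass (assumed: '#' in column 0);
 * every other line needs at least one ':'. Extra colons are accepted because
 * the auth module's parser uses the second colon as a delimiter. */
static int line_ok(const char *line, size_t len)
{
    if (len == 0 || line[0] == '#')
        return 1;
    return memchr(line, ':', len) != NULL;
}

/* Scan a whole file image before anything is rewritten. Returns 0, or
 * ERR_INVALID_FILE with *bad_line set to the 1-based offending line. */
static int check_passwd_text(const char *text, int *bad_line)
{
    int lineno = 0;
    *bad_line = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        lineno++;
        if (!line_ok(text, len)) {
            *bad_line = lineno;
            return ERR_INVALID_FILE;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return 0;
}

/* Constructed samples, not taken from the thread. */
static const char GOOD_FILE[] =
    "# staff accounts\n"
    "alice:$apr1$placeholder$placeholder\n"
    "bob:plain text :comment after second colon\n";
static const char BAD_FILE[] =
    "alice:$apr1$placeholder$placeholder\n"
    "this file is not a password file\n";

int main(void)
{
    int bad, rc = check_passwd_text(BAD_FILE, &bad);
    printf("bad file: status %d, line %d\n", rc, bad);
    return check_passwd_text(GOOD_FILE, &bad);
}
```

Running the scan over the whole file before writing anything is what keeps a mistaken argument (some other file passed in place of the password file) from being rewritten.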