httpd-dev mailing list archives

From Thom May <t...@planetarytramp.net>
Subject [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)
Date Thu, 16 May 2002 19:49:22 GMT
Ok, so now a new sanity check, hopefully sans tabs.
-Thom
-- 
Thom May -> thom@planetarytramp.net

Buffy: We have a marching jazz band? 
Oz: Yeah, but, you know, since the best jazz is improvisational, we'd be
going off in all directions, banging into floats... scary.


--- htpasswd.c.orig	Thu May 16 20:45:41 2002
+++ htpasswd.c	Thu May 16 20:44:51 2002
@@ -77,6 +77,7 @@
  *  5: Failure; buffer would overflow (username, filename, or computed
  *     record too long)
  *  6: Failure; username contains illegal or reserved characters
+ *  7: Failure: file is not a valid htpasswd file
  */
 
 #include "apr.h"
@@ -133,6 +134,7 @@
 #define ERR_INTERRUPTED 4
 #define ERR_OVERFLOW 5
 #define ERR_BADUSER 6
+#define ERR_INVALID 7
 
 /*
  * This needs to be declared statically so the signal handler can
@@ -582,6 +584,41 @@
             perror("fopen");
             exit(ERR_FILEPERM);
         }
+        /*
+         * Now we need to confirm that this is a valid htpasswd file
+         */
+        if (! newfile){
+            char tmp[MAX_STRING_LEN];
+
+            fpw = fopen(pwfilename, "r");
+            while (! (get_line(line, sizeof(line), fpw))) {
+                    char *testcolon;
+
+                    if ((line[0] == '#') || (line[0] == '\0')) {
+                            continue;
+                    }
+                    strcpy(tmp, line);
+                    testcolon = strchr(tmp, ':');
+                    if (testcolon != NULL){
+                            /*
+                             * We got a valid line. keep going
+                             */
+                            continue;
+                    }
+                    else {
+                            /*
+                             * no colon in the line, and it's not a comment
+                             * Time to bail out before we do damage.
+                             */
+                            fprintf(stderr, "%s: The file %s does not appear "
+                                            "to be a valid htpasswd file.\n",
+                                            argv[0], pwfilename);
+                            fclose(fpw);
+                            exit(ERR_INVALID);
+                    }
+            }
+            fclose(fpw);
+        }
     }
 
     /*
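Review bot: The stream returned by `fopen(pwfilename, "r")` in the added validation block is handed to `get_line` without a NULL check, so unless a readability test outside this hunk already guarantees the open succeeds, a file that cannot be read reaches the loop as a null stream; adding `if (fpw == NULL) { perror("fopen"); exit(ERR_FILEPERM); }` before the `while` closes that gap. The `strcpy(tmp, line)` copy is unnecessary because `strchr` does not modify its argument, and it is only in bounds if `line` is no larger than `MAX_STRING_LEN`, which the hunk does not show; testing `if (strchr(line, ':') == NULL)` on `line` directly removes both the extra buffer and that assumption. The check also describes the file only as it was when read here, since the file is opened again later for writing. The enclosing function starts and ends outside the hunk.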
@@ -678,7 +715,7 @@
     /*
      * The temporary file now contains the information that should be
      * in the actual password file.  Close the open files, re-open them
-     * in the appropriate mode, and copy them file to the real one.
+     * in the appropriate mode, and copy the temp file to the real one.
      */
     fclose(ftemp);
     fpw = fopen(pwfilename, "w+");
