httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Cannot create temp file
Date Mon, 18 Nov 2002 16:15:01 GMT

On Sun, 17 Nov 2002, Aaron Axelsen wrote:

> I have php script that I want to be able to add users to a htpasswd file
> .. However when its called from the php script I get the following
> error:
> /usr/local/apache/bin/htpasswd: unable to create temporary file
> htpasswd.tmp.oELAa4
>
> I am calling the htpasswd command like this:
> system("/usr/local/apache/bin/htpasswd -bm /path/to/.htpasswd $user
> $password");

Ooooh.  Look.  Really bad idea.

I'm very much hoping that you are strictly sanitizing $user and $password
before passing them to system.  Otherwise, this is a guarenteed security
breech.

htpasswd is designed to be run from the command line, not from the web.
You would, perhaps, be better off taking a look at its source code and
trying to adapt it to something a little more suited to direct web use.

I don't specifically remember what the temp file is for, but I'd guess
that it is writing the new password database to the temp file to assure
that it doesn't mangle the old one before replacing it.

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message