Re: [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)

[Thom May]

* William A. Rowe, Jr. ([EMAIL PROTECTED]) wrote :
> +1 here, I'm only confused by why you needed the extra strcpy(tmp, line);
> which doesn't seem to be necessary.
> 
Gone now. I think that was a relic from when I was trying to do this a
different way. Oh, and the spaces are now sorted, thanks to the cluesticking
I got from Justin and Cliff last night on IRC.
Cheers,
-Thom


Index: htpasswd.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v
retrieving revision 1.43
diff -u -u -r1.43 htpasswd.c
--- htpasswd.c  16 May 2002 19:57:11 -0000      1.43
+++ htpasswd.c  17 May 2002 07:43:49 -0000
@@ -77,6 +77,7 @@
  *  5: Failure; buffer would overflow (username, filename, or computed
  *     record too long)
  *  6: Failure; username contains illegal or reserved characters
+ *  7: Failure: file is not a valid htpasswd file
  */
 
 #include "apr.h"
@@ -133,6 +134,7 @@
 #define ERR_INTERRUPTED 4
 #define ERR_OVERFLOW 5
 #define ERR_BADUSER 6
+#define ERR_INVALID 7
 
 /*
  * This needs to be declared statically so the signal handler can
@@ -582,6 +584,39 @@
             perror("fopen");
             exit(ERR_FILEPERM);
         }
+        /*
+         * Now we need to confirm that this is a valid htpasswd file
+         */
+        if (! newfile){
+                
+            fpw = fopen(pwfilename, "r");
+            while (! (get_line(line, sizeof(line), fpw))) {
+                char *testcolon;
+
+                if ((line[0] == '#') || (line[0] == '\0')) {
+                    continue;
+                }
+                testcolon = strchr(line, ':');
+                if (testcolon != NULL){
+                    /*
+                     * We got a valid line. keep going
+                     */
+                    continue;
+                }
+                else {
+                    /*
+                     * no colon in the line, and it's not a comment
+                     * Time to bail out before we do damage.
+                     */
+                    fprintf(stderr, "%s: The file %s does not appear "
+                                    "to be a valid htpasswd file.\n",
+                            argv[0], pwfilename);
+                    fclose(fpw);
+                    exit(ERR_INVALID);
+                }
+            }
+            fclose(fpw);
+        }
     }
 
     /*
@@ -678,7 +713,7 @@
     /*
      * The temporary file now contains the information that should be
      * in the actual password file.  Close the open files, re-open them
-     * in the appropriate mode, and copy them file to the real one.
+     * in the appropriate mode, and copy the temp file to the real one.
      */
     fclose(ftemp);
     fpw = fopen(pwfilename, "w+");