- Realised that I had not tested the old password beinhg correct or not. Previous check gave the same answer irrespective of the output coming from the htpasswd verification. - This changes the variable used for the system_output result to an array and then checks if the first element contains the failure message that htpasswd gives if password verification fails. - Tested out with correct and incorrect old passwords and gave the correct answer in both cases. Confirmed also that the check for the user being present works correctly for both an existing and new user name, which it did.
Fixes: bug12755 Tested-by: Adolf Belka <[email protected]> Signed-off-by: Adolf Belka <[email protected]> --- html/cgi-bin/chpasswd.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi index c00caca20..46c3e02f6 100644 --- a/html/cgi-bin/chpasswd.cgi +++ b/html/cgi-bin/chpasswd.cgi @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) # Check if a user with this name and password exists in the userdb file # and if it does then change the password to the new one my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); if (!$user) { $errormessage = $tr{'advproxy errmsg invalid user'}; goto ERROR; - } elsif (!$old_password) { + } elsif (@old_password[0] =~ /password verification failed/) { $errormessage = $tr{'advproxy errmsg password incorrect'}; goto ERROR; } else { -- 2.49.0
