Hello Adolf,

Thanks for the patch. Is there no return code that we get from htpasswd instead 
of parsing the output?

-Michael

> On 7 May 2025, at 13:42, Adolf Belka <[email protected]> wrote:
> 
> - Realised that I had not tested the old password being correct or not. 
> Previous check
>   gave the same answer irrespective of the output coming from the htpasswd 
> verification.
> - This changes the variable used for the system_output result to an array and 
> then
>   checks if the first element contains the failure message that htpasswd 
> gives if
>   password verification fails.
> - Tested out with correct and incorrect old passwords and gave the correct 
> answer in
>   both cases. Confirmed also that the check for the user being present works 
> correctly
>   for both an existing and new user name, which it did.
> 
> Fixes: bug12755
> Tested-by: Adolf Belka <[email protected]>
> Signed-off-by: Adolf Belka <[email protected]>
> ---
> html/cgi-bin/chpasswd.cgi | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
> index c00caca20..46c3e02f6 100644
> --- a/html/cgi-bin/chpasswd.cgi
> +++ b/html/cgi-bin/chpasswd.cgi
> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd 
> change password'})
>        # Check if a user with this name and password exists in the userdb file
>        # and if it does then change the password to the new one
>        my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", 
> "$userdb");
> -       my $old_password = &General::system_output("/usr/bin/htpasswd", 
> "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
> +       my @old_password = &General::system_output("/usr/bin/htpasswd", 
> "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
>        if (!$user) {
>                $errormessage = $tr{'advproxy errmsg invalid user'};
>                goto ERROR;
> -       } elsif (!$old_password) {
> +       } elsif (@old_password[0] =~ /password verification failed/) {
>                 $errormessage = $tr{'advproxy errmsg password incorrect'};
>                 goto ERROR;
>        } else {
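Review bot: The new `elsif` condition fails open. It rejects the request only when the first output line contains the exact text "password verification failed", so any other output, or no output at all, falls through to the `else` branch that changes the password. Invert the test so the change proceeds only on a positive result, ideally by checking the exit status of `/usr/bin/htpasswd` rather than its message text, and treat everything else as an error. Separately, `@old_password[0]` is a one-element array slice; the scalar element should be written `$old_password[0]`, and it should be checked for being defined before the regex match so that an empty result does not pass silently.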
> -- 
> 2.49.0
> 
> 

