Re: [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)

2002-05-17 Thread Thom May

* William A. Rowe, Jr. ([EMAIL PROTECTED]) wrote :
 +1 here, I'm only confused by why you needed the extra strcpy(tmp, line);
 which doesn't seem to be necessary.
 
Gone now. I think that was a relic from when I was trying to do this a
different way. Oh, and the spaces are now sorted, thanks to the cluesticking
I got from Justin and Cliff last night on IRC.
Cheers,
-Thom


Index: htpasswd.c
===
RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v
retrieving revision 1.43
diff -u -u -r1.43 htpasswd.c
--- htpasswd.c  16 May 2002 19:57:11 -  1.43
+++ htpasswd.c  17 May 2002 07:43:49 -
@@ -77,6 +77,7 @@
  *  5: Failure; buffer would overflow (username, filename, or computed
  * record too long)
  *  6: Failure; username contains illegal or reserved characters
+ *  7: Failure: file is not a valid htpasswd file
  */
 
 #include apr.h
@@ -133,6 +134,7 @@
 #define ERR_INTERRUPTED 4
 #define ERR_OVERFLOW 5
 #define ERR_BADUSER 6
+#define ERR_INVALID 7
 
 /*
  * This needs to be declared statically so the signal handler can
@@ -582,6 +584,39 @@
 perror(fopen);
 exit(ERR_FILEPERM);
 }
+/*
+ * Now we need to confirm that this is a valid htpasswd file
+ */
+if (! newfile){
+
+fpw = fopen(pwfilename, r);
+while (! (get_line(line, sizeof(line), fpw))) {
+char *testcolon;
+
+if ((line[0] == '#') || (line[0] == '\0')) {
+continue;
+}
+testcolon = strchr(line, ':');
+if (testcolon != NULL){
+/*
+ * We got a valid line. keep going
+ */
+continue;
+}
+else {
+/*
+ * no colon in the line, and it's not a comment
+ * Time to bail out before we do damage.
+ */
+fprintf(stderr, %s: The file %s does not appear 
+to be a valid htpasswd file.\n,
+argv[0], pwfilename);
+fclose(fpw);
+exit(ERR_INVALID);
+}
+}
+fclose(fpw);
+}
 }
 
 /*
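Review bot: The result of `fopen(pwfilename, r)` at the top of the new `if (! newfile)` block is handed to `get_line` without a NULL test, so a file that cannot be opened at that moment means a NULL stream is read instead of the tool exiting cleanly. Any readability check earlier in the function is outside this hunk, and even if one exists the file can change between that check and this open, so the open itself should be tested: `if (fpw == NULL) { perror("fopen"); exit(ERR_FILEPERM); }`. The same unchecked open appears in the earlier revision of the patch quoted later in this thread. The enclosing function starts and ends outside the hunk.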
@@ -678,7 +713,7 @@
 /*
  * The temporary file now contains the information that should be
  * in the actual password file.  Close the open files, re-open them
- * in the appropriate mode, and copy them file to the real one.
+ * in the appropriate mode, and copy the temp file to the real one.
  */
 fclose(ftemp);
 fpw = fopen(pwfilename, w+);



Re: [Patch] Add sanity checking to htpassd (Was Re: [Patch] DeTabbify htpasswd.c)

2002-05-16 Thread William A. Rowe, Jr.

+1 here, I'm only confused by why you needed the extra strcpy(tmp, line);
which doesn't seem to be necessary.

At 02:49 PM 5/16/2002, you wrote:
Ok, so now a new sanity check, hopefully sans tabs.
-Thom
--
Thom May - [EMAIL PROTECTED]

Buffy: We have a marching jazz band?
Oz: Yeah, but, you know, since the best jazz is improvisational, we'd be
going off in all directions, banging into floats... scary.


--- htpasswd.c.orig Thu May 16 20:45:41 2002
+++ htpasswd.c  Thu May 16 20:44:51 2002
@@ -77,6 +77,7 @@
   *  5: Failure; buffer would overflow (username, filename, or computed
   * record too long)
   *  6: Failure; username contains illegal or reserved characters
+ *  7: Failure: file is not a valid htpasswd file
   */

  #include apr.h
@@ -133,6 +134,7 @@
  #define ERR_INTERRUPTED 4
  #define ERR_OVERFLOW 5
  #define ERR_BADUSER 6
+#define ERR_INVALID 7

  /*
   * This needs to be declared statically so the signal handler can
@@ -582,6 +584,41 @@
  perror(fopen);
  exit(ERR_FILEPERM);
  }
+/*
+ * Now we need to confirm that this is a valid htpasswd file
+ */
+if (! newfile){
+char tmp[MAX_STRING_LEN];
+
+fpw = fopen(pwfilename, r);
+while (! (get_line(line, sizeof(line), fpw))) {
+char *testcolon;
+
+if ((line[0] == '#') || (line[0] == '\0')) {
+continue;
+}
+strcpy(tmp, line);
+testcolon = strchr(tmp, ':');
+if (testcolon != NULL){
+/*
+ * We got a valid line. keep going
+ */
+continue;
+}
+else {
+/*
+ * no colon in the line, and it's not a comment
+ * Time to bail out before we do damage.
+ */
+fprintf(stderr, %s: The file %s does not 
appear 
+to be a valid htpasswd file.\n,
+argv[0], pwfilename);
+fclose(fpw);
+exit(ERR_INVALID);
+}
+}
+fclose(fpw);
+}
  }

  /*
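Review bot: The colon test in the validation loop is only a heuristic, and the block comment above `if (! newfile)` should say so: any file whose non-comment lines each contain a `:` is accepted, so other colon-delimited files still pass as a valid htpasswd file. I would extend that comment to something like `/* Heuristic only: each non-comment line must contain ':'; this does not prove the file is an htpasswd file. */`. It is also worth confirming how `get_line` treats a record longer than `sizeof(line)`; if it returns the remainder as a separate line, a valid file with one overlong record would be rejected here, though `get_line` is not shown, so that is an assumption to check. The enclosing function starts and ends outside the hunk.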
@@ -678,7 +715,7 @@
  /*
   * The temporary file now contains the information that should be
   * in the actual password file.  Close the open files, re-open them
- * in the appropriate mode, and copy them file to the real one.
+ * in the appropriate mode, and copy the temp file to the real one.
   */
  fclose(ftemp);
  fpw = fopen(pwfilename, w+);