Re: [Patch] Add sanity checking to htpasswd (Was Re: [Patch] DeTabbify htpasswd.c)
* William A. Rowe, Jr. ([EMAIL PROTECTED]) wrote:
+1 here, I'm only confused by why you needed the extra strcpy(tmp, line); which doesn't seem to be necessary.

Gone now. I think that was a relic from when I was trying to do this a different way. Oh, and the spaces are now sorted, thanks to the cluesticking I got from Justin and Cliff last night on IRC.

Cheers,
-Thom

Index: htpasswd.c === RCS file: /home/cvspublic/httpd-2.0/support/htpasswd.c,v retrieving revision 1.43 diff -u -u -r1.43 htpasswd.c --- htpasswd.c 16 May 2002 19:57:11 - 1.43 +++ htpasswd.c 17 May 2002 07:43:49 - @@ -77,6 +77,7 @@ * 5: Failure; buffer would overflow (username, filename, or computed * record too long) * 6: Failure; username contains illegal or reserved characters + * 7: Failure: file is not a valid htpasswd file */ #include apr.h @@ -133,6 +134,7 @@ #define ERR_INTERRUPTED 4 #define ERR_OVERFLOW 5 #define ERR_BADUSER 6 +#define ERR_INVALID 7 /* * This needs to be declared statically so the signal handler can @@ -582,6 +584,39 @@ perror(fopen); exit(ERR_FILEPERM); } +/* + * Now we need to confirm that this is a valid htpasswd file + */ +if (! newfile){ + +fpw = fopen(pwfilename, r); +while (! (get_line(line, sizeof(line), fpw))) { +char *testcolon; + +if ((line[0] == '#') || (line[0] == '\0')) { +continue; +} +testcolon = strchr(line, ':'); +if (testcolon != NULL){ +/* + * We got a valid line. keep going + */ +continue; +} +else { +/* + * no colon in the line, and it's not a comment + * Time to bail out before we do damage. + */ +fprintf(stderr, %s: The file %s does not appear +to be a valid htpasswd file.\n, +argv[0], pwfilename); +fclose(fpw); +exit(ERR_INVALID); +} +} +fclose(fpw); +} } /* 
@@ -678,7 +713,7 @@ /* * The temporary file now contains the information that should be * in the actual password file. Close the open files, re-open them - * in the appropriate mode, and copy them file to the real one. + * in the appropriate mode, and copy the temp file to the real one. */ fclose(ftemp); fpw = fopen(pwfilename, w+);
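Review bot: in the @@ -77,6 +77,7 @@ hunk the new exit-code entry is written `7: Failure:` with a colon, while the existing entries for 5 and 6 use `Failure;`. Suggest `7: Failure; file is not a valid htpasswd file` so the list in the header comment stays uniform.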
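Review bot: in the @@ -582,6 +584,39 @@ hunk the result of `fpw = fopen(pwfilename, r);` goes straight into get_line() with no NULL test, so a failed open for reading hands a null stream to the loop. Check the return value and exit the way the context lines just above do (perror followed by exit(ERR_FILEPERM)). Separately, the validity test accepts any non-comment line that contains ':' anywhere, including a line that begins with ':' and so has an empty username; either require `testcolon != line` or say in the comment that this is only a heuristic against overwriting an unrelated file.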
Re: [Patch] Add sanity checking to htpasswd (Was Re: [Patch] DeTabbify htpasswd.c)
+1 here, I'm only confused by why you needed the extra strcpy(tmp, line); which doesn't seem to be necessary.

At 02:49 PM 5/16/2002, you wrote:
Ok, so now a new sanity check, hopefully sans tabs.
-Thom
--
Thom May - [EMAIL PROTECTED]
Buffy: We have a marching jazz band?
Oz: Yeah, but, you know, since the best jazz is improvisational, we'd be going off in all directions, banging into floats... scary.

--- htpasswd.c.orig Thu May 16 20:45:41 2002 +++ htpasswd.c Thu May 16 20:44:51 2002 @@ -77,6 +77,7 @@ * 5: Failure; buffer would overflow (username, filename, or computed * record too long) * 6: Failure; username contains illegal or reserved characters + * 7: Failure: file is not a valid htpasswd file */ #include apr.h @@ -133,6 +134,7 @@ #define ERR_INTERRUPTED 4 #define ERR_OVERFLOW 5 #define ERR_BADUSER 6 +#define ERR_INVALID 7 /* * This needs to be declared statically so the signal handler can @@ -582,6 +584,41 @@ perror(fopen); exit(ERR_FILEPERM); } +/* + * Now we need to confirm that this is a valid htpasswd file + */ +if (! newfile){ +char tmp[MAX_STRING_LEN]; + +fpw = fopen(pwfilename, r); +while (! (get_line(line, sizeof(line), fpw))) { +char *testcolon; + +if ((line[0] == '#') || (line[0] == '\0')) { +continue; +} +strcpy(tmp, line); +testcolon = strchr(tmp, ':'); +if (testcolon != NULL){ +/* + * We got a valid line. keep going + */ +continue; +} +else { +/* + * no colon in the line, and it's not a comment + * Time to bail out before we do damage. + */ +fprintf(stderr, %s: The file %s does not appear +to be a valid htpasswd file.\n, +argv[0], pwfilename); +fclose(fpw); +exit(ERR_INVALID); +} +} +fclose(fpw); +} } /* @@ -678,7 +715,7 @@ /* * The temporary file now contains the information that should be * in the actual password file. Close the open files, re-open them - * in the appropriate mode, and copy them file to the real one. + * in the appropriate mode, and copy the temp file to the real one. */ fclose(ftemp); fpw = fopen(pwfilename, w+);
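Review bot: in the @@ -582,6 +584,41 @@ hunk `strcpy(tmp, line);` is an unbounded copy into `char tmp[MAX_STRING_LEN]`, and nothing visible here ties the size of `line` (read with `sizeof(line)`) to MAX_STRING_LEN. strchr() only reads its argument, so the scratch buffer serves no purpose: drop `tmp` and the copy and search the input directly with `testcolon = strchr(line, ':');`.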