From: André Malo Date: Tue, 13 May 2003 03:40:29 +0000 (+0000) Subject: (grabbed from archive) X-Git-Tag: pre_ajp_proxy~1716 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abe287956a027dc610de90f5326ce99800f27d58;p=thirdparty%2Fapache%2Fhttpd.git (grabbed from archive) Check the processed file on validity. If a line is not empty and not a comment, it must contain at least one colon. Otherwise exit with error code 7. Submitted by: Thom May (on 2002-07-02) Kris Verbeeck (on 2002-10-22) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99771 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 08edce8b65a..0215f8632bc 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.1.0-dev [Remove entries to the current 2.0 section below, when backported] + *) htpasswd: Check the processed file on validity. If a line is not empty + and not a comment, it must contain at least one colon. Otherwise exit + with error code 7. [Kris Verbeeck , Thom May] + *) Use appropriate language code for Czech (cs) in default config files. PR 9427. [André Malo] diff --git a/STATUS b/STATUS index 99a2786a494..5c066e717c9 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.1 STATUS: -*-text-*- -Last modified at [$Date: 2003/03/07 20:24:07 $] +Last modified at [$Date: 2003/05/13 03:40:28 $] Release [NOTE that only Alpha/Beta releases occur in 2.1 development]: @@ -166,13 +166,6 @@ RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP: the same time. This mode lets us do that, so the MPM can be fixed. - * htpasswd blindly processes the file you give it, and does no - sanity checking before totally corrupting whatever file it was - you thought you had. It should check the input file and bail - if it finds non-comment lines that do not contain exactly 1 - ':' character. - Message-ID: <20020217150457.A31632@clove.org> - * Can a static httpd be built reliably? Message-ID: <20020207142751.T31582@clove.org> diff --git a/support/htpasswd.c b/support/htpasswd.c index 64a04588c44..2a28653ab46 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -77,6 +77,7 @@ * 5: Failure; buffer would overflow (username, filename, or computed * record too long) * 6: Failure; username contains illegal or reserved characters + * 7: Failure; file is not a valid htpasswd file */ #include "apr.h" @@ -133,6 +134,7 @@ #define ERR_INTERRUPTED 4 #define ERR_OVERFLOW 5 #define ERR_BADUSER 6 +#define ERR_INVALID 7 #define APHTP_NEWFILE 1 #define APHTP_NOFILE 2 @@ -578,6 +580,18 @@ int main(int argc, const char * const argv[]) if (colon != NULL) { *colon = '\0'; } + else { + /* + * If we've not got a colon on the line, this could well + * not be a valid htpasswd file. + * We should bail at this point. + */ + apr_file_printf(errfile, "\n%s: The file %s does not appear " + "to be a valid htpasswd file.\n", + argv[0], pwfilename); + apr_file_close(fpw); + exit(ERR_INVALID); + } if (strcmp(user, scratch) != 0) { putline(ftemp, line); continue;