From: Jeff Trawick
Date: Wed, 22 Sep 2010 01:35:42 +0000 (+0000)
Subject: Backport trunk revs 826506, 826520, 826528, 987498
X-Git-Tag: 2.2.17~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ed9e91ee234eea087b90f55889b677ebc489573;p=thirdparty%2Fapache%2Fhttpd.git
Backport trunk revs 826506, 826520, 826528, 987498
sync htdigest with trunk to fix overflows and pick up other minor tweaks
Reviewed by: poirier, rpluem
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@999717 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 8a2261167ec..510db8835fa 100644
--- a/STATUS
+++ b/STATUS
@@ -87,13 +87,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- * sync htdigest with trunk to fix overflows and pick up other minor tweaks
- Trunk patches: http://svn.apache.org/viewvc?view=revision&revision=826506
- http://svn.apache.org/viewvc?view=revision&revision=826520
- http://svn.apache.org/viewvc?view=revision&revision=826528
- http://svn.apache.org/viewvc?view=revision&revision=987498
- 2.2.x patch: http://people.apache.org/~trawick/htdigest-sync.txt
- +1: trawick, poirier, rpluem
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/support/htdigest.c b/support/htdigest.c
index 4f99d3eb71e..6a0e26f123f 100644
--- a/support/htdigest.c
+++ b/support/htdigest.c
@@ -124,7 +124,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
 char *pw;
 apr_md5_ctx_t context;
 unsigned char digest[16];
- char string[MAX_STRING_LEN];
+ char string[3 * MAX_STRING_LEN]; /* this includes room for 2 * ':' + '\0' */
 char pwin[MAX_STRING_LEN];
 char pwv[MAX_STRING_LEN];
 unsigned int i;
@@ -144,7 +144,7 @@ static void add_password(const char *user, const char *realm, apr_file_t *f)
 apr_file_printf(f, "%s:%s:", user, realm);
 /* Do MD5 stuff */
- sprintf(string, "%s:%s:%s", user, realm, pw);
+ apr_snprintf(string, sizeof(string), "%s:%s:%s", user, realm, pw);
 apr_md5_init(&context);
 #if APR_CHARSET_EBCDIC
@@ -188,8 +188,8 @@ int main(int argc, const char * const argv[])
 char *dirname;
 char user[MAX_STRING_LEN];
 char realm[MAX_STRING_LEN];
- char line[MAX_STRING_LEN];
- char l[MAX_STRING_LEN];
+ char line[3 * MAX_STRING_LEN];
+ char l[3 * MAX_STRING_LEN];
 char w[MAX_STRING_LEN];
 char x[MAX_STRING_LEN];
 int found;
@@ -222,9 +222,11 @@ int main(int argc, const char * const argv[])
 apr_strerror(rv, errmsg, sizeof errmsg));
 exit(1);
 }
+ apr_cpystrn(user, argv[4], sizeof(user));
+ apr_cpystrn(realm, argv[3], sizeof(realm));
 apr_file_printf(errfile, "Adding password for %s in realm %s.\n",
- argv[4], argv[3]);
- add_password(argv[4], argv[3], f);
+ user, realm);
+ add_password(user, realm, f);
 apr_file_close(f);
 exit(0);
 }
@@ -253,7 +255,7 @@ int main(int argc, const char * const argv[])
 apr_cpystrn(realm, argv[2], sizeof(realm));
 found = 0;
- while (!(get_line(line, MAX_STRING_LEN, f))) {
+ while (!(get_line(line, sizeof(line), f))) {
 if (found || (line[0] == '#') || (!line[0])) {
 putline(tfp, line);
 continue;
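Review bot: The `apr_snprintf` call in add_password (hunk at -144) bounds the write, but nothing records why `user:realm:pw` always fits. If it were ever cut short, the MD5 would be computed over a different string and a digest matching no real credential would be written. The 3 * MAX_STRING_LEN buffer is sufficient only while every caller passes strings shorter than MAX_STRING_LEN. The copies added in main() ensure that for the create path, but the other call site is not part of this diff. I would state the contract at the point of use, e.g. `/* user, realm and pw are each < MAX_STRING_LEN, so this cannot truncate */` above the call. add_password starts and ends outside the hunk.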
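Review bot: In the declarations hunk at -188, `line` and `l` grow to 3 * MAX_STRING_LEN while `w` and `x` stay at MAX_STRING_LEN, so a record read from an existing digest file can now hold a field longer than the buffers it is split into. The code that fills `w` and `x` is outside this diff; if it copies up to the ':' without a length limit, an over-long user or realm field in the file would write past the end of those arrays, which should be confirmed. Sizing them like the line buffers closes the gap: `char w[3 * MAX_STRING_LEN];` and `char x[3 * MAX_STRING_LEN];`, or alternatively pass the destination size to the splitting helper. main() continues outside the hunk.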
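Review bot: In the hunk at -222, `apr_cpystrn(user, argv[4], sizeof(user))` and the matching realm copy silently cut an over-long argument to MAX_STRING_LEN - 1 bytes. The entry is then stored for a different user or realm than the one typed, and the tool still exits 0. Rejecting the input is safer than keeping a credential under a shortened name: `if (strlen(argv[4]) >= sizeof(user) || strlen(argv[3]) >= sizeof(realm)) { /* report on errfile */ exit(1); }`. This check would ideally come before the file is opened (the open is not visible here, only its error path). The same consideration applies to the existing `apr_cpystrn(realm, argv[2], sizeof(realm));` shown as context in the hunk at -253.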