PATCH: Proper escaping of htpasswd

Help
Brian
2005-08-22
2013-05-01
  • Brian

    Brian - 2005-08-22

    I ran into a bug where certain characters such as ";" and "'" used in a password would not successfully run the `htpasswd` command. The database would store the password correctly, so you would still be able to log into the web interface, but would not be able to authenticate to the Apache server. The following patch attempts to fix the special character issue. This patch also creates MD5 passwords (by passing '-m') to `htpasswd`. Feel free to remove it.

    Index: trunk/svnmanager/UserModule/DataModule.php

    --- trunk/svnmanager/UserModule/DataModule.php  (revision 4)
    +++ trunk/svnmanager/UserModule/DataModule.php  (revision 5)
    @@ -32,11 +32,15 @@
                    require("config.php");

                    //Add user to svn password file
    +               // Escape special strings in htpasswd command
    +                $password = eregi_replace('"', '\"', $password);
                    if(!file_exists("$svn_passwd_file"))
                    {
    -                       exec("$htpassword_cmd -cb $svn_passwd_file $name $passwo rd");
    +                       exec("$htpassword_cmd -cmb $svn_passwd_file $name
    +\"$password\"");
                    } else {
    -                       exec("$htpassword_cmd -b $svn_passwd_file $name $passwor d");
    +                       exec("$htpassword_cmd -bm $svn_passwd_file $name
    +\"$password\"");
                    }

                    $md5_pw = md5($password);
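
Review bot: Escaping only `"` in the added eregi_replace() line is not enough for the double-quoted argument in both new exec() calls: the shell still interprets `$`, backticks and backslashes inside double quotes, and $name is still passed unquoted, so passwords containing those characters reach htpasswd altered and the command line stays open to injection. Suggest dropping the manual escaping and building the command with escapeshellarg($name) and escapeshellarg($password), which single-quotes each argument as a whole. The switch from -cb/-b to -cmb/-bm changes the stored hash format and is unrelated to the escaping fix; it would be easier to review as its own change, or at least with a comment saying why -m is wanted.
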
    @@ -56,7 +60,10 @@

                    $results = $this->Database->Execute("SELECT name FROM users WHER E id='$id'");
                    $name = $results->fields['name'];
    -               exec("$htpassword_cmd -b $svn_passwd_file $name $password");
    +               // Escape special strings in htpasswd command
    +                $password = eregi_replace('"', '\"', $password);
    +               exec("$htpassword_cmd -mb $svn_passwd_file $name
    +\"$password\"");

                    $md5_pw = md5($password);
                    $this->Database->Execute("UPDATE users SET password='$md5_pw' WH ERE id='$id'");
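
Review bot: The added `$password = eregi_replace('"', '\"', $password);` overwrites $password before the unchanged `$md5_pw = md5($password);` line below it, so for any password containing `"` the hash written by the UPDATE is of the escaped string, not of what the user typed, and the web login will then fail for that user; the first hunk has the same ordering. Keep the shell-escaped value in a separate variable (for example the result of escapeshellarg($password)) and leave $password untouched for md5(). If the manual replacement is kept at all, str_replace() is sufficient here, since eregi_replace() treats its first argument as a case-insensitive regular expression for no benefit. $name, read from the users table just above, is also still interpolated into the exec() string unquoted and should get the same treatment.
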

     
    • Marijn Verkerk

      Marijn Verkerk - 2005-08-22

      Thanks!

      This looks like a useful update!

      Marijn

       
