coar 99/06/03 08:42:39
Modified: src CHANGES src/support htpasswd.1 htpasswd.c
Log:
Document the length restrictions on the username and password for src/support/htpasswd. Also gritch about illegal characters in the username (':' is the field separator).
Revision Changes Path
1.1367 +5 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1366
retrieving revision 1.1367
diff -u -r1.1366 -r1.1367
--- CHANGES 1999/06/02 20:11:16 1.1366
+++ CHANGES 1999/06/03 15:42:33 1.1367
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.7
 
+  *) When the username or password fed to htpasswd is too long, include the
+     size limit in the error message. Also report illegal characters
+     (currently only ':') in the username. Add the size restrictions
+     to the man page. [Ken Coar]
+  *) Fixed the configure --without-support option so it doesn't result in
+     an infinite loop. [Marc Slemko]
1.11 +7 -4 apache-1.3/src/support/htpasswd.1
Index: htpasswd.1
===================================================================
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- htpasswd.1 1999/04/10 15:08:45 1.10
+++ htpasswd.1 1999/06/03 15:42:38 1.11
@@ -141,8 +141,9 @@
 returns 1 if it encounters some problem accessing files, 2 if there was
 a syntax problem with the command line, 3 if the password was entered
 interactively and the verification entry didn't match, 4 if
-its operation was interrupted, and 5 if a value is too long (username,
-filename, password, or final computed record).
+its operation was interrupted, 5 if a value is too long (username,
+filename, password, or final computed record), and 6 if the username
+contains illegal characters (see the \fBRESTRICTIONS\fP section).
 .SH EXAMPLES
 \fBhtpasswd /usr/local/etc/apache/.htpasswd-users jsmith\fP
 .IP
@@ -180,12 +181,14 @@
 .SH RESTRICTIONS
 On the Windows and MPE platforms, passwords encrypted with
 .B htpasswd
-are limited to no more than 80 characters in length. Longer
-passwords will be truncated to 80 characters.
+are limited to no more than 255 characters in length. Longer
+passwords will be truncated to 255 characters.
 .PP
 The MD5 algorithm used by
 .B htpasswd
 is specific to the Apache software; passwords encrypted using it will
 not be usable with other Web servers.
+.PP
+Usernames are limited to 255 bytes and may not include the character ':'.
 .SH SEE ALSO
 .BR httpd(8)
1.31 +15 -62 apache-1.3/src/support/htpasswd.c
Index: htpasswd.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- htpasswd.c 1999/05/31 19:44:30 1.30
+++ htpasswd.c 1999/06/03 15:42:38 1.31
@@ -75,6 +75,7 @@
  * 4: Failure; operation interrupted (such as with CTRL/C)
  * 5: Failure; buffer would overflow (username, filename, or computed
  *    record too long)
+ * 6: Failure; username contains illegal or reserved characters
  */
 
 #include "ap_config.h"
@@ -107,6 +108,7 @@
 #define ERR_PWMISMATCH 3
 #define ERR_INTERRUPTED 4
 #define ERR_OVERFLOW 5
+#define ERR_BADUSER 6
 
 /*
  * This needs to be declared statically so the signal handler can
@@ -160,64 +162,7 @@
     }
 }
 
-#ifdef MPE
 /*
- * MPE lacks getpass() and a way to suppress stdin echo. So for now, just
- * issue the prompt and read the results with echo. (Ugh).
- */
-
-static char *getpass(const char *prompt)
-{
-    static char password[81];
-
-    fputs(prompt, stderr);
-    gets((char *) &password);
-
-    if (strlen((char *) &password) > 80) {
-        password[80] = '\0';
-    }
-
-    return (char *) &password;
-}
-
-#endif
-
-#ifdef WIN32
-/*
- * Windows lacks getpass(). So we'll re-implement it here.
- */
-
-static char *getpass(const char *prompt)
-{
-    static char password[81];
-    int n = 0;
-
-    fputs(prompt, stderr);
-
-    while ((password[n] = _getch()) != '\r') {
-        if (password[n] >= ' ' && password[n] <= '~') {
-            n++;
-            printf("*");
-        }
-        else {
-            printf("\n");
-            fputs(prompt, stderr);
-            n = 0;
-        }
-    }
-
-    password[n] = '\0';
-    printf("\n");
-
-    if (n > 80) {
-        password[80] = '\0';
-    }
-
-    return (char *) &password;
-}
-#endif
-
-/*
  * Make a password record from the given information. A zero return
  * indicates success; failure means that the output buffer contains an
  * error message instead.
@@ -228,15 +173,16 @@
     char *pw;
     char cpw[120];
     char salt[9];
-    char pwin[129];
-    char pwv[129];
+    char pwin[MAX_STRING_LEN];
+    char pwv[MAX_STRING_LEN];
 
     if (passwd != NULL) {
         pw = passwd;
     }
     else {
         if (ap_getpass("New password: ", pwin, sizeof(pwin)) != 0) {
-            ap_cpystrn(record, "password too long", (rlen -1));
+            ap_snprintf(record, (rlen - 1), "password too long (>%d)",
+                        sizeof(pwin) - 1);
             return ERR_OVERFLOW;
         }
         ap_getpass("Re-type new password: ", pwv, sizeof(pwv));
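Review bot: The new `ap_snprintf(record, (rlen - 1), "password too long (>%d)", sizeof(pwin) - 1)` hands a size_t to a `%d` conversion, which is undefined where size_t is wider than int and prints garbage on LP64 targets; write `(int)(sizeof(pwin) - 1)`. Passing `rlen - 1` as the size is carried over from the old ap_cpystrn call and leaves one byte of `record` unused if ap_snprintf counts the terminator the way snprintf does — harmless, but `rlen` is presumably what was meant. The second `ap_getpass("Re-type new password: ", pwv, sizeof(pwv))` still discards its return value, so an over-long re-typed password apparently falls through to the later comparison instead of reporting ERR_OVERFLOW; worth confirming that is intended. mkrecord's signature and the rest of its body, including whether `pwin`/`pwv` are zeroed before return, are outside the hunk.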
@@ -434,13 +380,20 @@
     }
     strcpy(pwfilename, argv[i]);
     if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
-        fprintf(stderr, "%s: username too long\n", argv[0]);
+        fprintf(stderr, "%s: username too long (>%d)\n", argv[0],
+                sizeof(user) - 1);
         return ERR_OVERFLOW;
     }
     strcpy(user, argv[i + 1]);
+    if ((arg = strchr(user, ':')) != NULL) {
+        fprintf(stderr, "%s: username contains illegal character '%c'\n",
+                argv[0], *arg);
+        return ERR_BADUSER;
+    }
     if (noninteractive) {
         if (strlen(argv[i + 2]) > (sizeof(password) - 1)) {
-            fprintf(stderr, "%s: password too long\n", argv[0]);
+            fprintf(stderr, "%s: password too long (>%d)\n", argv[0],
+                    sizeof(password) - 1);
             return ERR_OVERFLOW;
         }
         strcpy(password, argv[i + 2]);
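Review bot: The new check after `strcpy(user, argv[i + 1])` rejects only ':', but a username carrying '\n' or '\r' would damage the password file just as badly, since (going by the line-oriented `user:password` format the commit log describes) an embedded newline lets a single argv entry emit a second record line. Widening the test to `if ((arg = strpbrk(user, ":\r\n")) != NULL) {` closes that, and because `%c` would then write the raw control character to stderr, the message should print `(unsigned char)*arg` with `'\x%02x'` instead. The `%d` conversions fed `sizeof(user) - 1` and `sizeof(password) - 1` receive a size_t, a format/argument mismatch wherever size_t is wider than int; cast both to `(int)`. This is inside main(), whose start and end lie outside the hunk, and the code that actually writes the record is not visible here.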