| Message ID | 20250507124211.16762-1-adolf.belka@ipfire.org |
|---|---|
| State | New |
| Headers |
Return-Path: <development+bounces-339-patchwork=ipfire.org@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Zsvzb41nMz3x4T for <patchwork@web04.haj.ipfire.org>; Wed, 7 May 2025 12:42:19 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZsvzZ6HNGz6Qn for <patchwork@ipfire.org>; Wed, 7 May 2025 12:42:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZsvzZ5bdsz339f for <patchwork@ipfire.org>; Wed, 7 May 2025 12:42:18 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZsvzW65vlz30L0 for <development@lists.ipfire.org>; Wed, 7 May 2025 12:42:15 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZsvzV5Y56z1Zd; Wed, 7 May 2025 12:42:14 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1746621734; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=8ckw4fuw0YqKVp7sL9HhnqGBCfHgpkOINiV2DGA+EVg=; b=o73Cn7xKJwVegWwcompwrydQwfZ51D9FCwJ4A/ukr1f7Qzctvm5JtbR6cIJr67ib1V3u0K EzMUBGfgw9WUn6CQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1746621734; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=8ckw4fuw0YqKVp7sL9HhnqGBCfHgpkOINiV2DGA+EVg=; b=o+dxOc6XItwuEapIVQg4hPaWabgvjgH/5xNMgyA/994EamLirRyRGpQGQCEoMyRkpYQFCP geM4kV37ALre1t/fFJgro25Yr6EkvlOprE1JrZV4ZwLq8hl5cS2xk6kLsvNCriPqJQdDvp 0kemH4rFJkqXNJQap++5a8NUN9CLyrHKQhDrLpPphG28bQv8HZ3l71s297GKbiFdNpvcOm 3r4J0INuxFeP/d5FP1Yk+QBfnQZE93FqYLRW34We9bz+pkQ5W5dh8z09paTByhH6MnYhMq CBTwNVoLj8By0yjeDjjGEqUall/atJZcXZoddxuo1G8X86KwerRYP+agp/9RjQ== From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Cc: Adolf Belka <adolf.belka@ipfire.org> Subject: [PATCH v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction Date: Wed, 7 May 2025 14:42:11 +0200 Message-ID: <20250507124211.16762-1-adolf.belka@ipfire.org> Precedence: list List-Id: <development.lists.ipfire.org> List-Subscribe: <https://lists.ipfire.org/>, <mailto:development+subscribe@lists.ipfire.org?subject=subscribe> List-Unsubscribe: <https://lists.ipfire.org/>, <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development+help@lists.ipfire.org?subject=help> Sender: <development@lists.ipfire.org> Mail-Followup-To: <development@lists.ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit |
| Series |
[v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction
|
|
Commit Message
Adolf Belka
May 7, 2025, 12:42 p.m. UTC
- Realised that I had not tested the old password beinhg correct or not. Previous check gave the same answer irrespective of the output coming from the htpasswd verification. - This changes the variable used for the system_output result to an array and then checks if the first element contains the failure message that htpasswd gives if password verification fails. - Tested out with correct and incorrect old passwords and gave the correct answer in both cases. Confirmed also that the check for the user being present works correctly for both an existing and new user name, which it did. Fixes: bug12755 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> --- html/cgi-bin/chpasswd.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Hello Adolf, Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output? -Michael > On 7 May 2025, at 13:42, Adolf Belka <adolf.belka@ipfire.org> wrote: > > - Realised that I had not tested the old password beinhg correct or not. Previous check > gave the same answer irrespective of the output coming from the htpasswd verification. > - This changes the variable used for the system_output result to an array and then > checks if the first element contains the failure message that htpasswd gives if > password verification fails. > - Tested out with correct and incorrect old passwords and gave the correct answer in > both cases. Confirmed also that the check for the user being present works correctly > for both an existing and new user name, which it did. > > Fixes: bug12755 > Tested-by: Adolf Belka <adolf.belka@ipfire.org> > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > html/cgi-bin/chpasswd.cgi | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi > index c00caca20..46c3e02f6 100644 > --- a/html/cgi-bin/chpasswd.cgi > +++ b/html/cgi-bin/chpasswd.cgi > @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) > # Check if a user with this name and password exists in the userdb file > # and if it does then change the password to the new one > my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); > - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); > + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); > if (!$user) { > $errormessage = $tr{'advproxy errmsg invalid user'}; > goto ERROR; > - } elsif (!$old_password) { > + } elsif (@old_password[0] =~ /password verification failed/) { > $errormessage = $tr{'advproxy errmsg password incorrect'}; > goto ERROR; > } else { > -- > 2.49.0 > >
Hi Michael, On 07/05/2025 14:44, Michael Tremer wrote: > Hello Adolf, > > Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output? It gives a return code for everything, with numbers of 0 to 7, except for the use of the -v option to verify the password. This gives password verification failed if the existing password for the specified user is not correct and Password for user fred correct. if the user specified was fred and the specified password was correct. It does the above for both the interactive -v and the batch mode using the command line of -bv I had to use the check for if the string was found in the return variable because if I checked if the string matched the contents of the variable it always failed so I think there is a hidden Carriage Return or something in the output from htpasswd for the verification test. Regards, Adolf. > > -Michael > >> On 7 May 2025, at 13:42, Adolf Belka <adolf.belka@ipfire.org> wrote: >> >> - Realised that I had not tested the old password beinhg correct or not. Previous check >> gave the same answer irrespective of the output coming from the htpasswd verification. >> - This changes the variable used for the system_output result to an array and then >> checks if the first element contains the failure message that htpasswd gives if >> password verification fails. >> - Tested out with correct and incorrect old passwords and gave the correct answer in >> both cases. Confirmed also that the check for the user being present works correctly >> for both an existing and new user name, which it did. >> >> Fixes: bug12755 >> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >> --- >> html/cgi-bin/chpasswd.cgi | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi >> index c00caca20..46c3e02f6 100644 >> --- a/html/cgi-bin/chpasswd.cgi >> +++ b/html/cgi-bin/chpasswd.cgi >> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) >> # Check if a user with this name and password exists in the userdb file >> # and if it does then change the password to the new one >> my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); >> - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >> + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >> if (!$user) { >> $errormessage = $tr{'advproxy errmsg invalid user'}; >> goto ERROR; >> - } elsif (!$old_password) { >> + } elsif (@old_password[0] =~ /password verification failed/) { >> $errormessage = $tr{'advproxy errmsg password incorrect'}; >> goto ERROR; >> } else { >> -- >> 2.49.0 >> >> > >
Hi Michael, On 07/05/2025 15:52, Adolf Belka wrote: > Hi Michael, > > On 07/05/2025 14:44, Michael Tremer wrote: >> Hello Adolf, >> >> Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output? > > It gives a return code for everything, with numbers of 0 to 7, except for the use of the -v option to verify the password. There might be a status code returned. The man page says 3 if the password was entered interactively and the verification entry didn't match but elsewhere it does suggest that interactively is not via the -bv option but where you just use -v and manually type the password when requested on the command line. If the status 3 is a valid status code, how can I access that from the output of the &General::system_output subroutine? I could give it a try out and if it does work then I could do a v3 patch. Regards, Adolf. > This gives > > password verification failed > > if the existing password for the specified user is not correct and > > Password for user fred correct. > > if the user specified was fred and the specified password was correct. > > It does the above for both the interactive -v and the batch mode using the command line of -bv > > I had to use the check for if the string was found in the return variable because if I checked if the string matched the contents of the variable it always failed so I think there is a hidden Carriage Return or something in the output from htpasswd for the verification test. > > Regards, > > Adolf. > >> >> -Michael >> >>> On 7 May 2025, at 13:42, Adolf Belka <adolf.belka@ipfire.org> wrote: >>> >>> - Realised that I had not tested the old password beinhg correct or not. Previous check >>> gave the same answer irrespective of the output coming from the htpasswd verification. >>> - This changes the variable used for the system_output result to an array and then >>> checks if the first element contains the failure message that htpasswd gives if >>> password verification fails. >>> - Tested out with correct and incorrect old passwords and gave the correct answer in >>> both cases. Confirmed also that the check for the user being present works correctly >>> for both an existing and new user name, which it did. >>> >>> Fixes: bug12755 >>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>> --- >>> html/cgi-bin/chpasswd.cgi | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi >>> index c00caca20..46c3e02f6 100644 >>> --- a/html/cgi-bin/chpasswd.cgi >>> +++ b/html/cgi-bin/chpasswd.cgi >>> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) >>> # Check if a user with this name and password exists in the userdb file >>> # and if it does then change the password to the new one >>> my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); >>> - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>> + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>> if (!$user) { >>> $errormessage = $tr{'advproxy errmsg invalid user'}; >>> goto ERROR; >>> - } elsif (!$old_password) { >>> + } elsif (@old_password[0] =~ /password verification failed/) { >>> $errormessage = $tr{'advproxy errmsg password incorrect'}; >>> goto ERROR; >>> } else { >>> -- >>> 2.49.0 >>> >>> >> >> >
Hello Adolf, I just gave this a try: ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $? User admin not found 6 ipfire build chroot (x86_64) root:~$ htpasswd -b /var/ipfire/auth/users admin ipfire Adding password for user admin ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $? Password for user admin correct. 0 ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire2; echo $? password verification failed 3 ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin2 ipfire2; echo $? User admin2 not found 6 This is in the dev system, so the password file was empty to start with. Basically if the username and password match the return code is zero. If something else happened it isn’t. And this is exactly what I would check for: Okay on zero, not okay on anything else. I would not even case why htpasswd was upset because it does not matter in our use-case. -Michael > On 7 May 2025, at 15:02, Adolf Belka <adolf.belka@ipfire.org> wrote: > > Hi Michael, > > On 07/05/2025 15:52, Adolf Belka wrote: >> Hi Michael, >> On 07/05/2025 14:44, Michael Tremer wrote: >>> Hello Adolf, >>> >>> Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output? >> It gives a return code for everything, with numbers of 0 to 7, except for the use of the -v option to verify the password. > There might be a status code returned. The man page says > > 3 if the password was entered interactively and the verification entry didn't match > > but elsewhere it does suggest that interactively is not via the -bv option but where you just use -v and manually type the password when requested on the command line. > > If the status 3 is a valid status code, how can I access that from the output of the &General::system_output subroutine? > > I could give it a try out and if it does work then I could do a v3 patch. > > Regards, > > Adolf. > >> This gives >> password verification failed >> if the existing password for the specified user is not correct and >> Password for user fred correct. >> if the user specified was fred and the specified password was correct. >> It does the above for both the interactive -v and the batch mode using the command line of -bv >> I had to use the check for if the string was found in the return variable because if I checked if the string matched the contents of the variable it always failed so I think there is a hidden Carriage Return or something in the output from htpasswd for the verification test. >> Regards, >> Adolf. >>> >>> -Michael >>> >>>> On 7 May 2025, at 13:42, Adolf Belka <adolf.belka@ipfire.org> wrote: >>>> >>>> - Realised that I had not tested the old password beinhg correct or not. Previous check >>>> gave the same answer irrespective of the output coming from the htpasswd verification. >>>> - This changes the variable used for the system_output result to an array and then >>>> checks if the first element contains the failure message that htpasswd gives if >>>> password verification fails. >>>> - Tested out with correct and incorrect old passwords and gave the correct answer in >>>> both cases. Confirmed also that the check for the user being present works correctly >>>> for both an existing and new user name, which it did. >>>> >>>> Fixes: bug12755 >>>> Tested-by: Adolf Belka <adolf.belka@ipfire.org> >>>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> >>>> --- >>>> html/cgi-bin/chpasswd.cgi | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi >>>> index c00caca20..46c3e02f6 100644 >>>> --- a/html/cgi-bin/chpasswd.cgi >>>> +++ b/html/cgi-bin/chpasswd.cgi >>>> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) >>>> # Check if a user with this name and password exists in the userdb file >>>> # and if it does then change the password to the new one >>>> my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); >>>> - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>> + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>> if (!$user) { >>>> $errormessage = $tr{'advproxy errmsg invalid user'}; >>>> goto ERROR; >>>> - } elsif (!$old_password) { >>>> + } elsif (@old_password[0] =~ /password verification failed/) { >>>> $errormessage = $tr{'advproxy errmsg password incorrect'}; >>>> goto ERROR; >>>> } else { >>>> -- >>>> 2.49.0 >>>> >>>> >>> >>> > >
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi index c00caca20..46c3e02f6 100644 --- a/html/cgi-bin/chpasswd.cgi +++ b/html/cgi-bin/chpasswd.cgi @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'}) # Check if a user with this name and password exists in the userdb file # and if it does then change the password to the new one my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb"); - my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); + my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); if (!$user) { $errormessage = $tr{'advproxy errmsg invalid user'}; goto ERROR; - } elsif (!$old_password) { + } elsif (@old_password[0] =~ /password verification failed/) { $errormessage = $tr{'advproxy errmsg password incorrect'}; goto ERROR; } else {