Subject: Re: [PATCH v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction
From: Michael Tremer
Date: Wed, 7 May 2025 13:44:09 +0100
To: Adolf Belka
Cc: development@lists.ipfire.org
Message-Id: <11929F52-E93F-4C85-9704-51BFDC741FEA@ipfire.org>
In-Reply-To: <20250507124211.16762-1-adolf.belka@ipfire.org>
References: <20250507124211.16762-1-adolf.belka@ipfire.org>

Hello Adolf,

Thanks for the patch.

Is there no return code that we get from htpasswd instead of parsing the output?

-Michael

> On 7 May 2025, at 13:42, Adolf Belka wrote:
>
> - Realised that I had not tested the old password being correct or not. Previous check
>   gave the same answer irrespective of the output coming from the htpasswd verification.
> - This changes the variable used for the system_output result to an array and then
>   checks if the first element contains the failure message that htpasswd gives if
>   password verification fails.
> - Tested out with correct and incorrect old passwords and gave the correct answer in
>   both cases. Confirmed also that the check for the user being present works correctly
>   for both an existing and new user name, which it did.
>
> Fixes: bug12755
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka
> ---
> html/cgi-bin/chpasswd.cgi | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi > index c00caca20..46c3e02f6 100644 > --- a/html/cgi-bin/chpasswd.cgi > +++ b/html/cgi-bin/chpasswd.cgi 
> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy = chgwebpwd change password'}) > # Check if a user with this name and password exists in the = userdb file > # and if it does then change the password to the new one > my $user =3D &General::system_output("grep", = "$cgiparams{'USERNAME'}", "$userdb"); > - my $old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); > + my @old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); > if (!$user) { > $errormessage =3D $tr{'advproxy errmsg invalid user'}; > goto ERROR; > - } elsif (!$old_password) { > + } elsif (@old_password[0] =3D~ /password verification failed/) = { > $errormessage =3D $tr{'advproxy errmsg password = incorrect'}; > goto ERROR; > } else { > --=20 > 2.49.0 >=20 >=20
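
Review bot: The new `elsif` test fails open: it rejects the request only when the first output line matches /password verification failed/, so any other htpasswd outcome (empty output, a file access error, a differently worded message) falls through to the `else` branch, which per the comment at the top of the hunk changes the password. Prefer deciding on the exit status of `/usr/bin/htpasswd -bv`, as asked in the reply above, and treat everything other than a successful verification as an error; that needs a call which exposes the exit status, which `&General::system_output` as used here does not show. Also, `@old_password[0]` is a one-element array slice; the scalar element is written `$old_password[0]`. In the unchanged context, `grep` takes `$cgiparams{'USERNAME'}` as a pattern matched anywhere in a line of `$userdb`, so `$user` can be non-empty for a name that is not an exact entry; the htpasswd verification result is the check to rely on.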