From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <development+bounces-339-archive=lists.ipfire.org@lists.ipfire.org>
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Zsvzb2b4Dz3348
	for <archive@lists.ipfire.org>; Wed,  7 May 2025 12:42:19 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZsvzW65vlz30L0
	for <development@lists.ipfire.org>; Wed,  7 May 2025 12:42:15 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4ZsvzV5Y56z1Zd;
	Wed,  7 May 2025 12:42:14 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1746621734;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8ckw4fuw0YqKVp7sL9HhnqGBCfHgpkOINiV2DGA+EVg=;
	b=o73Cn7xKJwVegWwcompwrydQwfZ51D9FCwJ4A/ukr1f7Qzctvm5JtbR6cIJr67ib1V3u0K
	EzMUBGfgw9WUn6CQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa;
	t=1746621734;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=8ckw4fuw0YqKVp7sL9HhnqGBCfHgpkOINiV2DGA+EVg=;
	b=o+dxOc6XItwuEapIVQg4hPaWabgvjgH/5xNMgyA/994EamLirRyRGpQGQCEoMyRkpYQFCP
	geM4kV37ALre1t/fFJgro25Yr6EkvlOprE1JrZV4ZwLq8hl5cS2xk6kLsvNCriPqJQdDvp
	0kemH4rFJkqXNJQap++5a8NUN9CLyrHKQhDrLpPphG28bQv8HZ3l71s297GKbiFdNpvcOm
	3r4J0INuxFeP/d5FP1Yk+QBfnQZE93FqYLRW34We9bz+pkQ5W5dh8z09paTByhH6MnYhMq
	CBTwNVoLj8By0yjeDjjGEqUall/atJZcXZoddxuo1G8X86KwerRYP+agp/9RjQ==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction
Date: Wed,  7 May 2025 14:42:11 +0200
Message-ID: <20250507124211.16762-1-adolf.belka@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

- Realised that I had not tested the old password being correct or not. Previous check
   gave the same answer irrespective of the output coming from the htpasswd verification.
- This changes the variable used for the system_output result to an array and then
   checks if the first element contains the failure message that htpasswd gives if
   password verification fails.
- Tested out with correct and incorrect old passwords and gave the correct answer in
   both cases. Confirmed also that the check for the user being present works correctly
   for both an existing and new user name, which it did.

Fixes: bug12755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/chpasswd.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index c00caca20..46c3e02f6 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
        # Check if a user with this name and password exists in the userdb file
        # and if it does then change the password to the new one
        my $user = &General::system_output("grep", "$cgiparams{'USERNAME'}", "$userdb");
-       my $old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
+       my @old_password = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}");
        if (!$user) {
                $errormessage = $tr{'advproxy errmsg invalid user'};
                goto ERROR;
-       } elsif (!$old_password) {
+       } elsif (@old_password[0] =~ /password verification failed/) {
                 $errormessage = $tr{'advproxy errmsg password incorrect'};
                 goto ERROR;
        } else {
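Review bot: `@old_password[0]` in the new `elsif` is a one-element array slice where a scalar element is meant; Perl accepts it (a slice in scalar context yields its last element) but emits "Scalar value @old_password[0] better written as $old_password[0]" under `use warnings`, so write `$old_password[0] =~ /password verification failed/`. Matching the English message text is also fragile: upstream htpasswd prints that line to stderr, so the check depends on General::system_output merging stderr into the returned lines and on the wording never changing, while htpasswd already signals a failed verification through a non-zero exit status; if General::system_output (or a sibling helper) exposes the status, testing it is the more robust check and removes the string dependency. Two pre-existing points in the context lines deserve a follow-up: `grep "$cgiparams{'USERNAME'}"` is an unanchored pattern match, so a USERNAME that is a substring of any entry in `$userdb` (or that contains regex metacharacters) passes the existence check, and anchoring on the `username:` prefix would tighten it; and `htpasswd -b` takes OLD_PASSWORD as a command-line argument, where it is visible to other local processes in the process list for the duration of the call (the htpasswd manual warns about `-b` for this reason), whereas the `-i` option reads the password from stdin.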
-- 
2.49.0