Subject: Re: [PATCH v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction
From: Michael Tremer
Date: Fri, 9 May 2025 13:30:05 +0100
To: Adolf Belka
Cc: "IPFire: Development-List"
Message-Id: <976976E9-DC51-4E47-BC09-49953DAC1259@ipfire.org>
References: <20250507124211.16762-1-adolf.belka@ipfire.org> <11929F52-E93F-4C85-9704-51BFDC741FEA@ipfire.org> <6966b86b-92a6-4a60-99c8-3d1241acd621@ipfire.org> <9F12B0CD-6DF6-4758-8C11-75795D30EB63@ipfire.org>

Hello Adolf,

> On 9 May 2025, at 13:15, Adolf Belka wrote:
>
> Hi Michael,
>
> On 08/05/2025 15:11, Michael Tremer wrote:
>> Hello Adolf,
>> I just gave this a try:
>> ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $?
>> User admin not found
>> 6
>> ipfire build chroot (x86_64) root:~$ htpasswd -b /var/ipfire/auth/users admin ipfire
>> Adding password for user admin
>> ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $?
>> Password for user admin correct.
>> 0
>> ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire2; echo $?
>> password verification failed
>> 3
>> ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin2 ipfire2; echo $?
>> User admin2 not found
>> 6
>> This is in the dev system, so the password file was empty to start with.
>> Basically if the username and password match the return code is zero. If something else happened it isn’t. And this is exactly what I would check for: Okay on zero, not okay on anything else. I would not even care why htpasswd was upset because it does not matter in our use-case.
>
> Okay, so the $? contains the status of the bash command htpasswd but how do I access that via the perl system_output command. I have tried making the result of the system_output command be fed to a $variable but I just get a 1 for all the different conditions you tried.
> I also tried making the system_output command be fed to an array variable and then printing all the elements of that array variable out but there was no status value.

You don’t use the system_output() function, you should use the &General::system() function. On there, we fetch the return code and return it:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cfgroot/general-functions.pl;h=8ba6e3f79f0a9660ba8f8630ad0c7f1a3f6c988d;hb=HEAD#l32

Perl stores the value in $? like bash, but weirdly shifts it by 8 bits, so we have to shift it back.

So your code should read a bit like:

  if (&General::system("htpasswd", "-B", …) == 0) {
    # success
  } else {
    # fail
  }

> It will probably turn out to be very simple but I am afraid I am not having any luck figuring out how to do it.

Not a problem :)

The &General::system_output() function does not return the return code because it is already returning the output of the command. If the command fails there won't be any output - and that is not a very good way to check things normally.

-Michael

> All feedback gladly welcomed.
>
> Regards,
> Adolf.
>
>> -Michael
>>> On 7 May 2025, at 15:02, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> On 07/05/2025 15:52, Adolf Belka wrote:
>>>> Hi Michael,
>>>> On 07/05/2025 14:44, Michael Tremer wrote:
>>>>> Hello Adolf,
>>>>>
>>>>> Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output?
>>>> It gives a return code for everything, with numbers of 0 to 7, except for the use of the -v option to verify the password.
>>> There might be a status code returned.
>>> The man page says
>>>
>>> 3 if the password was entered interactively and the verification entry didn't match
>>>
>>> but elsewhere it does suggest that interactively is not via the -bv option but where you just use -v and manually type the password when requested on the command line.
>>>
>>> If the status 3 is a valid status code, how can I access that from the output of the &General::system_output subroutine?
>>>
>>> I could give it a try out and if it does work then I could do a v3 patch.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>> This gives
>>>> password verification failed
>>>> if the existing password for the specified user is not correct and
>>>> Password for user fred correct.
>>>> if the user specified was fred and the specified password was correct.
>>>> It does the above for both the interactive -v and the batch mode using the command line of -bv
>>>> I had to use the check for if the string was found in the return variable because if I checked if the string matched the contents of the variable it always failed so I think there is a hidden Carriage Return or something in the output from htpasswd for the verification test.
>>>> Regards,
>>>> Adolf.
>>>>>
>>>>> -Michael
>>>>>
>>>>>> On 7 May 2025, at 13:42, Adolf Belka wrote:
>>>>>>
>>>>>> - Realised that I had not tested the old password being correct or not. Previous check
>>>>>>   gave the same answer irrespective of the output coming from the htpasswd verification.
>>>>>> - This changes the variable used for the system_output result to an array and then
>>>>>>   checks if the first element contains the failure message that htpasswd gives if
>>>>>>   password verification fails.
>>>>>> - Tested out with correct and incorrect old passwords and gave the correct answer in
>>>>>>   both cases. Confirmed also that the check for the user being present works correctly
>>>>>>   for both an existing and new user name, which it did.
>>>>>>=20 >>>>>> Fixes: bug12755 >>>>>> Tested-by: Adolf Belka >>>>>> Signed-off-by: Adolf Belka >>>>>> --- >>>>>> html/cgi-bin/chpasswd.cgi | 4 ++-- >>>>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>>>>=20 >>>>>> diff --git a/html/cgi-bin/chpasswd.cgi = b/html/cgi-bin/chpasswd.cgi >>>>>> index c00caca20..46c3e02f6 100644 >>>>>> --- a/html/cgi-bin/chpasswd.cgi >>>>>> +++ b/html/cgi-bin/chpasswd.cgi >>>>>> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy = chgwebpwd change password'}) >>>>>> # Check if a user with this name and password exists in = the userdb file >>>>>> # and if it does then change the password to the new one >>>>>> my $user =3D &General::system_output("grep", = "$cgiparams{'USERNAME'}", "$userdb"); >>>>>> - my $old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>>>> + my @old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>>>> if (!$user) { >>>>>> $errormessage =3D $tr{'advproxy errmsg invalid = user'}; >>>>>> goto ERROR; >>>>>> - } elsif (!$old_password) { >>>>>> + } elsif (@old_password[0] =3D~ /password verification = failed/) { >>>>>> $errormessage =3D $tr{'advproxy errmsg password = incorrect'}; >>>>>> goto ERROR; >>>>>> } else { >>>>>> --=20 >>>>>> 2.49.0
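Review bot: The new elsif in the "@@ -77,11 +77,11 @@" hunk fails open: it rejects only when the first captured line contains "password verification failed", so any other outcome of the htpasswd call (no output at all, a different message, the command not running) falls through to the else branch and is treated as a verified old password. Test the exit status instead and accept only zero, since the session quoted earlier in this thread shows 0 for a match and 3 or 6 otherwise, for example by calling &General::system("/usr/bin/htpasswd", "-bv", ...) and comparing the result with 0. If the output match is kept, "@old_password[0]" is a one-element array slice and should be written "$old_password[0]".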
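The return-code check described in the reply above, as an added example that is not part of the original thread or of IPFire's code. run_status is a hypothetical helper, and a small sh script stands in for "htpasswd -vb", returning the exit codes shown in the quoted session.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not IPFire's &General::system): run a command in
# list form, so no shell parses the arguments, and decode Perl's $?.
sub run_status {
    my @command = @_;
    no warnings 'exec';    # a failed exec is reported through the status
    system(@command);

    return -1 if $? == -1;                  # could not be executed at all
    return 128 + ($? & 127) if $? & 127;    # terminated by a signal
    return $? >> 8;                         # exit code is in the high byte
}

# Constructed stand-in for "htpasswd -vb FILE USER PASSWORD", returning the
# exit codes seen in the session above: 0 match, 3 wrong password, 6 no user.
my @verify = ("sh", "-c",
    'case "$1:$2" in admin:ipfire) exit 0;; admin:*) exit 3;; *) exit 6;; esac',
    "fake-htpasswd");

# Constructed sample credentials.
my @attempts = (
    [ "admin",  "ipfire"  ],
    [ "admin",  "ipfire2" ],
    [ "admin2", "ipfire2" ],
);

for my $attempt (@attempts) {
    my ($user, $password) = @$attempt;
    my $code = run_status(@verify, $user, $password);
    my $raw  = $?;    # still the undecoded wait status from system()

    # Fail closed: only exit code 0 counts as a verified password.
    my $verdict = $code == 0 ? "accept" : "reject";
    printf "%-7s %-8s raw \$?=%-5d exit=%d -> %s\n",
        $user, $password, $raw, $code, $verdict;
}

# A verifier that cannot be started must be rejected too, not treated as success.
my $code = run_status("/nonexistent/htpasswd", "-vb");
print "missing binary: exit=$code -> ", ($code == 0 ? "accept" : "reject"), "\n";
```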