Subject: Re: [PATCH v2] chpasswd.cgi: Fixes bug12755 - v2 with password verification correction
From: Michael Tremer
To: Adolf Belka
Cc: "IPFire: Development-List"
Date: Thu, 8 May 2025 14:11:22 +0100
Message-Id: <9F12B0CD-6DF6-4758-8C11-75795D30EB63@ipfire.org>
In-Reply-To: <6966b86b-92a6-4a60-99c8-3d1241acd621@ipfire.org>
References: <20250507124211.16762-1-adolf.belka@ipfire.org> <11929F52-E93F-4C85-9704-51BFDC741FEA@ipfire.org> <6966b86b-92a6-4a60-99c8-3d1241acd621@ipfire.org>

Hello Adolf,

I just gave this a try:

ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $?
User admin not found
6
ipfire build chroot (x86_64) root:~$ htpasswd -b /var/ipfire/auth/users admin ipfire
Adding password for user admin
ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire; echo $?
Password for user admin correct.
0
ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin ipfire2; echo $?
password verification failed
3
ipfire build chroot (x86_64) root:~$ htpasswd -vb /var/ipfire/auth/users admin2 ipfire2; echo $?
User admin2 not found
6

This is in the dev system, so the password file was empty to start with.

Basically if the username and password match the return code is zero. If something else happened it isn’t. And this is exactly what I would check for: Okay on zero, not okay on anything else. I would not even care why htpasswd was upset because it does not matter in our use-case.

-Michael

> On 7 May 2025, at 15:02, Adolf Belka wrote:
>
> Hi Michael,
>
> On 07/05/2025 15:52, Adolf Belka wrote:
>> Hi Michael,
>> On 07/05/2025 14:44, Michael Tremer wrote:
>>> Hello Adolf,
>>>
>>> Thanks for the patch. Is there no return code that we get from htpasswd instead of parsing the output?
>> It gives a return code for everything, with numbers of 0 to 7, except for the use of the -v option to verify the password.
> There might be a status code returned. The man page says
>
> 3 if the password was entered interactively and the verification entry didn't match
>
> but elsewhere it does suggest that interactively is not via the -bv option but where you just use -v and manually type the password when requested on the command line.
>
> If the status 3 is a valid status code, how can I access that from the output of the &General::system_output subroutine?
>
> I could give it a try out and if it does work then I could do a v3 patch.
>
> Regards,
>
> Adolf.
>
>> This gives
>> password verification failed
>> if the existing password for the specified user is not correct and
>> Password for user fred correct.
>> if the user specified was fred and the specified password was correct.
>> It does the above for both the interactive -v and the batch mode using the command line of -bv
>> I had to use the check for if the string was found in the return variable because if I checked if the string matched the contents of the variable it always failed so I think there is a hidden Carriage Return or something in the output from htpasswd for the verification test.
>> Regards,
>> Adolf.
>>>
>>> -Michael
>>>
>>>> On 7 May 2025, at 13:42, Adolf Belka wrote:
>>>>
>>>> - Realised that I had not tested the old password being correct or not. Previous check
>>>> gave the same answer irrespective of the output coming from the htpasswd verification.
>>>> - This changes the variable used for the system_output result to an array and then
>>>> checks if the first element contains the failure message that htpasswd gives if
>>>> password verification fails.
>>>> - Tested out with correct and incorrect old passwords and gave the correct answer in
>>>> both cases. Confirmed also that the check for the user being present works correctly
>>>> for both an existing and new user name, which it did.
>>>>
>>>> Fixes: bug12755
>>>> Tested-by: Adolf Belka
>>>> Signed-off-by: Adolf Belka >>>> --- >>>> html/cgi-bin/chpasswd.cgi | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>>=20 >>>> diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi >>>> index c00caca20..46c3e02f6 100644 >>>> --- a/html/cgi-bin/chpasswd.cgi >>>> +++ b/html/cgi-bin/chpasswd.cgi >>>> @@ -77,11 +77,11 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy = chgwebpwd change password'}) >>>> # Check if a user with this name and password exists in the = userdb file >>>> # and if it does then change the password to the new one >>>> my $user =3D &General::system_output("grep", = "$cgiparams{'USERNAME'}", "$userdb"); >>>> - my $old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>> + my @old_password =3D = &General::system_output("/usr/bin/htpasswd", "-bv", "$userdb", = "$cgiparams{'USERNAME'}", "$cgiparams{'OLD_PASSWORD'}"); >>>> if (!$user) { >>>> $errormessage =3D $tr{'advproxy errmsg invalid = user'}; >>>> goto ERROR; >>>> - } elsif (!$old_password) { >>>> + } elsif (@old_password[0] =3D~ /password verification = failed/) { >>>> $errormessage =3D $tr{'advproxy errmsg password = incorrect'}; >>>> goto ERROR; >>>> } else { >>>> --=20 >>>> 2.49.0 >>>>=20 >>>>=20 >>>=20 >>>=20 >=20 >=20
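
Review bot: The new elsif in the @@ -77,11 +77,11 @@ hunk rejects only when the first output line contains "password verification failed", so any other outcome of htpasswd -bv (no output at all, or a different error message) falls through to the else branch as if the old password had been verified. Test for success instead, either a zero exit status or a match on the "correct" message, and treat everything else as a failure. The element should also be written $old_password[0]; @old_password[0] is a one-element array slice and draws a warning when warnings are enabled. The unchanged grep on $cgiparams{'USERNAME'} matches that string anywhere in a line of the userdb, so the user-exists test is looser than its comment says; an anchored match on the username field would be tighter.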
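
Michael's rule from the reply above (okay on zero, not okay on anything else), as an added Perl example that is not part of the thread or of IPFire's code. The helpers exit_code_of and old_password_ok are hypothetical, the htpasswd path and -vb option are taken from the quoted patch, and the stand-in commands at the end are constructed so the block runs without htpasswd.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not part of IPFire's General:: module): run a command
# in list form (no shell), discard its output and return its exit code.
# Returns -1 if the child could not be forked or died from a signal.
sub exit_code_of {
    my @cmd = @_;

    my $pid = fork();
    return -1 unless defined $pid;

    if ($pid == 0) {
        # Child: only the status matters, so silence both output streams.
        open(STDOUT, '>', '/dev/null') or POSIX::_exit(126);
        open(STDERR, '>', '/dev/null') or POSIX::_exit(126);
        exec { $cmd[0] } @cmd or POSIX::_exit(127);
    }

    waitpid($pid, 0);
    return -1 if $? & 127;    # terminated by a signal
    return $? >> 8;           # ordinary exit code
}

# Hypothetical wrapper: fail closed. Only exit code 0 counts as a verified
# password; wrong password, unknown user, missing binary or a crash all
# give the same answer, "not verified".
sub old_password_ok {
    my ($userdb, $user, $password) = @_;
    my $rc = exit_code_of('/usr/bin/htpasswd', '-vb', $userdb, $user, $password);
    return $rc == 0;
}

# Constructed demonstration with stand-in commands, so the block runs on a
# system without htpasswd or a user database.
for my $cmd (['true'], ['false'], ['/nonexistent/htpasswd', '-vb']) {
    printf "%-22s exit=%d\n", $cmd->[0], exit_code_of(@$cmd);
}
```

A caller would branch on old_password_ok(...) alone and show the same "password incorrect" error for every false result.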