htpasswd.c revision 53593dbd8fece82cb66a23f0b7024d8d713d66f1
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/******************************************************************************
******************************************************************************
* NOTE! This program is not safe as a setuid executable! Do not make it
* setuid!
******************************************************************************
*****************************************************************************/
/*
* htpasswd.c: simple program for manipulating password file for
* the Apache HTTP server
*
* Originally by Rob McCool
*
* Exit values:
* 0: Success
* 1: Failure; file access/permission problem
* 2: Failure; command line syntax problem (usage message issued)
* 3: Failure; password verification failure
* 4: Failure; operation interrupted (such as with CTRL/C)
* 5: Failure; buffer would overflow (username, filename, or computed
* record too long)
* 6: Failure; username contains illegal or reserved characters
* 7: Failure; file is not a valid htpasswd file
*/
#include "apr.h"
#include "apr_lib.h"
#include "apr_strings.h"
#include "apr_errno.h"
#include "apr_file_io.h"
#include "apr_general.h"
#include "apr_signal.h"
#if APR_HAVE_STDIO_H
#include <stdio.h>
#endif
#include "apr_md5.h"
#include "apr_sha1.h"
#include <time.h>
#if APR_HAVE_CRYPT_H
#include <crypt.h>
#endif
#include <stdlib.h>
#endif
#include <string.h>
#endif
#include <unistd.h>
#endif
#ifdef WIN32
#include <conio.h>
#endif
#if !APR_CHARSET_EBCDIC
#define LF 10
#define CR 13
#else /*APR_CHARSET_EBCDIC*/
#define LF '\n'
#define CR '\r'
#endif /*APR_CHARSET_EBCDIC*/
#define MAX_STRING_LEN 256
#define ALG_PLAIN 0
#define ALG_CRYPT 1
#define ALG_APMD5 2
#define ALG_APSHA 3
#define ERR_FILEPERM 1
#define ERR_SYNTAX 2
#define ERR_PWMISMATCH 3
#define ERR_INTERRUPTED 4
#define ERR_OVERFLOW 5
#define ERR_BADUSER 6
#define ERR_INVALID 7
#define APHTP_NEWFILE 1
#define APHTP_NOFILE 2
#define APHTP_NONINTERACTIVE 4
#define APHTP_DELUSER 8
#define NL APR_EOL_STR
static void to64(char *s, unsigned long v, int n)
{
static unsigned char itoa64[] = /* 0 ... 63 => ASCII - 64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
while (--n >= 0) {
*s++ = itoa64[v&0x3f];
v >>= 6;
}
}
{
static unsigned char tbl[] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
size_t i;
for (i = 0; i < size; ++i) {
}
}
static apr_status_t seed_rand(void)
{
int seed = 0;
if (rv) {
return rv;
}
return rv;
}
static void putline(apr_file_t *f, const char *l)
{
rc = apr_file_puts(l, f);
if (rc != APR_SUCCESS) {
char errstr[MAX_STRING_LEN];
apr_file_close(f);
}
}
/*
* Make a password record from the given information. A zero return
* indicates success; failure means that the output buffer contains an
* error message instead.
*/
int alg)
{
char *pw;
char cpw[120];
char pwin[MAX_STRING_LEN];
char pwv[MAX_STRING_LEN];
char salt[9];
}
else {
return ERR_OVERFLOW;
}
return ERR_PWMISMATCH;
}
}
switch (alg) {
case ALG_APSHA:
/* XXX cpw >= 28 + strlen(sha1) chars - fixed len SHA */
break;
case ALG_APMD5:
if (seed_rand()) {
break;
}
break;
case ALG_PLAIN:
/* XXX this len limitation is not in sync with any HTTPd len. */
break;
case ALG_CRYPT:
default:
if (seed_rand()) {
break;
}
break;
#endif
}
/*
* Check to see if the buffer is large enough to hold the username,
* hash, and delimiters.
*/
return ERR_OVERFLOW;
}
return 0;
}
static void usage(void)
{
"stdout." NL);
" (default)"
"." NL);
"." NL);
"rather than prompting for it." NL);
"On other systems than Windows and NetWare the '-p' flag will "
"probably not work." NL);
"The SHA algorithm does not use a salt and is less secure than "
"the MD5 algorithm." NL);
}
/*
* Check to see if the specified file can be opened for the given
* access.
*/
{
apr_file_t *f = NULL;
return 0;
}
apr_file_close(f);
return 1;
}
/*
* Return true if the named file exists, regardless of permissions.
*/
{
}
static void terminate(void)
{
#ifdef NETWARE
pressanykey();
#endif
}
char **password)
{
const char *arg;
int args_left = 2;
int i;
/*
* Preliminary check to make sure they provided at least
* three arguments, we'll do better argument checking as
* we parse the command line.
*/
if (argc < 3) {
usage();
}
/*
* Go through the argument list and pick out any options. They
* have to precede any other arguments.
*/
for (i = 1; i < argc; i++) {
if (*arg != '-') {
break;
}
while (*++arg != '\0') {
if (*arg == 'c') {
*mask |= APHTP_NEWFILE;
}
else if (*arg == 'n') {
*mask |= APHTP_NOFILE;
args_left--;
}
else if (*arg == 'm') {
}
else if (*arg == 's') {
}
else if (*arg == 'p') {
}
else if (*arg == 'd') {
}
else if (*arg == 'b') {
*mask |= APHTP_NONINTERACTIVE;
args_left++;
}
else if (*arg == 'D') {
*mask |= APHTP_DELUSER;
}
else {
usage();
}
}
}
}
}
}
/*
* Make sure we still have exactly the right number of arguments left
* (the filename, the username, and possibly the password if -b was
* specified).
*/
usage();
}
if (*mask & APHTP_NOFILE) {
i--;
}
else {
}
}
}
}
if (*mask & APHTP_NONINTERACTIVE) {
argv[0], MAX_STRING_LEN);
}
}
}
/*
* Let's do it. We end up doing a lot of file opening and closing,
* but what do we care? This application isn't run constantly.
*/
{
char record[MAX_STRING_LEN];
char line[MAX_STRING_LEN];
char *pwfilename = NULL;
char tn[] = "htpasswd.tmp.XXXXXX";
char *dirname;
int found = 0;
int i;
int mask = 0;
int existing_file = 0;
#endif
if (rv) {
exit(1);
}
if (rv) {
exit(1);
}
if (rv) {
exit(1);
}
#endif /*APR_CHARSET_EBCDIC*/
}
#endif
"might just not work on this platform." NL);
}
#endif
/*
* Only do the file checks if we're supposed to frob it.
*/
if (!(mask & APHTP_NOFILE)) {
if (existing_file) {
/*
* Check that this existing file is readable and writable.
*/
}
}
else {
/*
* Error out if -c was omitted for this non-existant file.
*/
if (!(mask & APHTP_NEWFILE)) {
"%s: cannot modify file %s; use '-c' to create it" NL,
argv[0], pwfilename);
}
/*
* As it doesn't exist yet, verify that we can create it.
*/
argv[0], pwfilename);
}
}
}
/*
* All the file access checks (if any) have been made. Time to go to work;
* try to create the record for the username in question. If that
* fails, there's no need to waste any time on file manipulations.
* Any error message text is returned in the record buffer, since
* the mkrecord() routine doesn't have access to argv[].
*/
if (!(mask & APHTP_DELUSER)) {
if (i != 0) {
exit(i);
}
if (mask & APHTP_NOFILE) {
exit(0);
}
}
/*
* We can access the files the right way, and we have a record
* to add or update. Let's do it..
*/
argv[0]);
}
}
/*
* If we're not creating a new file, copy records from the existing
* one to the temporary file until we find the specified user.
*/
argv[0], pwfilename);
}
char *colon;
while (apr_isspace(*scratch)) {
++scratch;
}
continue;
}
/*
* See if this is our user.
*/
*colon = '\0';
}
else {
/*
* If we've not got a colon on the line, this could well
* not be a valid htpasswd file.
* We should bail at this point.
*/
"to be a valid htpasswd file." NL,
argv[0], pwfilename);
}
continue;
}
else {
if (!(mask & APHTP_DELUSER)) {
/* We found the user we were looking for.
* Add him to the file.
*/
found++;
}
else {
/* We found the user we were looking for.
* Delete them from the file.
*/
found++;
}
}
}
}
}
exit(0);
}
/* The temporary file has all the data, just copy it to the new location.
*/
APR_SUCCESS) {
argv[0], pwfilename);
}
return 0;
}