go ahead... be a heretic | |
PerlMonks |
Item Description: A module to manage an apache .httpasswd or other Unix crypt-style password file.
Review Synopsis:
Apache's .htpasswd files consist of user/password pairs, one pair per line, eg:
username1:unixcryptpassword username2:unixcryptpassword
Drawbacks:There is no way to list all the users in a passwd file. There is no method to find out if a specific user has an account. The fetchInfo() method can be bent to this purpose, but it returns "0" for an invalid account, otherwsise any info that is stored for that user or undef, to test for a user I wrapped it in a sub like this-
sub is_user { my $user = shift || return; my $info = $htpasswd->fetchInfo($user); return 0 if ($info eq '0'); return 1; }
Sample code
#!/usr/bin/perl -wT # # BEGIN { # make the environment safe delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{PATH} = ""; } use strict; use CGI; use CGI::Carp qw(fatalsToBrowser); use Apache::Htpasswd; my $cgi = new CGI; $|++; my %settings = (title => "htpasswd change page", dir => "/home/user/public_html/cgi-bin", htpasswd => ".htpasswd", fields => [ "old_passwd", "new_passwd", "new_passwd2 +" ], ); $settings{user} = $ENV{REMOTE_USER}; my $htpasswd = new Apache::Htpasswd("$settings{dir}/$settings{htpasswd +}"); print_page_headers($settings{title}); process_form(); print_form(); exit; sub process_form { return unless ( $cgi->param('change') ); my %data; for my $field ($cgi->param()){ if ( scalar grep /^\Q$field\E$/, @{$settings{fields}} ){ # its a field we know about my $tmp = substr($cgi->param($field), 0, 50); $tmp = lc($tmp) if ( $field eq "change_user_name" ); $data{$field} = $tmp || ''; } } if ( !$data{old_passwd} or !$data{new_passwd} or !$data{new_passwd2} + ){ print $cgi->p("You must fill out all fields!"); return; } if ( ! $htpasswd->htCheckPassword($settings{user}, $data{old_passwd} +) ){ print $cgi->p("Old password incorrect or invalid user name"); return; } if ( $data{new_passwd} eq $data{old_passwd} ){ print $cgi->p("New password must be different to old password!"); return; } if ( $data{new_passwd} ne $data{new_passwd2} ){ print $cgi->p("New passwords don't match!"); return; } if ( $data{new_passwd} !~ /^\S{6,8}$/ or $data{new_passwd} !~ /[^a-z +A-Z]+/ ){ print $cgi->p("New password must be 6-8 chars and contain at least + one number or punctuation character"); return; } $htpasswd->htpasswd($settings{user}, $data{new_passwd}, $data{old_pa +sswd}); if ( my $error = $htpasswd->error() ){ print $cgi->p("There was en error: [$error]"); } else { print $cgi->p("Password for $settings{user} was succesfully change +d"); } } sub print_page_headers { my $title = shift || "Page without a title"; print $cgi->header(); print $cgi->start_html($title); print $cgi->h2($title); print $cgi->hr(); return; } sub print_form { for (@{$settings{fields}} ){ $cgi->delete($_); } print $cgi->start_form(); print $cgi->b("Password Change for $settings{user}"); print $cgi->table({-border=>0}, $cgi->Tr( $cgi->td("Enter your ", $cgi->strong("old"), " password"), $cgi->td($cgi->password_field( -name => 'old_passwd', -value => '', -size => 10, -maxlength => 8))), $cgi->Tr($cgi->td("Enter your ", $cgi->strong("new"), " password"), $cgi->td($cgi->password_field( -name => 'new_passwd', -value => '', -size => 10, -maxlength => 10))), $cgi->Tr($cgi->td("Re-Enter your new password"), $cgi->td($cgi->password_field( -name => 'new_passwd2', -value => '', -size => 10, -maxlength => 10)), $cgi->td($cgi->submit( -name => 'change', -value => 'Change Password'))), ); print $cgi->end_form(), $cgi->hr(); print $cgi->end_html(); print "\n"; }
To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:
AuthType Basic AuthName "Authorisation Required" AuthUserFile /path/to/.htpasswd <files ~ "^\.ht"> Order allow,deny Deny from all </files> <Limit GET POST> require user username </Limit>
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Apache::Htpasswd Module Review
by cjf (Parson) on Jul 01, 2002 at 07:53 UTC |