http://qs1969.pair.com?node_id=178482

Item Description: A module to manage an apache .httpasswd or other Unix crypt-style password file.

Review Synopsis:

Apache's .htpasswd files consist of user/password pairs, one pair per line, eg:

username1:unixcryptpassword username2:unixcryptpassword

The Apache::Htpasswd module provides the methods you will need to manage user accounts within .htpasswd (or other password files with the same format)- add and remove users, set & reset passwords. The module provides only an object orientated interface. For a more complete user management solution you may want to look at HTTPD::UserAdmin but for customised user management and integration with your site Apache::Htpasswd is a great tool.

Drawbacks:There is no way to list all the users in a passwd file. There is no method to find out if a specific user has an account. The fetchInfo() method can be bent to this purpose, but it returns "0" for an invalid account, otherwsise any info that is stored for that user or undef, to test for a user I wrapped it in a sub like this-

sub is_user { my $user = shift || return; my $info = $htpasswd->fetchInfo($user); return 0 if ($info eq '0'); return 1; }

Sample code

Here is a sample CGI script to allow a user to change their own password. It requires the user to know their own password first. This script should be run from within a .htaccess protected directory! It uses the $ENV{REMOTE_USER} variable which can be manipulated by an "attacker" however they would still then need to know the existing password for any user they specify.

#!/usr/bin/perl -wT # # BEGIN { # make the environment safe delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; $ENV{PATH} = ""; } use strict; use CGI; use CGI::Carp qw(fatalsToBrowser); use Apache::Htpasswd; my $cgi = new CGI; $|++; my %settings = (title => "htpasswd change page", dir => "/home/user/public_html/cgi-bin", htpasswd => ".htpasswd", fields => [ "old_passwd", "new_passwd", "new_passwd2 +" ], ); $settings{user} = $ENV{REMOTE_USER}; my $htpasswd = new Apache::Htpasswd("$settings{dir}/$settings{htpasswd +}"); print_page_headers($settings{title}); process_form(); print_form(); exit; sub process_form { return unless ( $cgi->param('change') ); my %data; for my $field ($cgi->param()){ if ( scalar grep /^\Q$field\E$/, @{$settings{fields}} ){ # its a field we know about my $tmp = substr($cgi->param($field), 0, 50); $tmp = lc($tmp) if ( $field eq "change_user_name" ); $data{$field} = $tmp || ''; } } if ( !$data{old_passwd} or !$data{new_passwd} or !$data{new_passwd2} + ){ print $cgi->p("You must fill out all fields!"); return; } if ( ! $htpasswd->htCheckPassword($settings{user}, $data{old_passwd} +) ){ print $cgi->p("Old password incorrect or invalid user name"); return; } if ( $data{new_passwd} eq $data{old_passwd} ){ print $cgi->p("New password must be different to old password!"); return; } if ( $data{new_passwd} ne $data{new_passwd2} ){ print $cgi->p("New passwords don't match!"); return; } if ( $data{new_passwd} !~ /^\S{6,8}$/ or $data{new_passwd} !~ /[^a-z +A-Z]+/ ){ print $cgi->p("New password must be 6-8 chars and contain at least + one number or punctuation character"); return; } $htpasswd->htpasswd($settings{user}, $data{new_passwd}, $data{old_pa +sswd}); if ( my $error = $htpasswd->error() ){ print $cgi->p("There was en error: [$error]"); } else { print $cgi->p("Password for $settings{user} was succesfully change +d"); } } sub print_page_headers { my $title = shift || "Page without a title"; print $cgi->header(); print $cgi->start_html($title); print $cgi->h2($title); print $cgi->hr(); return; } sub print_form { for (@{$settings{fields}} ){ $cgi->delete($_); } print $cgi->start_form(); print $cgi->b("Password Change for $settings{user}"); print $cgi->table({-border=>0}, $cgi->Tr( $cgi->td("Enter your ", $cgi->strong("old"), " password"), $cgi->td($cgi->password_field( -name => 'old_passwd', -value => '', -size => 10, -maxlength => 8))), $cgi->Tr($cgi->td("Enter your ", $cgi->strong("new"), " password"), $cgi->td($cgi->password_field( -name => 'new_passwd', -value => '', -size => 10, -maxlength => 10))), $cgi->Tr($cgi->td("Re-Enter your new password"), $cgi->td($cgi->password_field( -name => 'new_passwd2', -value => '', -size => 10, -maxlength => 10)), $cgi->td($cgi->submit( -name => 'change', -value => 'Change Password'))), ); print $cgi->end_form(), $cgi->hr(); print $cgi->end_html(); print "\n"; }

To prohibit downloading of your .htpasswd & associated files your .htaccess should look something like this:

AuthType Basic AuthName "Authorisation Required" AuthUserFile /path/to/.htpasswd <files ~ "^\.ht"> Order allow,deny Deny from all </files> <Limit GET POST> require user username </Limit>

Replies are listed 'Best First'.
Re: Apache::Htpasswd Module Review
by cjf (Parson) on Jul 01, 2002 at 07:53 UTC

    Nice review++

    For another example script using Apache::Htpasswd see Modify .htaccess files which I posted a while back (read: the code might suck, use at your own risk ;). There are also a couple good replies in the thread suggesting alternatives.