Posted by Gordon Burditt on 07/13/05 05:22
>I invoked htpasswd by using the exec() function in PHP like this:
>exec("/usr/local/apache/current/bin/htpasswd -b .htpasswd $email
>$password");
Some warnings here:
1) If safe mode is on, you only get to run stuff out of a specific
directory, and all of the args get quoted into one big arg, which
won't work. And I'm not sure how you can make it work without
some kind of wrapper script in the safe mode execution directory.
2) This command gets passed to the shell, and as such, wildcards
get expanded by the shell. Expect trouble here if $password contains
stuff like *, ?, &, spaces, parentheses, brackets, braces, quotes,
semicolons, etc. The same goes for $email, but that's less likely
to have problems. Also, a password like:
foo`rm -rf *`bar
could wreak havoc.
Try:
// Quote each value so the shell passes it through as one literal argument
$emailquoted = escapeshellarg($email);
$passwordquoted = escapeshellarg($password);
exec("/usr/local/apache/current/bin/htpasswd -b .htpasswd $emailquoted $passwordquoted");
3) What is the current working directory when htpasswd is executed?
Are you sure? ".htpasswd" is a relative path name. Maybe you should
pass an absolute path name.
4) Are you sure you have permissions on htpasswd (the command) and all
of the directories up to /?
>when the same thing is entered at the command line:
>/usr/local/apache/current/bin/htpasswd -b .htpasswd my_email
>my_password
>it works!
Are you running as the same user that Apache runs as? If not, try
it that way.
>Do you think my problem here is the 777 mod on the .htpasswd file? I
No, the 777 is a reason why Apache might refuse to use it, not why
htpasswd would refuse to modify it. I think.
>figured I'd open it all the way for testing purposes, and lock it down
>after I get it running, but maybe I'm shooting myself in the foot.
>any suggestions?
Gordon L. Burditt
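
Added example (not part of the post above): one way to combine points 2 to 4 in PHP, quoting both arguments with escapeshellarg(), using an absolute password-file path, and returning htpasswd's exit status and output instead of discarding them. HTPASSWD_FILE and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
const HTPASSWD_BIN  = '/usr/local/apache/current/bin/htpasswd'; // path quoted in the thread
const HTPASSWD_FILE = '/usr/local/apache/conf/.htpasswd';       // assumed absolute path

// Build the command with every user-supplied value quoted for the shell.
function build_htpasswd_command(string $email, string $password): string
{
    // The password file is "user:hash" per line, so ':' and control
    // characters in the user name would corrupt it.
    if ($email === '' || preg_match('/[:\x00-\x1f]/', $email)) {
        throw new InvalidArgumentException('invalid user name');
    }
    // escapeshellarg() cannot represent a NUL byte.
    if ($password === '' || strpos($password, "\0") !== false) {
        throw new InvalidArgumentException('invalid password');
    }
    return implode(' ', [
        escapeshellarg(HTPASSWD_BIN),
        '-b',
        escapeshellarg(HTPASSWD_FILE),
        escapeshellarg($email),
        escapeshellarg($password),
    ]);
}

// Run htpasswd; return [success, combined stdout/stderr] so failures are visible.
function run_htpasswd(string $email, string $password): array
{
    if (!is_executable(HTPASSWD_BIN)) {
        return [false, 'htpasswd is not executable by the PHP process user'];
    }
    $output = [];
    $status = 1;
    exec(build_htpasswd_command($email, $password) . ' 2>&1', $output, $status);
    return [$status === 0, implode("\n", $output)];
}

// Constructed inputs; the password is the hostile example from the post.
$cmd = build_htpasswd_command('user@example.com', 'foo`rm -rf *`bar');
echo $cmd, PHP_EOL; // backticks and * now sit inside single quotes
```

The -b flag used in the thread still places the password in the process argument list, where other local users can read it while htpasswd runs.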