[packages/cvs.git] / cvs-debian-dsa-ext-pwd.patch

# Add support for overriding lookups in CVSROOT/passwd
# Specify --password-file <file> on the pserver command line to use it
# Initial patch from the Debian DSA team, adapted by Steve McIntyre.
# See README.Debian for more details.
diff -ruN cvs-1.12.13-old/src/cvs.h cvs-1.12.13/src/cvs.h
--- cvs-1.12.13-old/src/cvs.h	2005-10-02 16:17:20.000000000 +0100
+++ cvs-1.12.13/src/cvs.h	2006-08-19 01:20:33.000000000 +0100
@@ -371,6 +371,7 @@
 extern int use_editor;
 extern int cvswrite;
 extern mode_t cvsumask;
+extern char *PasswordFileName;
 
 /* Temp dir abstraction.  */
 /* From main.c.  */
diff -ruN cvs-1.12.13-old/src/main.c cvs-1.12.13/src/main.c
--- cvs-1.12.13-old/src/main.c	2006-08-17 00:25:16.000000000 +0100
+++ cvs-1.12.13/src/main.c	2006-08-19 01:20:03.000000000 +0100
@@ -43,8 +43,7 @@
 int noexec = 0;
 int readonlyfs = 0;
 int logoff = 0;
-
-
+char *PasswordFileName = NULL;
 
 /***
  ***
@@ -519,6 +518,7 @@
 	{"help-commands", 0, NULL, 1},
 	{"help-synonyms", 0, NULL, 2},
 	{"help-options", 0, NULL, 4},
+	{"password-file", required_argument, NULL, 5},
 #ifdef SERVER_SUPPORT
 	{"allow-root", required_argument, NULL, 3},
 #endif /* SERVER_SUPPORT */
@@ -646,6 +646,10 @@
 		root_allow_add (optarg, gConfigPath);
 		break;
 #endif /* SERVER_SUPPORT */
+	    case 5:
+		/* --password-file */
+        PasswordFileName = xstrdup(optarg);
+		break;
 	    case 'Q':
 		really_quiet = 1;
 		/* FALL THROUGH */
diff -ruN cvs-1.12.13-old/src/Makefile.in cvs-1.12.13/src/Makefile.in
--- cvs-1.12.13-old/src/Makefile.in	2005-10-03 14:37:18.000000000 +0100
+++ cvs-1.12.13/src/Makefile.in	2006-08-17 00:28:35.000000000 +0100
@@ -146,7 +146,7 @@
 	ls.$(OBJEXT) main.$(OBJEXT) mkmodules.$(OBJEXT) \
 	modules.$(OBJEXT) ms-buffer.$(OBJEXT) myndbm.$(OBJEXT) \
 	no_diff.$(OBJEXT) parseinfo.$(OBJEXT) patch.$(OBJEXT) \
-	rcs.$(OBJEXT) rcscmds.$(OBJEXT) recurse.$(OBJEXT) \
+	rcs.$(OBJEXT) rcscmds.$(OBJEXT) readpw.$(OBJEXT) recurse.$(OBJEXT) \
 	release.$(OBJEXT) remove.$(OBJEXT) repos.$(OBJEXT) \
 	root.$(OBJEXT) rsh-client.$(OBJEXT) run.$(OBJEXT) \
 	scramble.$(OBJEXT) server.$(OBJEXT) stack.$(OBJEXT) \
@@ -349,6 +349,7 @@
 	patch.c \
 	rcs.c \
 	rcscmds.c \
+	readpw.c \
 	recurse.c \
 	release.c \
 	remove.c \
@@ -543,6 +544,7 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/patch.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcs.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcscmds.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/readpw.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/recurse.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/release.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/remove.Po@am__quote@
diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
--- cvs-1.12.13-old/src/parseinfo.h	2006-08-17 00:25:16.000000000 +0100
+++ cvs-1.12.13/src/parseinfo.h	2006-08-17 00:58:25.000000000 +0100
@@ -21,6 +21,7 @@
     char *HistoryLogPath;
     char *HistorySearchPath;
     char *TmpDir;
+    char *PasswordFileName;
 
     /* Should the logmsg be re-read during the do_verify phase?
      * RereadLogAfterVerify=no|stat|yes
diff -ruN cvs-1.12.13-old/src/readpw.c cvs-1.12.13/src/readpw.c
--- cvs-1.12.13-old/src/readpw.c	1970-01-01 01:00:00.000000000 +0100
+++ cvs-1.12.13/src/readpw.c	2006-08-19 01:45:26.000000000 +0100
@@ -0,0 +1,158 @@
+/*
+    readpw.c - read the CVS password from an external file
+    Copyright (c) 2006  Martin Schulze <joey@infodrom.org>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+#include <syslog.h>
+
+#define PWFILE "/tmp/work/cvs/cvs.passwd"
+
+/*
+ * Source: control_nextline() in dtaus.c from dtaus
+ */
+size_t readline (FILE *f, char **buf, unsigned int len)
+{
+  char line[100];
+  char tmp[100];
+  char *cp;
+  int i;
+
+  memset (line, 0, sizeof(line));
+  memset (*buf, 0, len);
+
+  cp = line;
+
+  while (!strlen(line) && (cp = fgets(line, 100, f))) {
+    if (strlen(line)) {
+      if (line[0] != '#') {
+        if (line[strlen(line)-1] != '\n') {
+          strcpy(tmp, line);
+          while (tmp[strlen(tmp)-1] != '\n' && (cp = fgets(tmp, 100, f)));
+        } else
+          line[strlen(line)-1] = '\0';
+        if (line[strlen(line)-1] == '\r')
+          line[strlen(line)-1] = '\0';
+        for (i=strlen(line);(line[i-1] == ' '||line[i-1] == '\t')&&i>0; i--)
+          line[i-1] = '\0';
+      } else
+        line[0] = '\0';
+    }
+  }
+  for (cp=line; *cp==' '; cp++);
+
+  if (strlen(cp)) {
+    memcpy(*buf, cp, strlen(cp) >= len ? len-1 : strlen(cp));
+    return (strlen (cp));
+  } else
+    return 0;
+}
+
+#define MAXLINE 100
+#define PWLEN 20
+
+char *getpwline (const char *fname, const char *repository, const char *logname)
+{
+  FILE *f;
+  char buf[MAXLINE], *bp = buf;
+  static char line[MAXLINE];
+  int inrepo = 0;
+  char *cp;
+
+  memset (line, 0, sizeof (line));
+
+  if ((f = fopen (fname, "r")) == NULL) {
+    perror ("fopen");
+    return line;
+  }
+
+  while (readline (f, &bp, 50)) {
+    if (buf[0] == '/') {
+        syslog(LOG_ERR, "Looking for repo %s in %s\n", repository, buf);
+      if (!inrepo && !strcmp (buf, repository))
+      {
+          syslog(LOG_ERR, "matched repository %s\n", repository);
+          inrepo = 1;
+      }
+      else if (inrepo)
+       inrepo = 0;
+    } else {
+      if (inrepo) {
+       if ((cp = strchr (buf, ':')) != NULL) {
+         if ( (cp - buf) == strlen (logname)
+              && !strncmp (buf, logname, strlen (logname))) {
+           memcpy (line, buf, strlen(buf) >= MAXLINE ? MAXLINE-1 : strlen(buf));
+         }
+       }
+      }
+    }
+  }
+  
+  if (ferror (f))
+    perror ("ferror");
+  if (fclose (f) < 0)
+    perror ("fclose");
+
+  return line;
+}
+
+/*
+*****************************************************************
+ */
+#ifdef TEST_READPW
+
+void getpasswd (const char *fname, const char *repository, const char *logname, char **pw, char **user)
+{
+  char *line;
+  char *cp, *xp;
+
+  memset (*pw, 0, PWLEN);
+  memset (*user, 0, PWLEN);
+
+  line = getpwline(fname, repository, logname);
+
+  if (line[0] == '\0')
+    return;
+
+  cp = strchr (line, ':');
+  cp++;
+
+  if ((xp = strchr (cp, ':')) != NULL) {
+    memcpy (*pw, cp, xp-cp >= PWLEN ? PWLEN-1 : xp-cp);
+    
+    xp++;
+
+    if (strlen (xp))
+      memcpy (*user, xp, strlen(xp) >= PWLEN ? PWLEN-1 : strlen(xp));
+  }
+}
+
+int main ()
+{
+  char pw[PWLEN], *ppw = pw;
+  char cvsuser[PWLEN], *pcu = cvsuser;
+
+  getpasswd (PWFILE, "/cvs/debian-doc", "jseidel", &ppw, &pcu);
+
+  printf ("%s<:>%s\n", pw, cvsuser);
+  printf ("XXXXXXXXXXXXX\n");
+
+  return 0;
+}
+#endif /*TEST_READPW */
diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
--- cvs-1.12.13-old/src/server.c	2006-08-17 00:25:16.000000000 +0100
+++ cvs-1.12.13/src/server.c	2006-08-20 00:31:22.000000000 +0100
@@ -22,6 +22,8 @@
 
 int server_active = 0;
 
+char *getpwline (const char *fname, const char *repository, const char *logname);
+
 #if defined (SERVER_SUPPORT) || defined (CLIENT_SUPPORT)
 
 # include "log-buffer.h"
@@ -6689,51 +6691,71 @@
 {
     int retval = 0;
     FILE *fp;
-    char *filename;
+    char *filename = NULL;
+    char *cp;
     char *linebuf = NULL;
     size_t linebuf_len;
     int found_it = 0;
     int namelen;
 
-    /* We don't use current_parsed_root->directory because it hasn't been
-     * set yet -- our `repository' argument came from the authentication
-     * protocol, not the regular CVS protocol.
-     */
-
-    filename = xmalloc (strlen (repository)
-			+ 1
-			+ strlen (CVSROOTADM)
-			+ 1
-			+ strlen (CVSROOTADM_PASSWD)
-			+ 1);
+    if (!PasswordFileName)
+    {
+        /* We don't use current_parsed_root->directory because it hasn't been
+         * set yet -- our `repository' argument came from the authentication
+         * protocol, not the regular CVS protocol.
+         */
+
+        filename = xmalloc (strlen (repository)
+                            + 1
+                            + strlen (CVSROOTADM)
+                            + 1
+                            + strlen (CVSROOTADM_PASSWD)
+                            + 1);
 
-    (void) sprintf (filename, "%s/%s/%s", repository,
-		    CVSROOTADM, CVSROOTADM_PASSWD);
+        (void) sprintf (filename, "%s/%s/%s", repository,
+                        CVSROOTADM, CVSROOTADM_PASSWD);
 
-    fp = CVS_FOPEN (filename, "r");
-    if (fp == NULL)
-    {
-	if (!existence_error (errno))
-	    error (0, errno, "cannot open %s", filename);
-	free (filename);
-	return 0;
-    }
+        fp = CVS_FOPEN (filename, "r");
+        if (fp == NULL)
+        {
+            if (!existence_error (errno))
+                error (0, errno, "cannot open %s", filename);
+            free (filename);
+            return 0;
+        }
 
-    /* Look for a relevant line -- one with this user's name. */
-    namelen = strlen (username);
-    while (getline (&linebuf, &linebuf_len, fp) >= 0)
-    {
-	if ((strncmp (linebuf, username, namelen) == 0)
-	    && (linebuf[namelen] == ':'))
-	{
-	    found_it = 1;
-	    break;
-	}
+        /* Look for a relevant line -- one with this user's name. */
+        namelen = strlen (username);
+        while (getline (&linebuf, &linebuf_len, fp) >= 0)
+        {
+            if ((strncmp (linebuf, username, namelen) == 0)
+                && (linebuf[namelen] == ':'))
+            {
+                found_it = 1;
+                break;
+            }
+        }
+        if (ferror (fp))
+            error (0, errno, "cannot read %s", filename);
+        if (fclose (fp) < 0)
+            error (0, errno, "cannot close %s", filename);
+    }
+    else /* DSA_VERSION */
+    {        
+        namelen = strlen (username);
+
+        cp = getpwline (PasswordFileName, repository, username);
+        /* syslog (LOG_NOTICE, "cp=%s", cp); */
+        if (strlen (cp)) {
+            linebuf = xmalloc (strlen (cp) + 1);
+            memcpy (linebuf, cp, strlen(cp)+1);
+            /* syslog (LOG_NOTICE, "line=%s", linebuf); */
+            found_it = 1;
+        } else
+            found_it = 0;
+    
+        /* syslog (LOG_NOTICE, "username=%s, password=%s, repository=%s", username, password, repository); */
     }
-    if (ferror (fp))
-	error (0, errno, "cannot read %s", filename);
-    if (fclose (fp) < 0)
-	error (0, errno, "cannot close %s", filename);
 
     /* If found_it, then linebuf contains the information we need. */
     if (found_it)
@@ -6823,6 +6845,7 @@
 	retval = 0;
     }
 
+    if (filename)
     free (filename);
     if (linebuf)
 	free (linebuf);
@@ -7043,7 +7066,10 @@
 	   letting you in if it won't say why, and I am not convinced
 	   that the potential information disclosure to an attacker
 	   outweighs this.  */
-	printf ("error 0 no such user %s in CVSROOT/passwd\n", username);
+        if (PasswordFileName)
+            printf ("error 0 no such user %s in %s\n", username, PasswordFileName);
+        else
+            printf ("error 0 no such user %s in CVSROOT/passwd\n", username);
 
 	exit (EXIT_FAILURE);
     }
Commit	Line	Data
3a862a5e AM	1	# Add support for overriding lookups in CVSROOT/passwd
	2	# Specify --password-file <file> on the pserver command line to use it
	3	# Initial patch from the Debian DSA team, adapted by Steve McIntyre.
	4	# See README.Debian for more details.
	5	diff -ruN cvs-1.12.13-old/src/cvs.h cvs-1.12.13/src/cvs.h
	6	--- cvs-1.12.13-old/src/cvs.h 2005-10-02 16:17:20.000000000 +0100
	7	+++ cvs-1.12.13/src/cvs.h 2006-08-19 01:20:33.000000000 +0100
	8	@@ -371,6 +371,7 @@
	9	extern int use_editor;
	10	extern int cvswrite;
	11	extern mode_t cvsumask;
	12	+extern char *PasswordFileName;
	13
	14	/* Temp dir abstraction. */
	15	/* From main.c. */
	16	diff -ruN cvs-1.12.13-old/src/main.c cvs-1.12.13/src/main.c
	17	--- cvs-1.12.13-old/src/main.c 2006-08-17 00:25:16.000000000 +0100
	18	+++ cvs-1.12.13/src/main.c 2006-08-19 01:20:03.000000000 +0100
	19	@@ -43,8 +43,7 @@
	20	int noexec = 0;
	21	int readonlyfs = 0;
	22	int logoff = 0;
	23	-
	24	-
	25	+char *PasswordFileName = NULL;
	26
	27	/***
	28	***
	29	@@ -519,6 +518,7 @@
	30	{"help-commands", 0, NULL, 1},
	31	{"help-synonyms", 0, NULL, 2},
	32	{"help-options", 0, NULL, 4},
	33	+ {"password-file", required_argument, NULL, 5},
	34	#ifdef SERVER_SUPPORT
	35	{"allow-root", required_argument, NULL, 3},
	36	#endif /* SERVER_SUPPORT */
	37	@@ -646,6 +646,10 @@
	38	root_allow_add (optarg, gConfigPath);
	39	break;
	40	#endif /* SERVER_SUPPORT */
	41	+ case 5:
	42	+ /* --password-file */
	43	+ PasswordFileName = xstrdup(optarg);
	44	+ break;
	45	case 'Q':
	46	really_quiet = 1;
	47	/* FALL THROUGH */
	48	diff -ruN cvs-1.12.13-old/src/Makefile.in cvs-1.12.13/src/Makefile.in
	49	--- cvs-1.12.13-old/src/Makefile.in 2005-10-03 14:37:18.000000000 +0100
	50	+++ cvs-1.12.13/src/Makefile.in 2006-08-17 00:28:35.000000000 +0100
	51	@@ -146,7 +146,7 @@
	52	ls.$(OBJEXT) main.$(OBJEXT) mkmodules.$(OBJEXT) \
	53	modules.$(OBJEXT) ms-buffer.$(OBJEXT) myndbm.$(OBJEXT) \
	54	no_diff.$(OBJEXT) parseinfo.$(OBJEXT) patch.$(OBJEXT) \
	55	- rcs.$(OBJEXT) rcscmds.$(OBJEXT) recurse.$(OBJEXT) \
	56	+ rcs.$(OBJEXT) rcscmds.$(OBJEXT) readpw.$(OBJEXT) recurse.$(OBJEXT) \
	57	release.$(OBJEXT) remove.$(OBJEXT) repos.$(OBJEXT) \
	58	root.$(OBJEXT) rsh-client.$(OBJEXT) run.$(OBJEXT) \
	59	scramble.$(OBJEXT) server.$(OBJEXT) stack.$(OBJEXT) \
	60	@@ -349,6 +349,7 @@
	61	patch.c \
	62	rcs.c \
	63	rcscmds.c \
	64	+ readpw.c \
65	recurse.c \
66	release.c \
67	remove.c \
68	@@ -543,6 +544,7 @@
69	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/patch.Po@am__quote@
70	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcs.Po@am__quote@
71	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcscmds.Po@am__quote@
72	+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/readpw.Po@am__quote@
73	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/recurse.Po@am__quote@
74	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/release.Po@am__quote@
75	@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/remove.Po@am__quote@
76	diff -ruN cvs-1.12.13-old/src/parseinfo.h cvs-1.12.13/src/parseinfo.h
77	--- cvs-1.12.13-old/src/parseinfo.h 2006-08-17 00:25:16.000000000 +0100
78	+++ cvs-1.12.13/src/parseinfo.h 2006-08-17 00:58:25.000000000 +0100
79	@@ -21,6 +21,7 @@
80	char *HistoryLogPath;
81	char *HistorySearchPath;
82	char *TmpDir;
83	+ char *PasswordFileName;
84
85	/* Should the logmsg be re-read during the do_verify phase?
86	* RereadLogAfterVerify=no\|stat\|yes
87	diff -ruN cvs-1.12.13-old/src/readpw.c cvs-1.12.13/src/readpw.c
88	--- cvs-1.12.13-old/src/readpw.c 1970-01-01 01:00:00.000000000 +0100
89	+++ cvs-1.12.13/src/readpw.c 2006-08-19 01:45:26.000000000 +0100
90	@@ -0,0 +1,158 @@
91	+/*
92	+ readpw.c - read the CVS password from an external file
93	+ Copyright (c) 2006 Martin Schulze <joey@infodrom.org>
94	+
95	+ This program is free software; you can redistribute it and/or modify
96	+ it under the terms of the GNU General Public License as published by
97	+ the Free Software Foundation; either version 2 of the License, or
98	+ (at your option) any later version.
99	+
100	+ This program is distributed in the hope that it will be useful,
101	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
102	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
103	+ GNU General Public License for more details.
104	+
105	+ You should have received a copy of the GNU General Public License
106	+ along with this program; if not, write to the Free Software
107	+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
108	+*/
109	+
110	+#include <string.h>
111	+#include <stdio.h>
112	+#include <errno.h>
113	+#include <syslog.h>
114	+
115	+#define PWFILE "/tmp/work/cvs/cvs.passwd"
116	+
117	+/*
118	+ * Source: control_nextline() in dtaus.c from dtaus
119	+ */
120	+size_t readline (FILE f, char *buf, unsigned int len)
121	+{
122	+ char line[100];
123	+ char tmp[100];
124	+ char *cp;
125	+ int i;
126	+
127	+ memset (line, 0, sizeof(line));
128	+ memset (*buf, 0, len);
129	+
130	+ cp = line;
131	+
132	+ while (!strlen(line) && (cp = fgets(line, 100, f))) {
133	+ if (strlen(line)) {
134	+ if (line[0] != '#') {
135	+ if (line[strlen(line)-1] != '\n') {
136	+ strcpy(tmp, line);
137	+ while (tmp[strlen(tmp)-1] != '\n' && (cp = fgets(tmp, 100, f)));
138	+ } else
139	+ line[strlen(line)-1] = '\0';
140	+ if (line[strlen(line)-1] == '\r')
141	+ line[strlen(line)-1] = '\0';
142	+ for (i=strlen(line);(line[i-1] == ' '\|\|line[i-1] == '\t')&&i>0; i--)
143	+ line[i-1] = '\0';
144	+ } else
145	+ line[0] = '\0';
146	+ }
147	+ }
148	+ for (cp=line; *cp==' '; cp++);
149	+
150	+ if (strlen(cp)) {
151	+ memcpy(*buf, cp, strlen(cp) >= len ? len-1 : strlen(cp));
152	+ return (strlen (cp));
153	+ } else
154	+ return 0;
155	+}
156	+
157	+#define MAXLINE 100
158	+#define PWLEN 20
159	+
160	+char getpwline (const char fname, const char repository, const char logname)
161	+{
162	+ FILE *f;
163	+ char buf[MAXLINE], *bp = buf;
164	+ static char line[MAXLINE];
165	+ int inrepo = 0;
166	+ char *cp;
167	+
168	+ memset (line, 0, sizeof (line));
169	+
170	+ if ((f = fopen (fname, "r")) == NULL) {
171	+ perror ("fopen");
172	+ return line;
173	+ }
174	+
175	+ while (readline (f, &bp, 50)) {
176	+ if (buf[0] == '/') {
177	+ syslog(LOG_ERR, "Looking for repo %s in %s\n", repository, buf);
178	+ if (!inrepo && !strcmp (buf, repository))
179	+ {
180	+ syslog(LOG_ERR, "matched repository %s\n", repository);
181	+ inrepo = 1;
182	+ }
183	+ else if (inrepo)
184	+ inrepo = 0;
185	+ } else {
186	+ if (inrepo) {
187	+ if ((cp = strchr (buf, ':')) != NULL) {
188	+ if ( (cp - buf) == strlen (logname)
189	+ && !strncmp (buf, logname, strlen (logname))) {
190	+ memcpy (line, buf, strlen(buf) >= MAXLINE ? MAXLINE-1 : strlen(buf));
191	+ }
192	+ }
193	+ }
194	+ }
195	+ }
196	+
197	+ if (ferror (f))
198	+ perror ("ferror");
199	+ if (fclose (f) < 0)
200	+ perror ("fclose");
201	+
202	+ return line;
203	+}
204	+
205	+/*
206	+*****************************************************************
207	+ */
208	+#ifdef TEST_READPW
209	+
210	+void getpasswd (const char fname, const char repository, const char logname, char pw, char *user)
211	+{
212	+ char *line;
213	+ char cp, xp;
214	+
215	+ memset (*pw, 0, PWLEN);
216	+ memset (*user, 0, PWLEN);
217	+
218	+ line = getpwline(fname, repository, logname);
219	+
220	+ if (line[0] == '\0')
221	+ return;
222	+
223	+ cp = strchr (line, ':');
224	+ cp++;
225	+
226	+ if ((xp = strchr (cp, ':')) != NULL) {
227	+ memcpy (*pw, cp, xp-cp >= PWLEN ? PWLEN-1 : xp-cp);
228	+
229	+ xp++;
230	+
231	+ if (strlen (xp))
232	+ memcpy (*user, xp, strlen(xp) >= PWLEN ? PWLEN-1 : strlen(xp));
233	+ }
234	+}
235	+
236	+int main ()
237	+{
238	+ char pw[PWLEN], *ppw = pw;
239	+ char cvsuser[PWLEN], *pcu = cvsuser;
240	+
241	+ getpasswd (PWFILE, "/cvs/debian-doc", "jseidel", &ppw, &pcu);
242	+
243	+ printf ("%s<:>%s\n", pw, cvsuser);
244	+ printf ("XXXXXXXXXXXXX\n");
245	+
246	+ return 0;
247	+}
248	+#endif /TEST_READPW /
249	diff -ruN cvs-1.12.13-old/src/server.c cvs-1.12.13/src/server.c
250	--- cvs-1.12.13-old/src/server.c 2006-08-17 00:25:16.000000000 +0100
251	+++ cvs-1.12.13/src/server.c 2006-08-20 00:31:22.000000000 +0100
252	@@ -22,6 +22,8 @@
253
254	int server_active = 0;
255
256	+char getpwline (const char fname, const char repository, const char logname);
257	+
258	#if defined (SERVER_SUPPORT) \|\| defined (CLIENT_SUPPORT)
259
260	# include "log-buffer.h"
261	@@ -6689,51 +6691,71 @@
262	{
263	int retval = 0;
264	FILE *fp;
265	- char *filename;
266	+ char *filename = NULL;
267	+ char *cp;
268	char *linebuf = NULL;
269	size_t linebuf_len;
270	int found_it = 0;
271	int namelen;
272
273	- /* We don't use current_parsed_root->directory because it hasn't been
274	- * set yet -- our `repository' argument came from the authentication
275	- * protocol, not the regular CVS protocol.
276	- */
277	-
278	- filename = xmalloc (strlen (repository)
279	- + 1
280	- + strlen (CVSROOTADM)
281	- + 1
282	- + strlen (CVSROOTADM_PASSWD)
283	- + 1);
284	+ if (!PasswordFileName)
285	+ {
286	+ /* We don't use current_parsed_root->directory because it hasn't been
287	+ * set yet -- our `repository' argument came from the authentication
288	+ * protocol, not the regular CVS protocol.
289	+ */
290	+
291	+ filename = xmalloc (strlen (repository)
292	+ + 1
293	+ + strlen (CVSROOTADM)
294	+ + 1
295	+ + strlen (CVSROOTADM_PASSWD)
296	+ + 1);
297
298	- (void) sprintf (filename, "%s/%s/%s", repository,
299	- CVSROOTADM, CVSROOTADM_PASSWD);
300	+ (void) sprintf (filename, "%s/%s/%s", repository,
301	+ CVSROOTADM, CVSROOTADM_PASSWD);
302
303	- fp = CVS_FOPEN (filename, "r");
304	- if (fp == NULL)
305	- {
306	- if (!existence_error (errno))
307	- error (0, errno, "cannot open %s", filename);
308	- free (filename);
309	- return 0;
310	- }
311	+ fp = CVS_FOPEN (filename, "r");
312	+ if (fp == NULL)
313	+ {
314	+ if (!existence_error (errno))
315	+ error (0, errno, "cannot open %s", filename);
316	+ free (filename);
317	+ return 0;
318	+ }
319
320	- /* Look for a relevant line -- one with this user's name. */
321	- namelen = strlen (username);
322	- while (getline (&linebuf, &linebuf_len, fp) >= 0)
323	- {
324	- if ((strncmp (linebuf, username, namelen) == 0)
325	- && (linebuf[namelen] == ':'))
326	- {
327	- found_it = 1;
328	- break;
329	- }
330	+ /* Look for a relevant line -- one with this user's name. */
331	+ namelen = strlen (username);
332	+ while (getline (&linebuf, &linebuf_len, fp) >= 0)
333	+ {
334	+ if ((strncmp (linebuf, username, namelen) == 0)
335	+ && (linebuf[namelen] == ':'))
336	+ {
337	+ found_it = 1;
338	+ break;
339	+ }
340	+ }
341	+ if (ferror (fp))
342	+ error (0, errno, "cannot read %s", filename);
343	+ if (fclose (fp) < 0)
344	+ error (0, errno, "cannot close %s", filename);
345	+ }
346	+ else /* DSA_VERSION */
347	+ {
348	+ namelen = strlen (username);
349	+
350	+ cp = getpwline (PasswordFileName, repository, username);
351	+ /* syslog (LOG_NOTICE, "cp=%s", cp); */
352	+ if (strlen (cp)) {
353	+ linebuf = xmalloc (strlen (cp) + 1);
354	+ memcpy (linebuf, cp, strlen(cp)+1);
355	+ /* syslog (LOG_NOTICE, "line=%s", linebuf); */
356	+ found_it = 1;
357	+ } else
358	+ found_it = 0;
359	+
360	+ /* syslog (LOG_NOTICE, "username=%s, password=%s, repository=%s", username, password, repository); */
361	}
362	- if (ferror (fp))
363	- error (0, errno, "cannot read %s", filename);
364	- if (fclose (fp) < 0)
365	- error (0, errno, "cannot close %s", filename);
366
367	/* If found_it, then linebuf contains the information we need. */
368	if (found_it)
369	@@ -6823,6 +6845,7 @@
370	retval = 0;
371	}
372
373	+ if (filename)
374	free (filename);
375	if (linebuf)
376	free (linebuf);
377	@@ -7043,7 +7066,10 @@
378	letting you in if it won't say why, and I am not convinced
379	that the potential information disclosure to an attacker
380	outweighs this. */
381	- printf ("error 0 no such user %s in CVSROOT/passwd\n", username);
382	+ if (PasswordFileName)
383	+ printf ("error 0 no such user %s in %s\n", username, PasswordFileName);
384	+ else
385	+ printf ("error 0 no such user %s in CVSROOT/passwd\n", username);
386
387	exit (EXIT_FAILURE);
388	}