Bug 55379 - htdigest -c doesn't behave as described anymore
Summary: htdigest -c doesn't behave as described anymore
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: support (show other bugs)
Version: 2.4.6
Hardware: PC Linux
: P2 minor (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-08-07 11:20 UTC by Nirgal Vourgère
Modified: 2013-08-08 08:42 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Nirgal Vourgère 2013-08-07 11:20:31 UTC

I was helping triaging apache2 bugs reports in Debian and found that one:

> Running "htdigest -c <file> <domain> <user>" provides inconsistent
> results, sometimes removing entries for this or another <user> and
> othertimes doubling up entries for <user>. I suggest that invoking the
> command in this way with the -c flag should cause the programme to bail
> out if the file <file> already exists.

First, there really is a bug with -c parameter, which behaviour is inconsistent.

Man page says:
-c     Create  the  passwdfile.  If  passwdfile  already  exists, it is
              deleted first.

This is a regression^Wchange introduced 13 years ago:

file was truncated fopen("w") and now it is no more, since we use
apr_file_open(APR_WRITE | APR_CREATE)

It is missing APR_TRUNCATE

You can reproduce with
$ htdigest -c ~/toto realm nirgal # file created
$ htdigest ~/toto realm nirgal2 # second entry added
$ htdigest -c ~/toto realm nirgal # file should be truncated. It's not.
$ wc -l ~/toto
3 /home/nirgal/toto

Patch is available at:

However, original bug repport suggest -c should fail if file exists.

It makes sense to forbid file truncation of existing file, but it is opposition to man description,
to htpasswd -c behavior, and it might break a few scripts.

What is your feeling about that wish?