From 09d1019b00a93db543d604802878a03dc8155f76 Mon Sep 17 00:00:00 2001
From: Julian Blake Kongslie
Date: Wed, 27 Apr 2011 19:53:48 -0700
Subject: joe is a whiny baby who doesn't want password sent in cleartext
---
 pinyweb/cgi-bin/newuser.cgi | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
(limited to 'pinyweb/cgi-bin/newuser.cgi')
diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi
index 4f1263b..0fad219 100755
--- a/pinyweb/cgi-bin/newuser.cgi
+++ b/pinyweb/cgi-bin/newuser.cgi
@@ -7,19 +7,32 @@ use warnings;
 use CGI;
+use Crypt::CBC;
 use IPC::Open2;
+use MIME::Base32 qw( RFC );
 use Piny::Auth;
+my $auth = Piny::Auth->new( );
+
+my $cipher = Crypt::CBC->new( "-key" => $auth->key, "-cipher" => "Blowfish" );
+
 $q = CGI->new;
 print( "Content-type: text/plain\n\n" );
 if( $q->param("n") && $q->param("a") && $q->param("p") ) {
- my $auth = Piny::Auth->new( );
+ my $pass = $q->param("p");
+ my $code;
- my $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $q->param( "p" ) } );
+ if ( $q->param("h") ) {
+ $pass = $cipher->decrypt( decode_base32( $pass ) );
+ $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $pass } );
+ } else {
+ $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $pass } );
+ $pass = encode_base32( $cipher->encrypt( $pass ) );
+ };
 if ( $q->param("h") && $q->param("h") eq $code ) {
 unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) {
@@ -29,7 +42,7 @@ if( $q->param("n") && $q->param("a") && $q->param("p") ) {
 # make things flushier
 select((select(IN), $| = 1)[0]);
 select((select(OUT), $| = 1)[0]);
- print( IN $q->param("p") . "\n" );
+ print( IN $pass . "\n" );
 close( IN );
 while( ) {
 print;
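Review bot: In the new `if ( $q->param("h") )` branch, `$cipher->decrypt( decode_base32( $pass ) )` is applied to the request-supplied `p` before `h` has been compared with `$code`, and CBC mode has no integrity check of its own, so malformed or altered input reaches the cipher and any failure there is unhandled after the header has already been printed. Encrypting first and hashing the encoded value lets the existing `eq $code` test reject a bad `p` before anything is decrypted; the decrypt then moves inside that block, wrapped in `eval`. This changes what `h` covers, so links mailed before the change would stop verifying, and it assumes `$auth->hash` is keyed, which is not visible here. The `if( ... ) {` block opened in this hunk continues outside it.

```perl
    my $pass = $q->param("p");
    my $code;

    if ( !$q->param("h") ) {
        # First visit: seal the password, so only the ciphertext is hashed and mailed.
        $pass = encode_base32( $cipher->encrypt( $pass ) );
    };
    # h always covers p exactly as it appears in the link.
    $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $pass } );

    if ( $q->param("h") && $q->param("h") eq $code ) {
        # Decrypt only after h has matched; eval keeps malformed input from aborting the script.
        my $plain = eval { $cipher->decrypt( decode_base32( $pass ) ) };
        # … reject the request here when $plain is undef …
        # … unchanged: open2 call; the write to IN then uses $plain …
```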
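Review bot: `print( IN $pass . "\n" )` writes the password to the input of `newuser --batch` without checking it for line breaks, so a value containing `\n` would be read by the helper as more than one line. A guard such as `$pass !~ /[\r\n]/`, added to the condition that leads to this write, keeps the input to a single line. `$pass` is presumably the decrypted value at this point, while in the mail branch it holds the Base32 ciphertext; a comment like `# $pass is the decrypted password here` would make that explicit. The enclosing block starts and ends outside the hunk.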
@@ -51,7 +64,7 @@ if( $q->param("n") && $q->param("a") && $q->param("p") ) {
 print( MAIL "h=" . $code );
 print( MAIL "&n=" . $q->param("n") );
 print( MAIL "&a=" . $q->param("a") );
- print( MAIL "&p=" . $q->param("p") );
+ print( MAIL "&p=" . $pass );
 print( MAIL "\n");
 close( MAIL );
 print( "Done!" );
-- 
cgit v1.2.3
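Review bot: `$pass` at `print( MAIL "&p=" . $pass )` is ciphertext only when `h` was absent; when `h` is present, the earlier branch has already replaced `$pass` with the decrypted value. If this mail path can also be reached after a failed `h` comparison (the branching lies outside the hunk), the link would carry the cleartext again, together with a `$code` computed over it. Keeping the ciphertext in its own variable that is only ever assigned from `encode_base32( $cipher->encrypt( ... ) )`, e.g. `print( MAIL "&p=" . $sealed );`, or sending mail only when `h` is absent, closes that case.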