From 5693d353d000673f49b83e77b29eb1321a300441 Mon Sep 17 00:00:00 2001 From: Julian Blake Kongslie Date: Wed, 20 Apr 2011 22:59:08 -0700 Subject: introduce some semblance of security for the newuser cgi. --- pinyweb/cgi-bin/newuser.cgi | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'pinyweb/cgi-bin/newuser.cgi') diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi index 7763f67..4f1263b 100755 --- a/pinyweb/cgi-bin/newuser.cgi +++ b/pinyweb/cgi-bin/newuser.cgi @@ -9,12 +9,19 @@ use CGI; use IPC::Open2; +use Piny::Auth; + $q = CGI->new; print( "Content-type: text/plain\n\n" ); if( $q->param("n") && $q->param("a") && $q->param("p") ) { - if ( $q->param("h") && $q->param("h") eq "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ) { + + my $auth = Piny::Auth->new( ); + + my $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $q->param( "p" ) } ); + + if ( $q->param("h") && $q->param("h") eq $code ) { unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) { print "could not execute newrepo"; die; @@ -41,7 +48,7 @@ if( $q->param("n") && $q->param("a") && $q->param("p") ) { print( MAIL "s" ); }; print( MAIL "://" . $ENV{"SERVER_NAME"} . $ENV{"SCRIPT_NAME"} . "?" ); - print( MAIL "h=" . "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ); + print( MAIL "h=" . $code ); print( MAIL "&n=" . $q->param("n") ); print( MAIL "&a=" . $q->param("a") ); print( MAIL "&p=" . $q->param("p") ); -- cgit v1.2.3