From 8efa5148fad4266d573ab4d488801abc7c83cd6f Mon Sep 17 00:00:00 2001
From: "jrayhawk+piny.be@omgwallhack.org" <jrayhawk@dev.piny.svcs.cs.pdx.edu>
Date: Thu, 3 Feb 2011 02:07:18 -0800
Subject: Rough stab at hmacing newuser.cgi

---
 pinyweb/cgi-bin/newuser.cgi | 49 +++++++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 13 deletions(-)


diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi
index 90c2d59..7763f67 100755
--- a/pinyweb/cgi-bin/newuser.cgi
+++ b/pinyweb/cgi-bin/newuser.cgi
@@ -13,19 +13,42 @@ $q = CGI->new;
 
 print( "Content-type: text/plain\n\n" );
 
-if( $q->param('n') && $q->param('a') && $q->param('p') ) {
-  unless( open2( OUT, IN, '/usr/bin/sudo', '/usr/sbin/newuser', '--batch', $q->param('a'), $q->param('n') ) ) {
-    print 'could not execute newrepo';
-    die;
-  };
-  # make things flushier
-  select((select(IN), $| = 1)[0]);
-  select((select(OUT), $| = 1)[0]);
-  print( IN $q->param('p') . "\n" );
-  close( IN );
-  while( <OUT> ) {
-    print;
+if( $q->param("n") && $q->param("a") && $q->param("p") ) {
+  if ( $q->param("h") && $q->param("h") eq "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ) {
+    unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) {
+      print "could not execute newrepo";
+      die;
+    };
+    # make things flushier
+    select((select(IN), $| = 1)[0]);
+    select((select(OUT), $| = 1)[0]);
+    print( IN $q->param("p") . "\n" );
+    close( IN );
+    while( <OUT> ) {
+      print;
+    };
+  } else { # No hash, they need one sent to their address
+    print( "Dispatching email to " . $q->param("a") . "...\n" );
+    unless( open( MAIL, "|/usr/lib/sendmail -t" ) ) {
+      print "could not execute sendmail";
+      die;
+    };
+    print( MAIL "To: " . $q->param("a") . "\n" );
+    print( MAIL "Subject: Verifying account " . $q->param("n") . "\n" );
+    print( MAIL "Content-Type: text/plain; charset=us-ascii\n\n" );
+    print( MAIL "http" );
+    if( $ENV{"HTTPS"} eq "on" ) {
+      print( MAIL "s" );
+    };
+    print( MAIL "://" . $ENV{"SERVER_NAME"} . $ENV{"SCRIPT_NAME"} . "?" );
+    print( MAIL "h=" . "REPLACE_THIS_WITH_REFERENCE_TO_HASH" );
+    print( MAIL "&n=" . $q->param("n") );
+    print( MAIL "&a=" . $q->param("a") );
+    print( MAIL "&p=" . $q->param("p") );
+    print( MAIL "\n");
+    close( MAIL ); 
+    print( "Done!" );
   };
 } else {
-  print 'Missing parameters.';
+  print( "Missing parameters." );
 };
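Review bot: The values of `a` and `n` are written straight into the `To:` and `Subject:` headers of a `sendmail -t` pipe (the `print( MAIL "To: " ...` and `print( MAIL "Subject: ..."` lines) with no check for embedded line breaks, so a parameter containing CR/LF can add headers — including extra recipients, since `-t` takes the recipient list from the headers — and the script becomes a relay for anyone who can reach it. Reject multi-line or whitespace-containing values before the pipe is opened, e.g. `die "bad address" unless $q->param("a") =~ /\A[^\s,;<>]+\z/;` and a similar anchored check for `n`. The same three values are also concatenated into the query string unencoded, so `&`, `=`, `+` or `%` in them corrupt the link; wrap each in `$q->escape( ... )`. The link also carries `p` — if that is the account password, as the write to the `newuser --batch` stdin suggests, it ends up in the mail body, web-server access logs and browser history, so a one-time token would be preferable. The bareword `MAIL` handle and two-arg pipe `open` should become a lexical handle with the list form, `open( my $mail, '|-', '/usr/lib/sendmail', '-t' )`, which also gives a place for an `or die` with `$!`.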
-- 
cgit v1.2.3


From 5693d353d000673f49b83e77b29eb1321a300441 Mon Sep 17 00:00:00 2001
From: Julian Blake Kongslie <jblake@omgwallhack.org>
Date: Wed, 20 Apr 2011 22:59:08 -0700
Subject: introduce some semblance of security for the newuser cgi.

---
 pinyweb/cgi-bin/newuser.cgi | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)


diff --git a/pinyweb/cgi-bin/newuser.cgi b/pinyweb/cgi-bin/newuser.cgi
index 7763f67..4f1263b 100755
--- a/pinyweb/cgi-bin/newuser.cgi
+++ b/pinyweb/cgi-bin/newuser.cgi
@@ -9,12 +9,19 @@ use CGI;
 
 use IPC::Open2;
 
+use Piny::Auth;
+
 $q = CGI->new;
 
 print( "Content-type: text/plain\n\n" );
 
 if( $q->param("n") && $q->param("a") && $q->param("p") ) {
-  if ( $q->param("h") && $q->param("h") eq "REPLACE_THIS_WITH_REFERENCE_TO_HASH" ) {
+
+  my $auth = Piny::Auth->new( );
+
+  my $code = $auth->hash( { "n" => $q->param( "n" ), "a" => $q->param( "a" ), "p" => $q->param( "p" ) } );
+
+  if ( $q->param("h") && $q->param("h") eq $code ) {
     unless( open2( OUT, IN, "/usr/bin/sudo", "/usr/sbin/newuser", "--batch", $q->param("a"), $q->param("n") ) ) {
       print "could not execute newrepo";
       die;
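Review bot: The hash input on the `my $code = $auth->hash( { ... } )` line calls `$q->param` in list context inside an anonymous hash, and CGI.pm's `param` returns every value of a repeated parameter there, so a request with a duplicated `n`, `a` or `p` shifts the key/value pairs and the code is computed over different data than the scalar `$q->param("a")`/`$q->param("n")` calls that later reach `newuser`. Force scalar context, `"n" => scalar( $q->param( "n" ) )`, for each of the three keys so the authenticated tuple is exactly the one acted upon. The `eq $code` comparison is a plain string compare; a constant-time comparison would remove the (small, over the network) timing signal about how many leading characters match. Whether the code is actually unforgeable depends on `Piny::Auth->hash` being keyed with a server-side secret, which is not visible here — a comment above the call stating that contract would help, e.g. `# $code is an HMAC over the tuple; forging it requires the server key`. The enclosing `if` block continues past the end of the hunk.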
@@ -41,7 +48,7 @@ if( $q->param("n") && $q->param("a") && $q->param("p") ) {
       print( MAIL "s" );
     };
     print( MAIL "://" . $ENV{"SERVER_NAME"} . $ENV{"SCRIPT_NAME"} . "?" );
-    print( MAIL "h=" . "REPLACE_THIS_WITH_REFERENCE_TO_HASH" );
+    print( MAIL "h=" . $code );
     print( MAIL "&n=" . $q->param("n") );
     print( MAIL "&a=" . $q->param("a") );
     print( MAIL "&p=" . $q->param("p") );
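Review bot: `$code` is concatenated into the query string on the `print( MAIL "h=" . $code )` line without URL encoding; if `Piny::Auth->hash` can return characters outside the unreserved set (base64 output contains `+`, `/` and `=`), URL decoding turns `+` into a space and the `eq $code` check at the top of the script rejects the link. Emit `$q->escape( $code )` instead, or document at the call site that `hash` returns hex so the raw value is safe. The enclosing `else` branch and the `if` around it start outside the hunk.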
-- 
cgit v1.2.3