Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SUCCESS! Re: PHP change password script



Quoting Tom Metro <tmetro-blu-5a1Jt6qxUNc at public.gmane.org>:

> Derek Atkins wrote:
>> It's using expect in a different way and this time it actually looks
>> for various errors.
>
> I see the error checks you added, but aside from that, how is it different?

The main difference is "expect -f -" ---  at least I think that's
the MAJOR change that caused it to work, in addition to the error checks.

>> function changePassword($user, $currpwd, $newpwd) {
> ...
>>   // Log conversation for verification
>>   $log = '/tmp/passwd_' . $user . '_' . time();
>
> I would include code here to "untaint" $user, seeing as you are 
> passing it on the command line a few times, and that makes you 
> vulnerable to shell meta character injection.

This is done elsewhere in the script, along with checking that the
two new passwords are the same.  The user is prompted to enter the
new password twice, and they are validated against each other (both in
javascript and also in the PHP).

>>   $cmd .= "log_file -a \"$log\"\n";
>> ...
>>   return (trim($output[count($output)-2])      == 'passwd: all 
>> authentication tokens updated successfully.') ?
> true : false;
>
> Now that you've cleaned up the expect script to return unique exit 
> codes for each state, you should replace that last line with "return 
> pclose($p);" and get rid of all the code for generating and 
> processing the log file.

Yeah, that was on my list of things to do...  I was just happy
to get it working at all!

[snip]
>     $cmd = <<< EXPECT
>         spawn /bin/su $user -c /usr/bin/passwd
>         expect {
>             "does not exist" {exit 1}
>             "assword: "
>         }
>         send "$currpwd\r"
>         expect {
>            "incorrect" {exit 2}
>            "hanging password for"
>         }
> EXPECT

Yeah, this would be cleaner.  It's the way it is no only
because I pulled it from somewhere else.

> A tad more readable...

yeah, but who is going to read it?   ;-)

Thanks for the tips.  :)

>  -Tom

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord-DPNOqEs/LNQ at public.gmane.org                       PGP key available







BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org