BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SUCCESS! Re: PHP change password script

Subject: SUCCESS! Re: PHP change password script
From: warlord-DPNOqEs/LNQ at public.gmane.org (Derek Atkins)
Date: Wed, 27 May 2009 17:37:47 -0400
In-reply-to: <4A1DA7CE.6010400-5a1Jt6qxUNc@public.gmane.org>
References: <sjmvdnovn1s.fsf@pgpdev.ihtfp.org> <4A1B4AF7.2050503@vl.com> <20090525221009.272qjjolwx0ggcwk@webmail.mit.edu> <4A1B9922.1090602@vl.com> <sjmk542tzta.fsf_-_@pgpdev.ihtfp.org> <4A1DA7CE.6010400@vl.com>

Quoting Tom Metro <tmetro-blu-5a1Jt6qxUNc at public.gmane.org>:

> Derek Atkins wrote:
>> It's using expect in a different way and this time it actually looks
>> for various errors.
>
> I see the error checks you added, but aside from that, how is it different?

The main difference is "expect -f -" ---  at least I think that's
the MAJOR change that caused it to work, in addition to the error checks.

>> function changePassword($user, $currpwd, $newpwd) {
> ...
>>   // Log conversation for verification
>>   $log = '/tmp/passwd_' . $user . '_' . time();
>
> I would include code here to "untaint" $user, seeing as you are 
> passing it on the command line a few times, and that makes you 
> vulnerable to shell meta character injection.

This is done elsewhere in the script, along with checking that the
two new passwords are the same.  The user is prompted to enter the
new password twice, and they are validated against each other (both in
javascript and also in the PHP).

>>   $cmd .= "log_file -a \"$log\"\n";
>> ...
>>   return (trim($output[count($output)-2])      == 'passwd: all 
>> authentication tokens updated successfully.') ?
> true : false;
>
> Now that you've cleaned up the expect script to return unique exit 
> codes for each state, you should replace that last line with "return 
> pclose($p);" and get rid of all the code for generating and 
> processing the log file.

Yeah, that was on my list of things to do...  I was just happy
to get it working at all!

[snip]
>     $cmd = <<< EXPECT
>         spawn /bin/su $user -c /usr/bin/passwd
>         expect {
>             "does not exist" {exit 1}
>             "assword: "
>         }
>         send "$currpwd\r"
>         expect {
>            "incorrect" {exit 2}
>            "hanging password for"
>         }
> EXPECT

Yeah, this would be cleaner.  It's the way it is no only
because I pulled it from somewhere else.

> A tad more readable...

yeah, but who is going to read it?   ;-)

Thanks for the tips.  :)

>  -Tom

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord-DPNOqEs/LNQ at public.gmane.org                       PGP key available

References:
- PHP script (or other webapp) to allow users to change their password
  - From: warlord-DPNOqEs/LNQ at public.gmane.org (Derek Atkins)
- PHP script (or other webapp) to allow users to change their password
  - From: tmetro-blu-5a1Jt6qxUNc at public.gmane.org (Tom Metro)
- PHP script (or other webapp) to allow users to change their password
  - From: warlord-DPNOqEs/LNQ at public.gmane.org (Derek Atkins)
- PHP script (or other webapp) to allow users to change their password
  - From: tmetro-blu-5a1Jt6qxUNc at public.gmane.org (Tom Metro)
- SUCCESS! Re: PHP change password script
  - From: warlord-DPNOqEs/LNQ at public.gmane.org (Derek Atkins)
- SUCCESS! Re: PHP change password script
  - From: tmetro-blu-5a1Jt6qxUNc at public.gmane.org (Tom Metro)

Prev by Date: SUCCESS! Re: PHP change password script
Next by Date: Boston Linux and Unix InstallFest XXXIII Saturday May 30, 2009
Previous by thread: SUCCESS! Re: PHP change password script
Next by thread: PHP script (or other webapp) to allow users to change their password
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org