diff options
Diffstat (limited to 'expect/example/passwd.cgi')
-rw-r--r-- | expect/example/passwd.cgi | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/expect/example/passwd.cgi b/expect/example/passwd.cgi new file mode 100644 index 00000000000..6e12dcede06 --- /dev/null +++ b/expect/example/passwd.cgi @@ -0,0 +1,105 @@ +#!/depot/path/expect -- + +# This is a CGI script to process requests created by the accompanying +# passwd.html form. This script is pretty basic, although it is +# reasonably robust. (Purposely intent users can make the script bomb +# by mocking up their own HTML form, however they can't expose or steal +# passwords or otherwise open any security holes.) This script doesn't +# need any special permissions. The usual (ownership nobody) is fine. +# +# With a little more code, the script can do much more exotic things - +# for example, you could have the script: +# +# - telnet to another host first (useful if you run CGI scripts on a +# firewall), or +# +# - change passwords on multiple password server hosts, or +# +# - verify that passwords aren't in the dictionary, or +# +# - verify that passwords are at least 8 chars long and have at least 2 +# digits, 2 uppercase, 2 lowercase, or whatever restrictions you like, +# or +# +# - allow short passwords by responding appropriately to passwd +# +# and so on. Have fun! +# +# Don Libes, NIST + +puts "Content-type: text/html\n" ;# note extra newline + +puts " +<head> +<title>Passwd Change Acknowledgment</title> +</head> + +<h2>Passwd Change Acknowledgment</h2> +" + +proc cgi2ascii {buf} { + regsub -all {\+} $buf { } buf + regsub -all {([\\["$])} $buf {\\\1} buf + regsub -all -nocase "%0d%0a" $buf "\n" buf + regsub -all -nocase {%([a-f0-9][a-f0-9])} $buf {[format %c 0x\1]} buf + eval return \"$buf\" +} + +foreach pair [split [read stdin $env(CONTENT_LENGTH)] &] { + regexp (.*)=(.*) $pair dummy varname val + set val [cgi2ascii $val] + set var($varname) $val +} + +log_user 0 + +proc errormsg {s} {puts "<h3>Error: $s</h3>"} +proc successmsg {s} {puts "<h3>$s</h3>"} + +# Need to su first to get around passwd's requirement that passwd cannot +# be run by a totally unrelated user. Seems rather pointless since it's +# so easy to satisfy, eh? + +# Change following line appropriately for your site. +# (We use yppasswd, but you might use something else.) +spawn /bin/su $var(name) -c "/bin/yppasswd $var(name)" +# This fails on SunOS 4.1.3 (passwd says "you don't have a login name") +# run on (or telnet first to) host running SunOS 4.1.4 or later. + +expect { + "Unknown login:" { + errormsg "unknown user: $var(name)" + exit + } default { + errormsg "$expect_out(buffer)" + exit + } "Password:" +} +send "$var(old)\r" +expect { + "unknown user" { + errormsg "unknown user: $var(name)" + exit + } "Sorry" { + errormsg "Old password incorrect" + exit + } default { + errormsg "$expect_out(buffer)" + exit + } "Old password:" +} +send "$var(old)\r" +expect "New password:" +send "$var(new1)\r" +expect "New password:" +send "$var(new2)\r" +expect -re (.*)\r\n { + set error $expect_out(1,string) +} + +if [info exists error] { + errormsg "$error" +} else { + successmsg "Password changed successfully." +} + |