SUCCESS! Re: PHP change password script
Derek Atkins
warlord-DPNOqEs/LNQ at public.gmane.org
Wed May 27 17:37:47 EDT 2009
Quoting Tom Metro <tmetro-blu-5a1Jt6qxUNc at public.gmane.org>:
> Derek Atkins wrote:
>> It's using expect in a different way and this time it actually looks
>> for various errors.
>
> I see the error checks you added, but aside from that, how is it different?
The main difference is "expect -f -" --- at least I think that's
the MAJOR change that caused it to work, in addition to the error checks.
>> function changePassword($user, $currpwd, $newpwd) {
> ...
>> // Log conversation for verification
>> $log = '/tmp/passwd_' . $user . '_' . time();
>
> I would include code here to "untaint" $user, seeing as you are
> passing it on the command line a few times, and that makes you
> vulnerable to shell meta character injection.
This is done elsewhere in the script, along with checking that the
two new passwords are the same. The user is prompted to enter the
new password twice, and they are validated against each other (both in
javascript and also in the PHP).
>> $cmd .= "log_file -a \"$log\"\n";
>> ...
>> return (trim($output[count($output)-2]) == 'passwd: all authentication tokens updated successfully.') ? true : false;
>
> Now that you've cleaned up the expect script to return unique exit
> codes for each state, you should replace that last line with "return
> pclose($p);" and get rid of all the code for generating and
> processing the log file.
Yeah, that was on my list of things to do... I was just happy
to get it working at all!
[snip]
> $cmd = <<< EXPECT
> spawn /bin/su $user -c /usr/bin/passwd
> expect {
>     "does not exist" {exit 1}
>     "assword: "
> }
> send "$currpwd\r"
> expect {
>     "incorrect" {exit 2}
>     "hanging password for"
> }
> EXPECT;
Yeah, this would be cleaner. It's the way it is only
because I pulled it from somewhere else.
> A tad more readable...
yeah, but who is going to read it? ;-)
Thanks for the tips. :)
> -Tom
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord-DPNOqEs/LNQ at public.gmane.org PGP key available
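Pulling the thread's suggestions together (untaint $user, feed the script to "expect -f -", give each failure its own exit code and return the process status instead of parsing a log file), here is a self-contained version. This is an added example, not Derek's script or anything posted to the list. It assumes a Linux host where PHP runs as a non-root user, so `su` asks for the account password before `passwd` prints its usual PAM prompts; the paths `/usr/bin/expect`, `/bin/su` and `/usr/bin/passwd`, the environment variable names `PW_USER`, `PW_CURRENT` and `PW_NEW`, and exit codes 3 and 4 are this example's own choices (1 and 2 follow the quoted script). The two copies of the new password are assumed to have been compared already, as the thread describes.

```php
<?php
// Added example, not code from the mailing-list thread.
// Exit codes returned by changePassword():
//   0 ok, 1 no such user, 2 current password rejected,
//   3 new password rejected, 4 unexpected output or timeout.

function untaintUser(string $user): string {
    // Accept only a conservative POSIX user-name shape and refuse anything
    // else; rejecting is safer than trying to escape shell metacharacters.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    return $user;
}

function changePassword(string $user, string $currpwd, string $newpwd): int {
    $user = untaintUser($user);

    // The expect program contains no secrets.  Passwords are read from the
    // environment, so Tcl metacharacters in them ($, [, ", \) cannot alter
    // the script, and neither user name nor passwords appear in `ps` output.
    // Nowdoc syntax: PHP does not interpolate anything below.
    $script = <<<'EXPECT'
set timeout 20
log_user 0
spawn /bin/su $env(PW_USER) -c /usr/bin/passwd
expect {
    "does not exist"         { exit 1 }
    -re {Password: ?$}       { send -- "$env(PW_CURRENT)\r" }
    timeout                  { exit 4 }
    eof                      { exit 4 }
}
expect {
    "incorrect"              { exit 2 }
    "uthentication failure"  { exit 2 }
    "hanging password for"   { }
    timeout                  { exit 4 }
    eof                      { exit 4 }
}
expect {
    -re {\(current\) UNIX password: ?$} { send -- "$env(PW_CURRENT)\r"; exp_continue }
    -re {New password: ?$}   { send -- "$env(PW_NEW)\r" }
    "incorrect"              { exit 2 }
    timeout                  { exit 4 }
    eof                      { exit 4 }
}
expect {
    -re {Retype new password: ?$} { send -- "$env(PW_NEW)\r" }
    "BAD PASSWORD"           { exit 3 }
    timeout                  { exit 4 }
    eof                      { exit 4 }
}
expect {
    "updated successfully"   { exit 0 }
    "BAD PASSWORD"           { exit 3 }
    -re {New password: ?$}   { exit 3 }
    timeout                  { exit 4 }
    eof                      { exit 4 }
}
exit 4
EXPECT;

    $descriptors = [
        0 => ['pipe', 'r'],   // expect -f - reads the script from stdin
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    // Minimal environment: PATH plus the three values the script needs.
    $env = [
        'PATH'       => '/usr/bin:/bin',
        'PW_USER'    => $user,
        'PW_CURRENT' => $currpwd,
        'PW_NEW'     => $newpwd,
    ];
    $proc = proc_open('/usr/bin/expect -f -', $descriptors, $pipes, null, $env);
    if (!is_resource($proc)) {
        return 4;
    }
    fwrite($pipes[0], $script);
    fclose($pipes[0]);
    // Drain both output pipes so expect can never block on a full pipe.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    // The expect exit status is the whole result; no log file to parse.
    return proc_close($proc);
}

// Example call (values would come from the validated form in practice).
$messages = [0 => 'password changed', 1 => 'no such user',
             2 => 'current password incorrect', 3 => 'new password rejected',
             4 => 'unexpected error'];
$rc = changePassword('alice', 'old-secret', 'new-secret-42');
echo $messages[$rc] ?? 'unexpected error', "\n";
```

Two notes on the design. Environment variables are visible in `/proc/<pid>/environ` only to the same uid and root, whereas argv is world-readable, which is why both the user name and the passwords are kept out of the command line even though the name has been validated. The `exp_continue` on the "(current) UNIX password:" prompt handles PAM setups that ask for the old password again after `su` has already checked it; on a host where the prompts differ from the ones assumed here, the patterns need adjusting and the fall-through `exit 4` is what you will see.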