--- loncom/lcpasswd 2000/10/28 19:22:19 1.6
+++ loncom/lcpasswd 2000/10/29 23:14:16 1.8
@@ -23,6 +23,19 @@ use strict;
 # Second line is CURRENT PASSWORD
 # Third line is NEW PASSWORD
+# Valid passwords must consist of the
+# ascii characters within the inclusive
+# range of 0x20 (32) to 0x7E (126).
+# These characters are:
+# SPACE and
+# !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNO
+# PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
+
+# Valid user names must consist of ascii
+# characters that are alphabetical characters
+# (A-Z,a-z), numeric (0-9), or the underscore
+# mark (_). (Essentially, the perl regex \w).
+
 # Command-line arguments
 # Yes, but be very careful here (don't pass shell commands)
 # and this is only supported to allow perl-system calls.
@@ -35,13 +48,13 @@ use strict;
 # These are the exit codes.
 # ( (0,"ok"),
-# (1,"User ID mismatch. This program must be run as user 'www'),
+# (1,"User ID mismatch. This program must be run as user 'www'"),
 # (2,"Error. This program does not accept command-line arguments."),
 # (3,"Error. Three lines need to be entered into standard input."),
 # (4,"Error. Too many other simultaneous password change requests being made."),
 # (5,"Error. User $username does not exist."),
 # (6,"Error. Invalid entry of current password."),
-# (7,"Error. Root was not successfully enabled.") )
+# (7,"Error. Root was not successfully enabled."),
 # (8,"Error. Cannot open /etc/passwd.") )
 # Security
@@ -97,6 +110,14 @@ else {
 }
 my ($username,$oldpwd,$newpwd)=@input;
+$username=~/^(\w+)$/;
+my $safeusername=$1;
+if ($username ne $safeusername) {
+ print "Error. The user name specified has invalid characters.\n";
+ unlink('/tmp/lock_lcpasswd');
+ exit 9;
+}
+
 # Grab the line corresponding to username
 my ($userid,$useroldcryptpwd);
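Review bot: The password rule added to the header comment (ASCII 0x20 to 0x7E) has no matching check anywhere in the hunks of this commit; only `$username` is validated after `my ($username,$oldpwd,$newpwd)=@input;`. If `$newpwd` is not tested elsewhere in the file, a guard such as `if ($newpwd !~ /\A[\x20-\x7E]+\z/) { ... }` placed next to the user-name check would turn the documented rule into an enforced one. The rest of the file is outside this diff, so this is worth confirming before relying on the comment.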
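Review bot: The untaint step `$username=~/^(\w+)$/; my $safeusername=$1;` reads `$1` without testing whether the match succeeded, so after a failed match `$safeusername` is undef or a capture left over from an earlier successful match, and rejection depends entirely on the `ne` comparison that follows. Capturing in list context with `\A`/`\z` anchors makes the check direct: `my ($safeusername) = $username =~ /\A([A-Za-z0-9_]+)\z/;` followed by `unless (defined $safeusername) { ... exit 9; }`. The explicit class also keeps the match to the ASCII set the header comment promises, which `\w` does not guarantee under a locale or with Unicode strings. Exit code 9 is introduced here but is missing from the exit-code list that this same commit edits; add `# (9,"Error. The user name specified has invalid characters.")` there. The lock handling around `unlink('/tmp/lock_lcpasswd')` lies outside the hunk, so whether that is the right cleanup on this path cannot be confirmed from here.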
@@ -137,8 +158,7 @@ for my $l (@lines) {
 else {print PASSWORDFILE "$l\n";}
 }
 close PASSWORDFILE;
-$username=~/^(\w+)$/;
-my $safeusername=$1;
+
 ($>,$<)=(0,0); # fool smbpasswd here to think this is not a setuid environment
 unless (-e '/etc/smbpasswd') {
 open (OUT,'>/etc/smbpasswd'); close OUT;