Subversion Repositories or1k

#!/depot/path/expect --

# This is a CGI script to process requests created by the accompanying
# passwd.html form.  This script is pretty basic, although it is
# reasonably robust.  (Purposely intent users can make the script bomb
# by mocking up their own HTML form, however they can't expose or steal
# passwords or otherwise open any security holes.)  This script doesn't
# need any special permissions.  The usual (ownership nobody) is fine.
#
# With a little more code, the script can do much more exotic things -
# for example, you could have the script:
#
# - telnet to another host first (useful if you run CGI scripts on a
#   firewall), or
#
# - change passwords on multiple password server hosts, or
# 
# - verify that passwords aren't in the dictionary, or
# 
# - verify that passwords are at least 8 chars long and have at least 2
#   digits, 2 uppercase, 2 lowercase, or whatever restrictions you like,
#   or
#
# - allow short passwords by responding appropriately to passwd
#
# and so on.  Have fun!
#
# Don Libes, NIST

puts "Content-type: text/html\n"        ;# note extra newline

puts "
<head>
<title>Passwd Change Acknowledgment</title>
</head>

<h2>Passwd Change Acknowledgment</h2>
"

proc cgi2ascii {buf} {
    regsub -all {\+} $buf { } buf
    regsub -all {([\\["$])} $buf {\\\1} buf
    regsub -all -nocase "%0d%0a" $buf "\n" buf
    regsub -all -nocase {%([a-f0-9][a-f0-9])} $buf {[format %c 0x\1]} buf
    eval return \"$buf\"
}

foreach pair [split [read stdin $env(CONTENT_LENGTH)] &] {
        regexp (.*)=(.*) $pair dummy varname val
        set val [cgi2ascii $val]
        set var($varname) $val
}

log_user 0

proc errormsg {s} {puts "<h3>Error: $s</h3>"}
proc successmsg {s} {puts "<h3>$s</h3>"}

# Need to su first to get around passwd's requirement that passwd cannot
# be run by a totally unrelated user.  Seems rather pointless since it's
# so easy to satisfy, eh?

# Change following line appropriately for your site.
# (We use yppasswd, but you might use something else.)
spawn /bin/su $var(name) -c "/bin/yppasswd $var(name)"
# This fails on SunOS 4.1.3 (passwd says "you don't have a login name")
# run on (or telnet first to) host running SunOS 4.1.4 or later.

expect {
        "Unknown login:" {
                errormsg "unknown user: $var(name)"
                exit
        } default {
                errormsg "$expect_out(buffer)"
                exit
        } "Password:"
}
send "$var(old)\r"
expect {
        "unknown user" {
                errormsg "unknown user: $var(name)"
                exit
        } "Sorry" {
                errormsg "Old password incorrect"
                exit
        } default {
                errormsg "$expect_out(buffer)"
                exit
        } "Old password:"
}
send "$var(old)\r"
expect "New password:"
send "$var(new1)\r"
expect "New password:"
send "$var(new2)\r"
expect -re (.*)\r\n {
        set error $expect_out(1,string)
}

if [info exists error] {
        errormsg "$error"
} else {
        successmsg "Password changed successfully."
}