Initial Alpine Version

1 files changed, 119 insertions, 0 deletions

diff --git a/web/src/cgi.tcl-1.10/example/passwd.cgi b/web/src/cgi.tcl-1.10/example/passwd.cgi
new file mode 100755
index 00000000..85c18174
--- /dev/null
+++ b/web/src/cgi.tcl-1.10/example/passwd.cgi
@@ -0,0 +1,119 @@
+#!/depot/path/expect --
+
+# This is a CGI script to process requests created by the accompanying
+# passwd.html form.  This script is pretty basic, although it is
+# reasonably robust.  (Purposely intent users can make the script bomb
+# by mocking up their own HTML form, however they can't expose or steal
+# passwords or otherwise open any security holes.)  This script doesn't
+# need any special permissions or ownership.
+#
+# With a little more code, the script can do much more exotic things -
+# for example, you could have the script:
+#
+# - telnet to another host first (useful if you run CGI scripts on a
+#   firewall), or
+#
+# - change passwords on multiple password server hosts, or
+# 
+# - verify that passwords aren't in the dictionary, or
+# 
+# - verify that passwords are at least 8 chars long and have at least 2
+#   digits, 2 uppercase, 2 lowercase, or whatever restrictions you like,
+#   or
+#
+# - allow short passwords by responding appropriately to passwd
+#
+# and so on.  Have fun!
+#
+# Don Libes, NIST
+
+package require cgi
+
+cgi_eval {
+    source example.tcl
+    source passwd.tcl
+
+    cgi_input
+
+    # Save username as cookie (see comment in passwd-form script) so that the
+    # next time users load the form, their username will already be filled in.
+    # If cookies bother you, simply remove this entire cgi_http_head command.
+    cgi_http_head {
+	cgi_content_type text/html
+	if {0==[catch {cgi_import login}]} {
+	    cgi_export_cookie login expires=never
+	}
+    }
+
+    cgi_title "Password Change Acknowledgment"
+    cgi_body {
+	if {(![info exists login])
+	    || [catch {cgi_import old}]
+	    || [catch {cgi_import new1}]
+	    || [catch {cgi_import new2}]} {
+	    errormsg "This page has been called with input missing.  Please \
+		    visit this form by filling out the password change \
+ 		    request form."
+	    return
+	}
+
+	# Prevent user from sneaking in commands (albeit under their own uid).
+	if {[regexp "\[^a-zA-Z0-9]" $login char]} {
+	    errormsg "Illegal character ($char) in username."
+	    return
+	}
+
+	log_user 0
+
+	# Need to su first to get around passwd's requirement that
+	# passwd cannot be run by a totally unrelated user.  Seems
+	# rather pointless since it's so easy to satisfy, eh?
+
+	# Change following line appropriately for your site.
+	# (We use yppasswd, but you might use something else.)
+	spawn /bin/su $login -c "/bin/yppasswd $login"
+	# This fails on SunOS 4.1.3 (passwd says "you don't have a
+	# login name") so run on (or telnet first to) host running
+	# SunOS 4.1.4 or later.
+
+	expect {
+	    -re "Unknown (login|id):" {
+		errormsg "unknown user: $login"
+		return
+	    } default {
+		errormsg "$expect_out(buffer)"
+		return
+	    } "Password:"
+	}
+	send "$old\r"
+	expect {
+	    "unknown user" {
+		errormsg "unknown user: $login"
+		return
+	    } "Sorry" {
+		errormsg "Old password incorrect"
+		return
+	    } default {
+		errormsg "$expect_out(buffer)"
+		return
+	    } "Old password:"
+	}
+	send "$old\r"
+	expect "New password:"
+	send "$new1\r"
+	expect "New password:"
+	send "$new2\r"
+	expect -re (.+)\r\n {
+	    set error $expect_out(1,string)
+	}
+	close
+	wait
+
+	if {[info exists error]} {
+	    errormsg "$error"
+	} else {
+	    successmsg "Password changed successfully."
+	}
+    }
+}
+