From 403363ae69f7523eb05c34b969d03b29b9f85b12 Mon Sep 17 00:00:00 2001
From: BlackLight
Date: Sun, 26 Dec 2010 18:08:43 +0100
Subject: [PATCH] passwd command added
---
 blash.json | 1 +
 commands/logout.json | 11 +++
 commands/passwd.json | 185 +++++++++++++++++++++++++++++++++++
 modules/users/.users.php.swp | Bin 12288 -> 20480 bytes
 modules/users/users.php | 118 +++++++++++++++++-----
 5 files changed, 288 insertions(+), 27 deletions(-)
 create mode 100644 commands/passwd.json
diff --git a/blash.json b/blash.json
index d4e4909..a3accad 100644
--- a/blash.json
+++ b/blash.json
@@ -195,6 +195,7 @@
 "logout",
 "ls",
 "man",
+ "passwd",
 "pwd",
 "su",
 "useradd",
diff --git a/commands/logout.json b/commands/logout.json
index ba3fb45..116ee78 100644
--- a/commands/logout.json
+++ b/commands/logout.json
@@ -17,6 +17,17 @@
 shell.user = shell.json.user;
 document.cookie = '';
+
+ var users_php = window.location.href;
+ users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' );
+ params = 'action=logout';
+
+ var http = new XMLHttpRequest();
+ http.open ( "POST", users_php, true );
+ http.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" );
+ http.setRequestHeader( "Content-length", params.length );
+ http.setRequestHeader( "Connection", "close" );
+ http.send ( params );
 return out;
 },
 }
diff --git a/commands/passwd.json b/commands/passwd.json
new file mode 100644
index 0000000..84f400b
--- /dev/null
+++ b/commands/passwd.json
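Review bot: The logout request in commands/logout.json is fire-and-forget: there is no `onreadystatechange` handler, and the local state is reset before the server has cleared the `username`/`auth` cookies, so if the POST fails the shell shows the guest user while the cookies stay valid (the `document.cookie = '';` context line does not remove cookies). Checking `http.status` and reporting a failed logout would close that gap. `params = 'action=logout';` also creates an implicit global; it should be `var params = 'action=logout';`. Browsers do not allow scripts to set `Content-length` and `Connection` on an XMLHttpRequest, so those two `setRequestHeader` calls can be dropped. The enclosing function starts outside the hunk.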
@@ -0,0 +1,185 @@ +{ + "name" : "passwd", + + "info" : { + "syntax" : "passwd", + "brief" : "Change the user password", + }, + + "keyOldPassword" : function ( e ) + { + var evt = ( window.event ) ? window.event : e; + var key = ( evt.charCode ) ? evt.charCode : evt.keyCode; + var oldpassword = document.getElementsByName ( "oldpassword" )[0]; + var password = document.getElementsByName ( "password" )[0]; + var passwordText = document.getElementById ( "passwordText" ); + + if ( key == 13 && oldpassword.value.length > 0 ) + { + password.style.visibility = 'visible'; + passwordText.style.visibility = 'visible'; + password.focus(); + } + }, + + "keyPassword" : function ( e ) + { + var evt = ( window.event ) ? window.event : e; + var key = ( evt.charCode ) ? evt.charCode : evt.keyCode; + var password = document.getElementsByName ( "password" )[0]; + var repeatPassword = document.getElementsByName ( "repeatPassword" )[0]; + var repeatPasswordText = document.getElementById ( "repeatPasswordText" ); + + if ( key == 13 && password.value.length > 0 ) + { + repeatPassword.style.visibility = 'visible'; + repeatPasswordText.style.visibility = 'visible'; + repeatPassword.focus(); + } + }, + + "keyRepeatPassword" : function ( e ) + { + var evt = ( window.event ) ? window.event : e; + var key = ( evt.charCode ) ? 
evt.charCode : evt.keyCode; + var oldpassword = document.getElementsByName ( "oldpassword" )[0]; + var password = document.getElementsByName ( "password" )[0]; + var repeatPassword = document.getElementsByName ( "repeatPassword" )[0]; + var repeatPasswordText = document.getElementById ( "repeatPasswordText" ); + + if ( key == 13 && password.value.length > 0 ) + { + if ( password.value != repeatPassword.value ) + { + shell.cmdOut.innerHTML = 'The passwords do not match'; + } else { + var users_php = window.location.href; + users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' ); + params = 'action=changepwd&user=' + escape ( shell.newuser ) + '&newpass=' + md5 ( password.value ); + + if ( shell.curUser != 'root' ) + { + params += '&oldpass=' + md5 ( oldpassword.value ); + } + + var http = new XMLHttpRequest(); + http.open ( "POST", users_php, true ); + http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); + http.setRequestHeader("Content-length", params.length); + http.setRequestHeader("Connection", "close"); + + http.onreadystatechange = function () + { + if ( http.readyState == 4 && http.status == 200 ) + { + if ( http.responseText.length > 0 ) + { + shell.cmdOut.innerHTML = http.responseText; + } else { + shell.cmdOut.innerHTML = ''; + } + + shell.refreshPrompt ( false, false ); + } + } + + http.send ( params ); + shell.cmdOut.innerHTML = ''; + } + + shell.auto_prompt_focus = true; + shell.auto_prompt_refresh = true; + shell.refreshPrompt ( false, false ); + } + }, + + "action" : function ( arg ) + { + var out = ''; + + shell.auto_prompt_focus = false; + shell.auto_prompt_refresh = false; + shell.newuser = arg; + shell.keyOldPassword = this.keyOldPassword; + shell.keyPassword = this.keyPassword; + shell.keyRepeatPassword = this.keyRepeatPassword; + + var users_php = window.location.href; + users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' ); + params = 'action=getuser'; + + var http = new 
XMLHttpRequest(); + http.open ( "POST", users_php, true ); + http.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" ); + http.setRequestHeader( "Content-length", params.length ); + http.setRequestHeader( "Connection", "close" ); + + http.onreadystatechange = function () + { + if ( http.readyState == 4 && http.status == 200 ) + { + if ( shell.__first_cmd ) + { + shell.cmdOut.innerHTML = '
'; + shell.__first_cmd = false; + } else { + shell.cmdOut.innerHTML = ''; + } + + shell.curUser = http.responseText; + + if ( !arg || arg.length == 0 ) + { + shell.newuser = http.responseText; + } + + if ( http.responseText == 'root' ) + { + shell.cmdOut.innerHTML += 'New password:
' + + '
'; + + document.getElementsByName ( 'password' )[0].focus(); + } else { + if ( shell.newuser.length > 0 && shell.newuser != http.responseText ) + { + shell.cmdOut.innerHTML = "You cannot change the password for user '" + + shell.newuser + "'"; + + shell.refreshPrompt ( false, false ); + return 1; + } else if ( http.responseText == shell.json.user ) { + shell.cmdOut.innerHTML = "You cannot change the password for the " + + "guest user"; + + shell.refreshPrompt ( false, false ); + return 1; + } + + shell.cmdOut.innerHTML += 'Old password:
' + + '
' + + '
'; + + document.getElementsByName ( 'oldpassword' )[0].focus(); + } + } + } + + http.send ( params ); + shell.cmdOut.innerHTML = ''; + return out; + }, +} + 
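Review bot: In `keyRepeatPassword` the server's reply is written with `shell.cmdOut.innerHTML = http.responseText;`, and users.php echoes the submitted `user` value back in its messages, so any markup in that value is parsed by the page; `action` does the same with `shell.newuser` in the "You cannot change the password for user" message. Writing these messages through `shell.cmdOut.textContent` avoids that. The request also sends `md5 ( password.value )` as `newpass`/`oldpass`, which makes the unsalted MD5 digest the actual credential: anyone who sees the request or the stored value can reuse it, so this needs TLS and a salted, slow hash computed on the server. `escape ( shell.newuser )` should be `encodeURIComponent ( shell.newuser )`, and `params` is assigned without `var` in both functions.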
diff --git a/modules/users/.users.php.swp b/modules/users/.users.php.swp index 74c3fa5ec14fafde2ab681da86a53a03d7ae73bc..df69205fabc55595d66de96cc65ca162ef80c074 100644 GIT binary patch literal 20480 zcmeI2dyE}b8NjCk!XjWTgqJa%-mbmfu)BAc6?tqQlv2YMno_olK)W`#_s-or?A@8` z%-k+z!T7J`*+2z>M4%YsBZfzW7>%Mq3J5|F1dK1DJfc9<5FSQ~zwgYPxsSa|cPW}m z=5BsF_ntX(<~!f{&g1*e+0u9Z&{}nJ?|{W;zGWT1^_aEJ3G=MqU2IufD*3{A#ThGy za&zX-q~nIRKT!+qne)h2+f9!j&M8b~#eY9Q4>s)1AksRmLFq#8&y z@L|$GSUtdcmkNCZGB7XZK&~DT63}S}a6KJvjDK@UKdA;%4Wt@KHIQl`)j+C&R0F97 zQVpaUNHvgZAl1PCi3ajT%lhMCmNj)a0^{sU4B%fMx2(6}dH54N3Xi~Da3@s2fqv+L ze;;94Z^4`J3-}pK!B*&pKG;L~Z^2Wr8}5eh!M9)++z!{mRd6MUJgeaXI0wdI3`%em z%!g-@`V zurLVyLO!qy6IHcDbzU-2=~*rZKQ?wcqZ_kse!|XY%S>M@a?eX zyQ+WC>gcHY96C{%v6>x(nL&$`%b_Vtn>qnv$3BiACuX zQREXn(!LsTp7>FxM15OopRa}G#>&d??5OJMl6vv!lmxX*O%zX>QCX^Ynii}1Adq4r z0iyS}d;KhwZ~IY`h)f8i%PM)kNaG+_-=JKVs)AReRT|q!xwzd9aCcFlb&BxRo~m{6w!rPrik6B4r4Nr?M4m%o?}qdd#H3$ zeuM4Lr5hOqMtw)DZr^&2HjO5Q7%Q7)w@D0t;aoe7vC(#K-w^jwZRdr&t2`I$lrERY zHVfsvpD%DsFc3?X9xW--@3I^7J(sTRxu~z_)Xk&WxS0|WtG+$9c_JSc%3`&-jbCiY zoXgTWjoLNh6~)Fg89neNB}rwI%nKPO=snW6>+Ne2qj9&MzKnV3yw&SRRu6C3n2pS0 zkXO}9Ysw(+$c~aB8W-rEj@x!r$c~7KX0p9WLA_ZOG=1n%)n4gM711J)%Dm#^;sS%Z^>oFSmo3v?$ zJLzG~3RL+DGfi=uvM)g^L9D=Ni2I)mQH?YDempKEGea_#JAs~y^J;6p;uKYx1IVrB zH^b1w^fT=fH&?@QRFpA2HJRb%R-5~Kd5ZT&<}vM2k*MvA*?!6vvy4}9(M&kE1?dMd z!B2?@bFtC3i!)h`N=dVvQD-vOS+6+dU6IgpojOHK{p9quq#2H6t-iO_CWW|#O0CF> zvuQ9Kw5F_5%`JqE=PK5sBMfnB2`lZHvRirru*CmA0$(+QUn~Cq>0I8#r+))pgrC4o zumi4z%i%&e366z##kYrBzyTW;!O^e)J^|0+t3M6jgd5>{xDN6#3ZI0(;Gatz;!zNv zehN0h`LGy14KLxFix2+22u^A8b~#eY9Q6X{;z=*%PmU~FCmUW@=f~;k>e0Win8aLkeLoQ zOn)RP#afYkZC_yQ^8-B9*dMHz8dWhc9}Qzy)jhX`u_!{%gUDR+lP{ zL>r&G9>R#k*ODh*q^U}?SKdCX(d=){A+$koqb2UD;}WA1PaqVrS$^sGK~k02Ni<%f zsgkLa#1RsYxKQ(biHRq5!ZV(fxT*;z7`Y?wWd>0QoppMZqLxMJErP~4YbP(+EbfXT zU)J}$kdOz4+0l{9si9I74vgi{*<$Zpa&{9av~P)w%&=4HljUJ```bv4?Dc6GQhGWMnn zbVqrO4*z!4J490+x=E5J3K2*0Rws)sVd8chHd#WMjoU3vc|_tk2HBD?iA8(0u<0%0 z{|~XpdmQ`6;{SVG_TbmQ1AlIX=fQgT6dVVK!69%k{F)fR 
z<8UcVfW!&PU}6Nn#s7Z{9)^cN&H>07fK9Lt&W1H`EXdyfbHoCkf?co^u7xY%3Mjw; z8~_gy2iOfafb92=z*%r6tb)Jd<39_}Kn*G|4x3;Qj)&vm1>z&m!&C4CJPtR*4R8jW z1pUwlZ?TvEIy?aP!98#{)Zk0-Ip_!3@Bcg819!j;upSn`%e2Ky@LjkCz6LwsD!39h z!!WFYAvgs-1JZ_a4qzU<%KrWjHBOqwRiUpj8e8Rw>xV{{VMRZ~_l=|sohIypcm j+xuvfwyqy?o3gacnA^+Zvu$Kck{VC2MWslLf@1yy1m7xr delta 742 zcmYMyT}YEr7{Kx8om*~8okVNcg&VtQy9ht9C5uQwD8!~2R8A_wi@bD^k~!jC(42R= z1`RYJZ(^tu)+;#ZV;XcZjHD4Hk%T08;V!%o$8bX5ytJygbui1g9&@|!xlF18997J1~0IH zB%Wdd5rpvw4^iwVKYHOqUKdS83@ztG9>m(u+hZB$*(35V6%!vOrFn77*gy0?(K61v OX6;mGR*7xa+y4S@rg?Gz diff --git a/modules/users/users.php b/modules/users/users.php index 971346a..e3d7b26 100644 --- a/modules/users/users.php +++ b/modules/users/users.php @@ -1,6 +1,39 @@ user ); $i++ ) + { + if ( !strcasecmp ( $xml->user[$i]['name'], $_COOKIE['username'] )) + { + $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] ); + + if ( !strcasecmp ( $auth, $_COOKIE['auth'] )) + { + return $xml->user[$i]['name']; + } else { + return "guest"; + } + } + } + + return "guest"; + } + + return "guest"; +} + $action = $_REQUEST['action']; if ( $action == null ) 
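Review bot: `modules/users/.users.php.swp` looks like a Vim swap file for users.php and should not be part of this commit. It sits next to `users.php` in a directory the page requests over HTTP, and web servers typically hand out such files as static content, which would expose fragments of the PHP source being edited. Remove it from the repository and add `*.swp` to the ignore rules.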
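Review bot: The `auth` cookie checked in `getUser()` is `md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] )`, a fixed value derived only from what is stored in the user list, so it never expires, is identical for every login, and can be computed by anyone who can read that stored data. A random per-login token kept on the server (for example PHP's session handling) would let logout and a password change actually invalidate it. The comparison `!strcasecmp ( $auth, $_COOKIE['auth'] )` is also case-insensitive and not constant-time. The opening lines of this hunk are not legible on this page, so the start of the function could not be reviewed.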
@@ -104,40 +137,71 @@ switch ( $action ) } print "Username not found: '$username'\n"; + return 1; break; case 'getuser': - if ( isset ( $_COOKIE['username'] ) && isset ( $_COOKIE['auth'] )) + print getUser(); + return 0; + break; + + case 'logout': + setcookie ( 'username', '', 0, "/" ); + setcookie ( 'auth', '', 0, "/" ); + break; + + case 'changepwd': + $old_pass = $_REQUEST['oldpass']; + $new_pass = $_REQUEST['newpass']; + $user = $_REQUEST['user']; + $cur_user = getUser(); + + // If the current user is not root and he's trying to change someone else's password, STOP HIM! + if ( $cur_user != 'root' && $cur_user != $user ) { - if ( !( $xml = new SimpleXMLElement ( $xmlcontent ))) - { - print "Unable to open the users XML file\n"; - return 1; - } - - for ( $i = 0; $i < count ( $xml->user ) && !$found; $i++ ) - { - if ( !strcasecmp ( $xml->user[$i]['name'], $_COOKIE['username'] )) - { - $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] ); - - if ( !strcasecmp ( $auth, $_COOKIE['auth'] )) - { - print $xml->user[$i]['name']; - return 0; - } else { - print "guest"; - return 1; - } - } - } - - print "guest"; + print "You cannot change the password for the user '$user'\n"; return 1; } - print "guest"; - return 1; + if ( !( $xml = new SimpleXMLElement ( $xmlcontent ))) + { + print "Unable to open the users XML file\n"; + return 1; + } + + for ( $i = 0; $i < count ( $xml->user ); $i++ ) + { + // If we've found the user whose password should be changed... 
+ if ( !strcasecmp ( $xml->user[$i]['name'], $user )) + { + $found = true; + + // If the current user is not root, check his own inserted current password + if ( $cur_user != 'root' ) + { + if ( $xml->user[$i]['pass'] != $old_pass ) + { + print "The provided current password is wrong\n"; + return 1; + } + } + + $xml->user[$i]['pass'] = $new_pass; + + if ( !( $fp = fopen ( 'userlist.php', 'w' ))) + { + print "Unable to change the password for the specified user, unknown error\n"; + return 1; + } + + fwrite ( $fp, "asXML() . "\nXML;\n\n?>\n" ); + fclose ( $fp ); + + print 'Password successfully changed for the user '.$user."\n"; + return 0; + } + } + break; }
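Review bot: In the `changepwd` case, `$new_pass` comes straight from `$_REQUEST` and is written into `userlist.php`, a file that is later loaded as PHP, without any format check; it should be restricted to the value the client is expected to send (assuming its `md5()` returns a 32-digit hex string) before it is stored. The old-password test `$xml->user[$i]['pass'] != $old_pass` is a loose comparison, which PHP can evaluate numerically for digit-and-`e` strings, so a strict string comparison is needed. Reading from `$_REQUEST` also allows this state-changing action to arrive as a plain GET that rides on the user's cookies, so it should read `$_POST` and require a request token; when no user matches, the loop falls through to `break` without any message. The `switch` starts outside the hunk and the `fwrite` string is partly illegible here.

```php
case 'changepwd':
    // … unchanged: reading oldpass/newpass/user, getUser() and the cross-user check …

    // The stored value ends up inside a generated PHP file: accept only an MD5 hex digest.
    if ( !is_string ( $new_pass ) || !preg_match ( '/\A[0-9a-f]{32}\z/i', $new_pass ))
    {
        print "Invalid password value\n";
        return 1;
    }

    // … unchanged: XML load and user lookup loop …
            // Strict string comparison; prefer hash_equals() where the PHP version provides it.
            if ( (string) $xml->user[$i]['pass'] !== (string) $old_pass )
            // … unchanged: error message, password update and file write …
```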