From 403363ae69f7523eb05c34b969d03b29b9f85b12 Mon Sep 17 00:00:00 2001
From: BlackLight <blacklight@autistici.org>
Date: Sun, 26 Dec 2010 18:08:43 +0100
Subject: [PATCH] passwd command added
---
blash.json | 1 +
commands/logout.json | 11 +++
commands/passwd.json | 185 +++++++++++++++++++++++++++++++++++
modules/users/.users.php.swp | Bin 12288 -> 20480 bytes
modules/users/users.php | 118 +++++++++++++++++-----
5 files changed, 288 insertions(+), 27 deletions(-)
create mode 100644 commands/passwd.json
diff --git a/blash.json b/blash.json
index d4e4909..a3accad 100644
--- a/blash.json
+++ b/blash.json
@@ -195,6 +195,7 @@
"logout",
"ls",
"man",
+ "passwd",
"pwd",
"su",
"useradd",
diff --git a/commands/logout.json b/commands/logout.json
index ba3fb45..116ee78 100644
--- a/commands/logout.json
+++ b/commands/logout.json
@@ -17,6 +17,17 @@
shell.user = shell.json.user;
document.cookie = '';
+
+ var users_php = window.location.href;
+ users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' );
+ params = 'action=logout';
+
+ var http = new XMLHttpRequest();
+ http.open ( "POST", users_php, true );
+ http.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" );
+ http.setRequestHeader( "Content-length", params.length );
+ http.setRequestHeader( "Connection", "close" );
+ http.send ( params );
return out;
},
}
diff --git a/commands/passwd.json b/commands/passwd.json
new file mode 100644
index 0000000..84f400b
--- /dev/null
+++ b/commands/passwd.json
@@ -0,0 +1,185 @@
+{
+ "name" : "passwd",
+
+ "info" : {
+ "syntax" : "passwd",
+ "brief" : "Change the user password",
+ },
+
+ "keyOldPassword" : function ( e )
+ {
+ var evt = ( window.event ) ? window.event : e;
+ var key = ( evt.charCode ) ? evt.charCode : evt.keyCode;
+ var oldpassword = document.getElementsByName ( "oldpassword" )[0];
+ var password = document.getElementsByName ( "password" )[0];
+ var passwordText = document.getElementById ( "passwordText" );
+
+ if ( key == 13 && oldpassword.value.length > 0 )
+ {
+ password.style.visibility = 'visible';
+ passwordText.style.visibility = 'visible';
+ password.focus();
+ }
+ },
+
+ "keyPassword" : function ( e )
+ {
+ var evt = ( window.event ) ? window.event : e;
+ var key = ( evt.charCode ) ? evt.charCode : evt.keyCode;
+ var password = document.getElementsByName ( "password" )[0];
+ var repeatPassword = document.getElementsByName ( "repeatPassword" )[0];
+ var repeatPasswordText = document.getElementById ( "repeatPasswordText" );
+
+ if ( key == 13 && password.value.length > 0 )
+ {
+ repeatPassword.style.visibility = 'visible';
+ repeatPasswordText.style.visibility = 'visible';
+ repeatPassword.focus();
+ }
+ },
+
+ "keyRepeatPassword" : function ( e )
+ {
+ var evt = ( window.event ) ? window.event : e;
+ var key = ( evt.charCode ) ? evt.charCode : evt.keyCode;
+ var oldpassword = document.getElementsByName ( "oldpassword" )[0];
+ var password = document.getElementsByName ( "password" )[0];
+ var repeatPassword = document.getElementsByName ( "repeatPassword" )[0];
+ var repeatPasswordText = document.getElementById ( "repeatPasswordText" );
+
+ if ( key == 13 && password.value.length > 0 )
+ {
+ if ( password.value != repeatPassword.value )
+ {
+ shell.cmdOut.innerHTML = 'The passwords do not match';
+ } else {
+ var users_php = window.location.href;
+ users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' );
+ params = 'action=changepwd&user=' + escape ( shell.newuser ) + '&newpass=' + md5 ( password.value );
+
+ if ( shell.curUser != 'root' )
+ {
+ params += '&oldpass=' + md5 ( oldpassword.value );
+ }
+
+ var http = new XMLHttpRequest();
+ http.open ( "POST", users_php, true );
+ http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+ http.setRequestHeader("Content-length", params.length);
+ http.setRequestHeader("Connection", "close");
+
+ http.onreadystatechange = function ()
+ {
+ if ( http.readyState == 4 && http.status == 200 )
+ {
+ if ( http.responseText.length > 0 )
+ {
+ shell.cmdOut.innerHTML = http.responseText;
+ } else {
+ shell.cmdOut.innerHTML = '';
+ }
+
+ shell.refreshPrompt ( false, false );
+ }
+ }
+
+ http.send ( params );
+ shell.cmdOut.innerHTML = '';
+ }
+
+ shell.auto_prompt_focus = true;
+ shell.auto_prompt_refresh = true;
+ shell.refreshPrompt ( false, false );
+ }
+ },
+
+ "action" : function ( arg )
+ {
+ var out = '';
+
+ shell.auto_prompt_focus = false;
+ shell.auto_prompt_refresh = false;
+ shell.newuser = arg;
+ shell.keyOldPassword = this.keyOldPassword;
+ shell.keyPassword = this.keyPassword;
+ shell.keyRepeatPassword = this.keyRepeatPassword;
+
+ var users_php = window.location.href;
+ users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' );
+ params = 'action=getuser';
+
+ var http = new XMLHttpRequest();
+ http.open ( "POST", users_php, true );
+ http.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" );
+ http.setRequestHeader( "Content-length", params.length );
+ http.setRequestHeader( "Connection", "close" );
+
+ http.onreadystatechange = function ()
+ {
+ if ( http.readyState == 4 && http.status == 200 )
+ {
+ if ( shell.__first_cmd )
+ {
+ shell.cmdOut.innerHTML = '<br/>';
+ shell.__first_cmd = false;
+ } else {
+ shell.cmdOut.innerHTML = '';
+ }
+
+ shell.curUser = http.responseText;
+
+ if ( !arg || arg.length == 0 )
+ {
+ shell.newuser = http.responseText;
+ }
+
+ if ( http.responseText == 'root' )
+ {
+ shell.cmdOut.innerHTML += 'New password: <input type="password" ' +
+ 'name="password" class="password" ' +
+ 'onkeyup="shell.keyPassword ( event )"><br/>' +
+ '<span id="repeatPasswordText" style="visibility: hidden">' +
+ 'Repeat new password: </span><input type="password" ' +
+ 'name="repeatPassword" class="password" style="visibility: hidden" ' +
+ 'onkeyup="shell.keyRepeatPassword ( event )"><br/>';
+
+ document.getElementsByName ( 'password' )[0].focus();
+ } else {
+ if ( shell.newuser.length > 0 && shell.newuser != http.responseText )
+ {
+ shell.cmdOut.innerHTML = "You cannot change the password for user '" +
+ shell.newuser + "'";
+
+ shell.refreshPrompt ( false, false );
+ return 1;
+ } else if ( http.responseText == shell.json.user ) {
+ shell.cmdOut.innerHTML = "You cannot change the password for the " +
+ "guest user";
+
+ shell.refreshPrompt ( false, false );
+ return 1;
+ }
+
+ shell.cmdOut.innerHTML += 'Old password: <input type="password" ' +
+ 'name="oldpassword" class="password" ' +
+ 'onkeyup="shell.keyOldPassword ( event )"><br/>' +
+ '<span id="passwordText" style="visibility: hidden">' +
+ 'New password: </span><input type="password" ' +
+ 'name="password" class="password" ' +
+ 'onkeyup="shell.keyPassword ( event )"><br/>' +
+ '<span id="repeatPasswordText" style="visibility: hidden">' +
+ 'Repeat new password: </span><input type="password" ' +
+ 'name="repeatPassword" class="password" style="visibility: hidden" ' +
+ 'onkeyup="shell.keyRepeatPassword ( event )"><br/>';
+
+ document.getElementsByName ( 'oldpassword' )[0].focus();
+ }
+ }
+ }
+
+ http.send ( params );
+ shell.cmdOut.innerHTML = '';
+ return out;
+ },
+}
+
diff --git a/modules/users/.users.php.swp b/modules/users/.users.php.swp
index 74c3fa5ec14fafde2ab681da86a53a03d7ae73bc..df69205fabc55595d66de96cc65ca162ef80c074 100644
GIT binary patch
delta 3700
zcmZojXjs4~o@5Z_>8oI_XUxFBz#zcDAXO&ro2kvXQT#Q(J~P9A1_lNu1_lNt1_lO3
zC}v?`V919k28%H>FfceUFfh#6EGTfEf06=A{e2z=hH74j5|GYc{0s~~`571<@-r|z
z;Adbs!_UBQil2dDBR>Pf27U&H9DW9dOnwFiLw*JZU490JKYR=fKlm6JzVk6K9OYwR
zILODqP|e4{P{zl=V93Y7V8F+~@Q;^);Ri1R!xdfzhU2^p44Zfv7}oGIFf8X~sApKr
z%fPURmw{mdF9Sm_F9SmlFT_EvybKHxybKIJybKK4ybKKKybKI!ybKH?ybKHiybKIC
zco-N?^Dr<R=V4$t#>2qS$HTzT#lyf5#lyhh%frCn$-}_l!Nb5H#>2oM#KXXFotuH-
z5;p_GLT(0z$=nPKecTKTUEK8y44vEz42j$f42Ikc42;|i49B<_7>;r=FihoQV3^3o
zz!1#Ez~IKkz~IEiz~IQm!0>{Tf#Dh_1H)BL28Loz28Jw728K*d28Jk31_nz`1_lXE
z1_p6X28PER3=H=<7#J>bFfg3sU|=}Q!N4$+gMncx2Lpox2LppK2LpqCJqH7W9tQ)%
zH+BYwPwWf~hu9eywz4xYY-DF(*uc)fP|VK2kk8J*V8YJ8pwG_0@P&<m;T;<T!$vj+
zhDB@)3{%+{82s577zEfD7@n~*Fg#^tU|7k@z%YxIfnf?O14BP614B0}149=p14Aq;
z149Ta14A$?1A`MQ1H)ey28Q~dEDQ_>SQr>~voJ7pu`n>yurM%`voJ7}u`n=LurM$f
zvoJ8cVP;@>#>~L5fSG||J~IPD4l@HoDl-FvBQpboAu|JmGBX1MA2S2PKPCo-?@SB~
zADI{!-Y_vRyk=rxxXHx8aE6J2;RF){!*M1ChHXp?46B$J7!-?3ijotHCqGir-aJ9M
zgR7ns3n)r0DJ{xVP)aXNEiO^AW?<l~W#Ht*6a@=|2#^#Oc>=mPIXP=5*Q@ceLoJ$I
zsV+U)KtpWuDHVmu*(&mryH#8!@76J#{8?3Wa<GQ}WK~^>$s0A2nK`Q&CO=ViVPfE%
z{7_#)tePRMG%vX%Ge1uuJ+&mXIJHPYLz7|h1AT@1#1sYwK28P(B`!!-17*VR{0t1=
z_!$_U@iQ>&<7Z%)#m~Snk)MHK0zU&oEk6T8BtHX#DL(^)1V01Ae^55!V_=xW$H0)u
z$H0)v$H1V>$G{-Q$G{-O$G{-S$G~utmx19bF9X9;UIvC4ybKIeco`Tb^D;0bg0fjG
zF9U-#F9X999tH+bo<9T4KGi%73^6<m3}HMB3~D?K4Dvh-49~eC+2sN^1H&n928NT+
zY_ouyfgz8ZfgyvNfkA|ufq|8qf#E+F1H(Tq28P943=I8T3=Dl-3=Cde3=B403=HO6
z3=GCx3=BqGG7JowTnr5ATnr3qTnr4#T#%3u<6>Z7;o8i|vV|kb-j0C*gh6qYRFs;S
z4T^41oN_`4&Vr)Myb=ZVfW+eB^8BI{h2qlW<Wx*8a8nrU;Y?1jfs=D}#N!OC89)gQ
zt6{~(X{9+il?urjiFxU%DGF)%MG7SusS2f_m{iwO0nvI&F?ryW$jQl>mYkDcoT{Lq
zppsUgpb0W~@;R*-5txHv3DMA+fpc<!s;D@`T(FS^FkhtQ7flY()@0-4tY+ZkoLsGK
z%*4q#IZ<7l*H%F#FSR@#q|%yU@-=1c$tQGq^^!}Aic<4R6hOk@V8|?1C@;#-O9wj(
z<TbECoSdAQX$l&XH>ya~E7~fk<maS-O;XSVdmm&MM1_J%a%oXK$Y%<QwhHP+`S~U4
zP(}Ls3Z7|T*TO6XE6Xfa$jdKL0IAebNX|%2&Q{3CELO-b&r`_ED^4vcNlj6JX#lxW
z9OO&}u(c{_`K5U&3bqO*MWv~ex9M1UDQJQn1hJ|-RlO`#0ip&T?&TSvFa{X}GDo2}
zBfm5!MIk8_7E5}1dJLezn=G%YIayVAaeZWdsX}sM9>|S20vzlouwT@{ajFgtJ5Z>A
zLJez}sHvd}gLQ&K3gUQ>gF)V|2gMH9aHN1zNX$!7$VgQ$RwyZ|%*;zyD9MMqU!gcZ
zH#I*mRUtK}7$gt#sE$H#h<|{Bho`S1DC`iiWD6@>G{7ki;tX2_mG~gnz);uVkostK
zknQTRp!5h&K?+DJqSf<K%R%-))xgsRikkeK6u6q?#Nt#1bx3Fyl&7d$ft&=+Qy@!<
zQ%jQb^RqKSIYB*f@_jY7dUbUj1p^%gC4D7GzCcj|a$a6yZmPPD0-8FAJvsU5`K2W&
zmVk;+PZkCSNj6CF32M{)<7Z&_%g?}YkDr0zE<XdqF@6SyBm4{uJNX&v8MgB?Fl^&z
zU|7u0z_5^?fnf?i14A)C149r$14AG`1A{C-1A`<#0|O5~0|N&?0|Prh1H)xL28Q!|
z3=CC#3=Fx@ayA30jJ?Inz;KqAf#D=C1H%buiv`qLiQ#2n@aJV<@aAP;@Zx1)kl?L{
zG*fQ!Ffd%<VPIIy!@w|=hk;=N4+BFF4+BFt4+BFo4+DcS4+8@;4+FyqZU%<q+zbrU
zp-q!eZUzPqZUzPyZUzQtZU%-|Tnr31xEL6&b1^WKaxpOEa4|4sb1^W)a4|4gb1^VT
zaWODRaxpMG<z!%Z$jQKPrJj?4;Q}WE!+A~yhS{794AVIo7@Rm67)&`C7z{ZX7z{WW
z7=CatFnr-)U^v3Tz_6WzfnhTT1H&c`28L1&28Kco1_m<@1_ncD%j5$)1H)!^28Jc<
z3=GrR85jcD85o4v85mx$F)%!5V_;a##=tO#je%hr8w0~cHU@_JUN#1X9ySJscs2%x
zU^WH@FE$1SPc{Yy3pNG@RW?XGf|@LhYzz!<Ss57KutJ(HS6LYt4zMyX>}O?Q*v`tp
zu#T01VF@b(!$ejFhDufjh748)hEP@p20c~=1{GEYhIcFs3~yN&7?!XwFwACQU<hPk
zVDMyNP-YNjVPFtqVPN25VPN>l%)oGjnSo&sGXp~dGXp~<xY;ss<KudGTLN4wK<Wf&
z&8?vl@9gjI?dhrsu7~vX6+mr^qC5pqY0jyyuK-aEX)!>}fl_%2L>gBQYTUrggK37*
z#2NxN149!`fD^{RW?VgPKf<)ZXl&YX>t^6Y4<RLMxJht^K|QGSfP^DCp{|72bGTgx
zcR;-XoQXfiuqeY2!Vt(S0hiQR#9>193J3?l#IXAbCJT!OC?Bh0s2nU6!quRO7iH%0
eKwMayTBM<AJy~5%ZgRG=@Ma&ishrFVwG05DMnA~_
delta 742
zcmZozz}S!=o@5Z_>8oI_XUxFBz#zcDurET)cgJ*wjpDEQ`577hGcYhPF)%PpWME)m
z+-xXto`2#2g-Hr5^%{%}3=PZ>Eg;EX{0s~~`571<@-r|T;%8tu$j`vAil2dD1wRAB
zTz&?I+58L)v-lYp+W8q6TKO3mD)<=~!uc5(%=j4?O!*lY82K3({_-&}eBfhXc*DoQ
z@S2Z-VLKlK!)87PhB!V3hCn_B246k~1|L2KhF`o4^$g#585s8QGB9l9Wnfs#%fPUP
zmw};#mw};xmw~~7mw~~Umw`c_mw`c#mx19A4+Fyw9tMWJJPZswco-Pkc^DWfc^DW<
zco-N8co-P+c^DYnc^DYPc^DX;b2Bik;bvf1&CS42&CS42&dtDJ$<4r^!_B~;!Og&+
z&dtDZj;o%5VGkDr!)`7HhDa_3h5#-G27fLF1_v$%26-+9hJTz441YNp7*29BFdXG%
zVA#RQz_5jrfnhTz14BJ014A_@1A`hT1A`<d1A{0h1A_=B1H&B-28J6P3=Atc7#L=A
zFfdH#U|^WW!N3s7!N3s8!N4HJ!N4HO!N72foq^#>Jv#%#ban=Y4t55HYIX(&Q+5W1
zZ)^+<XV@4RPO~vE^s_NAG_Wx+RIxEIl(I1}6tXce6tFQcII}S@Sg|oMSh6uNXs|Ib
zJZ5EJxX;SKu#A;~VIeC6LjfxTLlP?kLo6!;LkueegB&XZgCr{h!zC65hBGV-3~ek7
z46Q5-3~50u3=G~Z3=HZl3=HBd3=Ets3=ChG85o{0Gcep`W?;C^%)oGonStRVGXukZ
zW(I~$%nS_cm>C$>GBYsDVP;^Mz|6qV&dk8j%FMvf!py+X$P7tOk<1JXQOpbszRU~^
zZ<r=-Y-hE%V_>MA?CB;ydB2j45CfRYz{v?pu3$DuiX*)gA_3xT-mg^5wb{h)B;(|V
G`tks8rg?Gz
diff --git a/modules/users/users.php b/modules/users/users.php
index 971346a..e3d7b26 100644
--- a/modules/users/users.php
+++ b/modules/users/users.php
@@ -1,6 +1,39 @@
<?php
include 'userlist.php';
+
+function getUser ()
+{
+ include 'userlist.php';
+
+ if ( isset ( $_COOKIE['username'] ) && isset ( $_COOKIE['auth'] ))
+ {
+ if ( !( $xml = new SimpleXMLElement ( $xmlcontent )))
+ {
+ return "Unable to open the users XML file\n";
+ }
+
+ for ( $i = 0; $i < count ( $xml->user ); $i++ )
+ {
+ if ( !strcasecmp ( $xml->user[$i]['name'], $_COOKIE['username'] ))
+ {
+ $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] );
+
+ if ( !strcasecmp ( $auth, $_COOKIE['auth'] ))
+ {
+ return $xml->user[$i]['name'];
+ } else {
+ return "guest";
+ }
+ }
+ }
+
+ return "guest";
+ }
+
+ return "guest";
+}
+
$action = $_REQUEST['action'];
if ( $action == null )
@@ -104,40 +137,71 @@ switch ( $action )
}
print "Username not found: '$username'\n";
+ return 1;
break;
case 'getuser':
- if ( isset ( $_COOKIE['username'] ) && isset ( $_COOKIE['auth'] ))
+ print getUser();
+ return 0;
+ break;
+
+ case 'logout':
+ setcookie ( 'username', '', 0, "/" );
+ setcookie ( 'auth', '', 0, "/" );
+ break;
+
+ case 'changepwd':
+ $old_pass = $_REQUEST['oldpass'];
+ $new_pass = $_REQUEST['newpass'];
+ $user = $_REQUEST['user'];
+ $cur_user = getUser();
+
+ // If the current user is not root and he's trying to change someone else's password, STOP HIM!
+ if ( $cur_user != 'root' && $cur_user != $user )
{
- if ( !( $xml = new SimpleXMLElement ( $xmlcontent )))
- {
- print "Unable to open the users XML file\n";
- return 1;
- }
-
- for ( $i = 0; $i < count ( $xml->user ) && !$found; $i++ )
- {
- if ( !strcasecmp ( $xml->user[$i]['name'], $_COOKIE['username'] ))
- {
- $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] );
-
- if ( !strcasecmp ( $auth, $_COOKIE['auth'] ))
- {
- print $xml->user[$i]['name'];
- return 0;
- } else {
- print "guest";
- return 1;
- }
- }
- }
-
- print "guest";
+ print "You cannot change the password for the user '$user'\n";
return 1;
}
- print "guest";
- return 1;
+ if ( !( $xml = new SimpleXMLElement ( $xmlcontent )))
+ {
+ print "Unable to open the users XML file\n";
+ return 1;
+ }
+
+ for ( $i = 0; $i < count ( $xml->user ); $i++ )
+ {
+ // If we've found the user whose password should be changed...
+ if ( !strcasecmp ( $xml->user[$i]['name'], $user ))
+ {
+ $found = true;
+
+ // If the current user is not root, check his own inserted current password
+ if ( $cur_user != 'root' )
+ {
+ if ( $xml->user[$i]['pass'] != $old_pass )
+ {
+ print "The provided current password is wrong\n";
+ return 1;
+ }
+ }
+
+ $xml->user[$i]['pass'] = $new_pass;
+
+ if ( !( $fp = fopen ( 'userlist.php', 'w' )))
+ {
+ print "Unable to change the password for the specified user, unknown error\n";
+ return 1;
+ }
+
+ fwrite ( $fp, "<?php\n\n\$xmlcontent = <<<XML\n" . $xml->asXML() . "\nXML;\n\n?>\n" );
+ fclose ( $fp );
+
+ print 'Password successfully changed for the user '.$user."\n";
+ return 0;
+ }
+ }
+
break;
}