From 948cac6b583bb8dbd43667a2837f3e641d172844 Mon Sep 17 00:00:00 2001 From: BlackLight Date: Sat, 25 Dec 2010 21:52:37 +0100 Subject: [PATCH] Multiuser support improved, su command --- blash.js | 40 +++++++++++++++ blash.json | 7 +-- commands/su.json | 87 ++++++++++++++++++++++++++++++++ commands/whoami.json | 37 +++++++++++++- modules/users/.userlist.php.swp | Bin 12288 -> 0 bytes modules/users/.users.php.swp | Bin 12288 -> 12288 bytes modules/users/userlist.php | 2 +- modules/users/users.php | 79 ++++++++++++++++++++++++++++- 8 files changed, 246 insertions(+), 6 deletions(-) create mode 100644 commands/su.json delete mode 100644 modules/users/.userlist.php.swp diff --git a/blash.js b/blash.js index bc46107..30f6a74 100644 --- a/blash.js +++ b/blash.js @@ -13,6 +13,9 @@ var shell = null; function blash () { /************ ATTRIBUTES **************/ + /** Current user */ + this.user = ''; + /** Object containing the parsed JSON configuration object */ this.json = {}; @@ -75,6 +78,38 @@ function blash () http.send ( null ); } + if ( document.cookie ) + { + if ( document.cookie.match ( 'auth=' ) && document.cookie.match ( 'username=([^;]+);?' )) + { + this.user = RegExp.$1; + var params = 'action=getuser'; + var users_php = window.location.href; + users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' ); + + var xml = new XMLHttpRequest(); + xml.open ( "POST", users_php, true ); + xml.setRequestHeader ( "Content-type", "application/x-www-form-urlencoded" ); + xml.setRequestHeader ( "Content-length", params.length ); + xml.setRequestHeader ( "Connection", "close" ); + + xml.onreadystatechange = function () + { + if ( xml.readyState == 4 && xml.status == 200 ) + { + if ( xml.responseText.length > 0 ) + { + shell.user = xml.responseText; + } else { + shell.user = shell.json.user; + } + } + } + + xml.send ( params ); + } + } + this.prompt.focus(); var json_config = window.location.href; 
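Review bot: In the cookie branch of the second blash.js hunk, `this.user = RegExp.$1;` adopts the `username` cookie value before the server has confirmed it, and the value stays in place if the getuser request never returns 200. The cookie is client-editable, and the `%n` prompt sequence changed in blash.json now returns `shell.user`, which appears to be substituted into `promptText.innerHTML`, so an unvalidated string can end up rendered as markup. Drop the assignment and leave `this.user` empty until the getuser response arrives; the `shell.json.user` fallback added in the third hunk already covers the unauthenticated case. `Content-length` and `Connection` are forbidden request headers for XMLHttpRequest, so the `setRequestHeader` calls for them can be removed here and in su.json and whoami.json.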
@@ -89,6 +124,11 @@ function blash () { shell.json = eval ( '(' + http.responseText + ')' ); + if ( shell.user == '' ) + { + shell.user = shell.json.user; + } + shell.promptText.innerHTML = ( shell.json.promptText ) ? shell.json.promptText : "[%n@%m %W] $ "; shell.promptText.innerHTML = shell.unescapePrompt ( promptText.innerHTML, shell.json.promptSequences ); diff --git a/blash.json b/blash.json index 974ff6c..d8fca3c 100644 --- a/blash.json +++ b/blash.json @@ -24,9 +24,9 @@ "promptSequences" : [ { "sequence" : "%n", - "default_text" : "blacklight", + "default_text" : "guest", "text" : function () { - return shell.json.user; + return shell.user; }, }, { @@ -38,7 +38,7 @@ }, { "sequence" : "%W", - "default_text" : "~", + "default_text" : "/", "text" : function () { return shell.path; }, @@ -195,6 +195,7 @@ "ls", "man", "pwd", + "su", "useradd", "whoami", ], diff --git a/commands/su.json b/commands/su.json new file mode 100644 index 0000000..ea03868 --- /dev/null +++ b/commands/su.json @@ -0,0 +1,87 @@ +{ + "name" : "su", + + "info" : { + "syntax" : "su [username]", + "brief" : "Change user ID or become superuser", + }, + + "action" : function ( arg ) + { + var out = ''; + + if ( !arg || arg.length == 0 ) + { + arg = 'root'; + } + + if ( shell.__first_cmd ) + { + shell.cmdOut.innerHTML = '
'; + shell.__first_cmd = false; + } + + shell.getPassword = this.getPassword; + shell.newuser = arg; + + shell.cmdOut.innerHTML += 'Password: ' + + '
'; + + shell.auto_prompt_focus = false; + shell.auto_prompt_refresh = false; + + this.password = document.getElementsByName ( "password" )[0]; + this.password.focus(); + + return out; + }, + + "getPassword" : function ( e ) + { + var evt = ( window.event ) ? window.event : e; + var key = ( evt.charCode ) ? evt.charCode : evt.keyCode; + var password = document.getElementsByName ( "password" )[0]; + + if ( key == 13 && password.value.length > 0 ) + { + var users_php = window.location.href; + users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' ); + params = 'action=login&user=' + escape ( shell.newuser ) + '&pass=' + md5 ( password.value ); + + var http = new XMLHttpRequest(); + http.open ( "POST", users_php, true ); + http.setRequestHeader ( "Content-type", "application/x-www-form-urlencoded" ); + http.setRequestHeader ( "Content-length", params.length ); + http.setRequestHeader ( "Connection", "close" ); + + http.onreadystatechange = function () + { + if ( http.readyState == 4 && http.status == 200 ) + { + if ( http.responseText.match ( /^Successfully logged in as '(.+?)'\s+(.*)\s*$/i )) + { + var user = RegExp.$1; + var auth = RegExp.$2; + + shell.user = user; + shell.cmdOut.innerHTML = "Successfully logged in as '" + user + "'"; + } else { + shell.cmdOut.innerHTML = ''; + } + + shell.refreshPrompt ( false, false ); + } + } + + http.send ( params ); + + shell.cmdOut.innerHTML = ''; + shell.auto_prompt_focus = true; + shell.auto_prompt_refresh = true; + shell.refreshPrompt ( false, false ); + } + }, +} + diff --git a/commands/whoami.json b/commands/whoami.json index 2e1dbf0..049a868 100644 --- a/commands/whoami.json +++ b/commands/whoami.json @@ -15,7 +15,42 @@ return "whoami: extra operand `" + arg + "'
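Review bot: In `getPassword`, `'&pass=' + md5 ( password.value )` makes the unsalted MD5 digest the actual credential, because users.php compares it directly with the stored `pass` attribute; anyone who obtains the digest can log in without knowing the password. Hashing in the browser does not replace transport protection: send the request over HTTPS and have the server verify against a salted, slow hash (PHP's `password_hash` / `password_verify`). `params` is assigned without `var` and becomes a global, and `escape` mishandles non-ASCII input; `var params = 'action=login&user=' + encodeURIComponent ( shell.newuser ) + '&pass=' + …` addresses both. The success branch writes `user` from the response into `shell.cmdOut.innerHTML` and captures `auth` without using it; `textContent` is the safer sink for the name.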
\n"; } - return shell.json.user + "
\n"; + if ( shell.user == shell.json.user ) + { + return shell.json.user + "
\n"; + } else { + shell.auto_prompt_refresh = false; + + var users_php = window.location.href; + users_php = users_php.replace ( /\/([a-zA-Z\.]+)$/, '/modules/users/users.php' ); + params = 'action=getuser'; + + var http = new XMLHttpRequest(); + http.open ( "POST", users_php, true ); + http.setRequestHeader( "Content-type", "application/x-www-form-urlencoded" ); + http.setRequestHeader( "Content-length", params.length ); + http.setRequestHeader( "Connection", "close" ); + + http.onreadystatechange = function () + { + if ( http.readyState == 4 && http.status == 200 ) + { + if ( http.responseText.length > 0 ) + { + shell.cmdOut.innerHTML = http.responseText + "\n"; + } else { + shell.cmdOut.innerHTML = shell.json.user + "
\n"; + } + + shell.auto_prompt_refresh = true; + shell.refreshPrompt ( false, false ); + } + } + + http.send ( params ); + shell.cmdOut.innerHTML = ''; + return out; + } }, } diff --git a/modules/users/.userlist.php.swp b/modules/users/.userlist.php.swp deleted file mode 100644 index 225fe82e97e1262078188cb7964271ddf855b2d2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI&Jx{_w7zgl!(ZrW%+|Sb$TI4-a*i1}h6XROigH}u1aEC98U%{B@qN}4H$w~bH zuCnNJ!9*4$uH=8ozel*&hRbUMge-ue&jg%Zto>8cDJ`K{p%VHG* z5SS-0(!E@5nH6^n_O{sK8|$5UJFpG`2tWV=5P$##AOHafESP{!Gwh4*l%*_DGC!dS z0|F3$00bZa0SG_<0uX=z1Rwx`1rcz4#yYEv-BQf||K>M1LdA_ zM=|e@R~7^T*MI;7AOHafKmY;|fB*y_0D(moXf+u-X&>$})-WySJaz}t5w7wDPhF)P zQLPoqm3l>b-Cn_?xl*f_y47mERId2NqAdjv60^lJlVvtq&FNB668*o_)Tt(&@Xg8b z6wR&6LB!9gJ3dTeM-=k5;4=0SKaBg1=p60mYJw~6#=aXRF&*qmDna#jXq%T%kAAGV P!yAnT-I^}lGM)9`J$-^S 
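Review bot: In the `else` branch, `shell.auto_prompt_refresh` is set to false before the request but restored only inside `if ( http.readyState == 4 && http.status == 200 )`, so any error response leaves the prompt disabled. Test `http.readyState == 4` on its own, restore the flag and call `shell.refreshPrompt ( false, false )` there, and fall back to `shell.json.user` when the status is not 200. `shell.cmdOut.innerHTML = http.responseText + …` renders the server reply as markup; since the reply is a user name read from the user list, `textContent` or escaping is the safer choice unless names are guaranteed to be limited to `[a-zA-Z0-9_]` when they are created. `params` is again an implicit global, and `return out;` relies on an `out` that is not declared anywhere in this hunk.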
diff --git a/modules/users/.users.php.swp b/modules/users/.users.php.swp index 21565a08a031df67544dafea0e404665a73514e1..74c3fa5ec14fafde2ab681da86a53a03d7ae73bc 100644 GIT binary patch literal 12288 zcmeI2U1%It6vuD(a^6B%3x=ZS&EV5~Q@D_9ONqNy}vB?(Ue`nQ>;e z+cZ@xSnHemV!`TzFH+PBTET)^QSd<&!6GP95mE5LKKLL-i(mh9=VNEnO^F{!DR;_m zvpaL{z32SzIcGNMO!PdkZkXTG-OF&?#MsI0w+){-%-HD%8JnliN5FI75I6|-f^Fb#upG<-zu&;vPv8vr5xfPCgI!<~7zP`_ zx%rHp1t-Dl;23xngunxp3;;7;&I8)5+;fe*n6@FqA89tG22F<1l^fLp=oYZ&_y z90f>U;+5*YQ{bXhryFz8Y~BAuVU;I@G*D_902=34Lk%quokQYD?kVM z?n=hK0WX0Ufd?kQI2Z$WfJNZc6_^`50SlLeK_&MlO60z6M`_Q{Xf39(V)1 z29AN}!PDRnI0zmGj{(Z19bhLI250DxOBchjYLKyqSzFtLFZ9Viyzxa?^BumF-g`bC zW8t}SO$1@C4@$I=X_H9{o5(1BWyt~*Z1VoXi_OvOpZgTMHX{%OHX~k~LBw3xf#A~= zIF4AJ9+HQSXh?o<)$SUkr*ua1*7&IA=vASO$2Rd$tHe8adl34D9tflA;Zt6(g_Ta8 z-@SI@#`WulMm74Zjq^f*w8kL~_yDh(%gMauD!lu=3!WYXG)?3{w0^7QTh5pDha!q% zA)nxooU7#eX!DRWBmy6cbESH`%gVRy3XChnP(jq?L&&6|fdjSOwsI;ur!(TAlPvo#se8nWp}eF5cZIW4<_HbNjXsV@X!~@v zYYax0Mc zVx8~NZOh~pJZ3#J{bp}HO7Ai*zwgYdj_R9HW2K_Z z^i32Ay5=+s>Q>bJ^SFIju0v`<%SMZzW-`;0%L8#|hgo_m+rOh(Xd%ln?3#(MZcSYU Jl_*;y`wNS9Be(zn delta 277 zcmZojXh;xGG6?hZRWR2xW&i>K28KYMNCDl-89SAs6A diff --git a/modules/users/userlist.php b/modules/users/userlist.php index 29108df..5111870 100644 --- a/modules/users/userlist.php +++ b/modules/users/userlist.php @@ -3,7 +3,7 @@ $xmlcontent = << - + XML; diff --git a/modules/users/users.php b/modules/users/users.php index e381134..971346a 100644 --- a/modules/users/users.php +++ b/modules/users/users.php @@ -27,7 +27,7 @@ switch ( $action ) if ( preg_match ( '/[^a-zA-Z0-9]/', $password ) || strlen ( $password ) != 32 ) { - print "The provided password '$password' is not a valid hash\n"; + print "The provided password is not a valid hash\n"; return 1; } 
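Review bot: `modules/users/.users.php.swp` is still tracked and rewritten by this commit; the name matches an editor swap file, which can hold fragments of the users.php buffer, and it sits in the same web-reachable directory that blash.js requests `users.php` from, where it would be served as a plain file rather than executed. Remove it from the repository and ignore `*.swp`. The deleted `.userlist.php.swp` remains in history, so any password hashes it captured from userlist.php should be treated as exposed and rotated.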
@@ -62,6 +62,83 @@ switch ( $action ) print 'User "'.$username.' successfully added, home directory set to "/home/'.$username."\"\n"; break; + + case 'login': + $username = $_REQUEST['user']; + $password = $_REQUEST['pass']; + + if ( !( $username != null && $password != null )) + { + die (""); + } + + if ( preg_match ( '/[^a-zA-Z0-9_]/', $username )) + { + print "The username can only contain characters in the charset '[a-zA-Z0-9_]'\n"; + return 1; + } + + if ( !( $xml = new SimpleXMLElement ( $xmlcontent ))) + { + print "Unable to open the users XML file\n"; + return 1; + } + + for ( $i = 0; $i < count ( $xml->user ) && !$found; $i++ ) + { + if ( !strcasecmp ( $xml->user[$i]['name'], $username )) + { + if ( strcasecmp ( $xml->user[$i]['pass'], $password )) + { + print "Wrong password provided for user '$username'\n"; + return 1; + } else { + $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] ); + setcookie ( 'username', $xml->user[$i]['name'], 0, "/" ); + setcookie ( 'auth', $auth, 0, "/" ); + + print "Successfully logged in as '$username' $auth\n"; + return 0; + } + } + } + + print "Username not found: '$username'\n"; + break; + + case 'getuser': + if ( isset ( $_COOKIE['username'] ) && isset ( $_COOKIE['auth'] )) + { + if ( !( $xml = new SimpleXMLElement ( $xmlcontent ))) + { + print "Unable to open the users XML file\n"; + return 1; + } + + for ( $i = 0; $i < count ( $xml->user ) && !$found; $i++ ) + { + if ( !strcasecmp ( $xml->user[$i]['name'], $_COOKIE['username'] )) + { + $auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] ); + + if ( !strcasecmp ( $auth, $_COOKIE['auth'] )) + { + print $xml->user[$i]['name']; + return 0; + } else { + print "guest"; + return 1; + } + } + } + + print "guest"; + return 1; + } + + print "guest"; + return 1; + break; } ?>
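Review bot: In `case 'login'`, `$auth = md5 ( $xml->user[$i]['name'] . $xml->user[$i]['pass'] )` yields a cookie that is fixed for the lifetime of the password and derivable from the user list alone, so it is a password-equivalent token with no server secret, expiry or revocation; `getuser` recomputes the same value. Issue a random per-login token (or use a PHP session with `session_regenerate_id ( true )` on login) and set the cookie with the `secure` flag. Compare digests with `hash_equals` rather than `strcasecmp`, read credentials from `$_POST` instead of `$_REQUEST` so they cannot arrive in a query string and end up in logs, and return one message such as `print "Invalid username or password\n";` for both the unknown-user and wrong-password paths. `$found` is tested in both `for` conditions but never assigned in the visible code.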