##############################################################################
# The Faq-O-Matic is Copyright 1997 by Jon Howell, all rights reserved.      #
#                                                                            #
# This program is free software; you can redistribute it and/or              #
# modify it under the terms of the GNU General Public License                #
# as published by the Free Software Foundation; either version 2             #
# of the License, or (at your option) any later version.                     #
#                                                                            #
# This program is distributed in the hope that it will be useful,            #
# but WITHOUT ANY WARRANTY; without even the implied warranty of             #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
# GNU General Public License for more details.                               #
#                                                                            #
# You should have received a copy of the GNU General Public License          #
# along with this program; if not, write to the Free Software                #
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.#
#                                                                            #
# Jon Howell can be contacted at:                                            #
# 6211 Sudikoff Lab, Dartmouth College                                       #
# Hanover, NH  03755-3510                                                    #
# jonh@cs.dartmouth.edu                                                      #
#                                                                            #
# An electronic copy of the GPL is available at:                             #
# http://www.gnu.org/copyleft/gpl.html                                       #
#                                                                            #
##############################################################################

use strict;

package FAQ::OMatic::submitPass;

use CGI;
use FAQ::OMatic::Item;
use FAQ::OMatic;
use FAQ::OMatic::Auth;
use FAQ::OMatic::I18N;


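# Entry point for the "submitPass" CGI page, the second half of the
# change-password flow started by changePass:
#
#   1. Arriving from changePass (or looping back after a wrong secret):
#      validate the id/password, create a one-time secret (first pass
#      only), store it together with the *pending* crypted password in
#      the IDfile, mail the secret to the user and print a form where
#      the secret can be pasted.
#   2. Arriving with _id/_secret (from the mailed URL or the form):
#      check the secret against the IDfile, promote the pending password
#      to the real one and hand the user a fresh auth cookie.
#
# Reads CGI parameters via FAQ::OMatic::getParams; either prints a page
# or issues a redirect. Error conditions go through FAQ::OMatic::gripe.
sub main {
	my $cgi = FAQ::OMatic::dispatch::cgi();
	my $params = FAQ::OMatic::getParams($cgi);

	if ($params->{'_fromChangePass'} or $params->{'_badSecret'}) {
		_sendSecretAndPrompt($params);
	}
	else {
		_redeemSecret($cgi, $params);
	}
	return;
}

# Branch 1: validate the submitted id/password, create and mail a fresh
# secret when the user comes straight from changePass, then print the
# "paste your secret here" page.
# $params is the hash ref returned by FAQ::OMatic::getParams.
sub _sendSecretAndPrompt {
	my ($params) = @_;

	my $id = $params->{'_id'} || '';
	if (not FAQ::OMatic::validEmail($id)) {
		FAQ::OMatic::gripe('error', gettext("An email address must look like 'name\@some.domain'.")
			."\n"
			.gettexta("If yours (%0) does and I keep rejecting it, please mail the administrator of this FAQ at %1 and tell him or her what's happening.",
				 $id, $FAQ::OMatic::Config::adminEmail));
	}

	# Default to '' so an absent _pass cannot trip the regex below.
	# THANKS to Mark Shaw <mshaw@dal.asp.ti.com> for catching this
	# potential uninitialized value error.
	my $pass = $params->{'_pass'} || '';
	if (not ($pass =~ m/^\S*$/)) {
		FAQ::OMatic::gripe('error', gettext("Your password may not contain spaces or carriage returns."));
	}

	# Only create a secret if user is coming straight from changePass.
	# Don't create ANOTHER secret if this is just the user
	# looping back around after entering a bad secret.
	if ($params->{'_fromChangePass'}) {
		_createAndMailSecret($params, $id, $pass);
	}

	# now tell the user what's going on
	my $rt = '';
	$rt .= FAQ::OMatic::pageHeader($params);

	if ($params->{'_badSecret'}) {
		$rt .= gettext("The secret you entered is not correct.")."\n";
		$rt .= gettext("Did you copy and paste the secret or the URL completely?")
			."\n<p>\n";
	}
	else {
		$rt .= gettexta("I sent email to you at \"%0\". It should arrive soon, containing a URL.",
						$id)
			."\n<p>\n";
	}
	$rt .= gettext("Either open the URL directly, or paste the secret into the form below and click Validate.")
		."\n<p>\n"
		.gettext("Thank you for taking the time to sign up.")
		."\n";

	# makeAref in 'POST' mode opens the <form> that is closed below.
	# _pass is carried along in the form for compatibility; note that
	# _redeemSecret() never reads it -- the pending password is taken
	# from the IDfile, not from the request.
	$rt .= FAQ::OMatic::makeAref('submitPass',
				{	'_id'=>$id,
					'_pass'=>$pass },
				'POST', 0, 'blastAll');
	$rt .= gettext("Secret:")." \n";
	$rt .= "<input type=text name=\"_secret\" value=\"\" size=36>\n";
	$rt .= "<p><input type=submit name=\"_submit\" value=\"".gettext("Validate")."\">\n";
	$rt .= "</form>\n";

	$rt .= FAQ::OMatic::pageFooter($params);
	print $rt;
	return;
}

# Generate a one-time secret for $id, record it in the IDfile alongside
# the crypted *pending* password $pass (the real password is left
# untouched until the secret is redeemed), and mail the secret to $id.
# $params is only consulted for the optional _restart URL.
# Gripes (and does not return normally) if the mail cannot be sent.
sub _createAndMailSecret {
	my ($params, $id, $pass) = @_;

	my $secret = FAQ::OMatic::Entropy::gatherRandomString();
	my $restart = $params->{'_restart'} ||
		FAQ::OMatic::makeAref('faq', {}, 'url', 0, 'blastAll');

	# keep passwords out of the GET request fired up
	# when restarting after an authentication.
	# THANKS to
	# Cream-puff Casper Milquetoast <doughnut@doughnut.net>
	# for reporting this issue.
	my $saveurl = FAQ::OMatic::makeAref($restart,
		{'auth'=>'','pass'=>'','id'=>'',
		 '_id'=>'', '_pass'=>''},
		'url', 'saveTransients');

	# put the secret in the IDfile, but don't put in the new
	# password yet, or we'll have circumvented the whole secret
	# thing. The existing crypted password is preserved; if the file
	# is missing or belongs to someone else it is replaced by a
	# sentinel that can never match.
	my ($idf, $passf, undef, undef, undef, @rest)
		= FAQ::OMatic::Auth::readIDfile($id);
	if ((not defined $passf)
		or (not defined $idf)
		or ($idf ne $id)) {
		$passf = '__INVALID__';
	}
	# we'll store the crypted version to install later
	my $cryptwaitpass = FAQ::OMatic::Auth::cryptPass($pass);

	FAQ::OMatic::Auth::writeIDfile($id,$passf,$secret,$saveurl,$cryptwaitpass,@rest);

	# mail the user the secret url
	my $secreturl = FAQ::OMatic::makeAref('submitPass',
						{	'_id'=>$id,
							'_secret'=>$secret	},
						'url', 0, 'blastAll');
	my $subj = gettext("Your Faq-O-Matic authentication secret");
	my $mesg = gettext("To validate your Faq-O-Matic password, you may either enter this secret into the Validation form:")."\n\n";
	$mesg .= gettext("Secret:")." ".$secret."\n\n";
	$mesg .= gettext("Or access the following URL. Be careful when you copy and paste the URL that the line-break doesn't cut the URL short.");
	$mesg .= "\n\n$secreturl\n\n".gettext("Thank you for using Faq-O-Matic.")."\n\n";
	$mesg .= gettexta("(Note: if you did not sign up to use the Faq-O-Matic, someone else has attempted to log in using your name. Do not access the URL above; it will validate the password that user has supplied. Instead, send mail to %0 and I will look into the matter.)", $FAQ::OMatic::Config::adminEmail );

	# a true return from sendEmail is treated as failure here
	if (FAQ::OMatic::sendEmail($id, $subj, $mesg)) {
		FAQ::OMatic::gripe('error',
			gettexta("I couldn't mail the authentication secret to \"%0\" and I'm not sure why.", $id));
	}
	return;
}

# Branch 2: the user presents the secret received via email (through the
# mailed URL or the Validate form). On a match the pending crypted
# password becomes the real one and the user is redirected to the URL
# saved at changePass time with a fresh auth cookie; otherwise they are
# bounced back to the prompt page for another try.
sub _redeemSecret {
	my ($cgi, $params) = @_;

	my $id = $params->{'_id'};
	my $secret = $params->{'_secret'};
	my ($idf, undef, $secretf, $saveurl, $cryptwaitpassf)
		= FAQ::OMatic::Auth::readIDfile($id);

	# A secret is only valid while one is pending. After writeIDfile()
	# below has run, the secret field of the IDfile is no longer written,
	# so $secretf can come back empty/undef -- a bare `eq` would then
	# accept an empty _secret and mint a cookie for any known id. Both
	# sides must therefore be present, non-empty and identical.
	my $secretOk = (defined $idf and defined $id and $idf eq $id
		and defined $secret and length $secret
		and defined $secretf and length $secretf
		and $secret eq $secretf);
	if (not $secretOk) {
		# if we get the wrong secret, send the user back
		# around to the page with the Validate button (the top case
		# in this file) to give them another chance to enter the secret.
		my $url = FAQ::OMatic::makeAref('submitPass',
			{ '_badSecret'=>1, '_id'=>$id }, 'url');
		FAQ::OMatic::redirect($cgi, $url);
		# Defensive: never fall through to the password install even if
		# redirect() should happen to return.
		return;
	}

	# no secret necessary anymore: install the pending password
	FAQ::OMatic::Auth::writeIDfile($idf, $cryptwaitpassf);
	# generate a cookie. We know it's you by your secret, but
	# we don't have your (uncrypted) password to let you go through the
	# normal password check. So we'll just create a cookie right now.
	my $newauth = "&auth=".FAQ::OMatic::Auth::newCookie($idf);
	FAQ::OMatic::redirect($cgi, $saveurl.$newauth);
	return;
}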

1;