X-Git-Url: https://git.treefish.org/fex.git/blobdiff_plain/7fa382617fbaccc0ce522b2b3adbbee9db5ad227..20150826:/cgi-bin/fuc?ds=inline diff --git a/cgi-bin/fuc b/cgi-bin/fuc index 864a3de..661c897 100755 --- a/cgi-bin/fuc +++ b/cgi-bin/fuc @@ -1,19 +1,16 @@ #!/usr/bin/perl -wT -# FEX CGI for user control +# FEX CGI for user control # (subuser, groups, address book, one time upload key, auth-ID, etc) # # Author: Ulli Horlacher # -use CGI qw(:standard); -use CGI::Carp qw(fatalsToBrowser); +BEGIN { ($ENV{PERLINIT}||'') =~ /(.+)/s and eval $1 } + use Fcntl qw(:flock); use Digest::MD5 qw(md5_hex); -$CGI::LIST_CONTEXT_WARN = 0; -$CGI::LIST_CONTEXT_WARN = 0; - # add fex lib ($FEXLIB) = $ENV{FEXLIB} =~ /(.+)/; die "$0: no $FEXLIB\n" unless -d $FEXLIB; @@ -49,10 +46,12 @@ if ($qs) { if ($qs =~ /ab=load/) { $ab = 'load' } } -# look for CGI POST parameters -foreach my $v (param) { - my $vv = param($v); - debuglog("Param: $v=\"$vv\""); +# look for CGI parameters +our %PARAM; +&parse_parameters; +foreach my $v (keys %PARAM) { + my $vv = $PARAM{$v}; + # debuglog("Param: $v=\"$vv\""); if ($v =~ /^akey$/i) { $akey = $1 if $vv =~ /^(\w+)$/; next; @@ -65,7 +64,7 @@ foreach my $v (param) { $v =~ /^notification$/i ? $notification = checkchars('parameter',$vv): $v =~ /^disclaimer$/i ? $disclaimer = $vv: $v =~ /^encryption$/i ? $encryption = checkchars('parameter',$vv): - $v =~ /^pubkey$/i ? $pubkey = $vv: + $v =~ /^pubkey$/i ? $pubkey = $PARAM{$v}{data}: $v =~ /^reminder$/i ? $reminder = checkchars('parameter',$vv): $v =~ /^mime$/i ? $mime = checkchars('parameter',$vv): $v =~ /^comment$/i ? $comment = decode_utf8(normalize($vv)): @@ -79,7 +78,10 @@ foreach my $v (param) { $ESAC; } -$group = lc $group if $group and $group ne 'NEW'; +if ($group and $group ne 'NEW') { + $group = lc $group; + $group =~ s/[^\w\*%^+=:,.!-]/_/g; +} $group = '' if $nomail; $user .= '@'.$mdomain if $mdomain and $user !~ /@/; 
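Review bot: The added `BEGIN { ($ENV{PERLINIT}||'') =~ /(.+)/s and eval $1 }` string-evals an environment variable in a script that runs with `-wT`, and the catch-all `(.+)` capture untaints the value, so taint mode no longer objects to it. Whatever can set PERLINIT in the CGI's environment (server configuration, a wrapper script, an inherited service environment) therefore runs arbitrary Perl before any of the script's own checks. If this is a debugging or site-customisation hook, it should not ship in the deployed CGI, or it should load a fixed admin-owned file instead of evaluating a string. At minimum the line needs a comment such as `# PERLINIT is eval'ed as Perl code; it must only be settable by the server administrator`. The same blanket `/(.+)/` untaint is applied to `$ENV{FEXLIB}` in the context lines of this hunk.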
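Review bot: The loop treats `$vv = $PARAM{$v}` as a plain string in every arm, but the `pubkey` arm in the following hunk reads `$PARAM{$v}{data}`, so `%PARAM` values evidently come in two shapes and neither use checks which one it received. parse_parameters is not visible here; if the client decides whether a field arrives as a file part or as an ordinary field, a string-valued `pubkey` is dereferenced as a symbolic hash name (no `use strict` is visible in the file) and a hash-valued field elsewhere is matched as `HASH(0x...)`. A shape check closes both cases: test `ref $PARAM{$v} eq 'HASH'` before taking `{data}`, and skip or reject reference values for all other parameters. Separately, `&parse_parameters;` passes the caller's `@_` through implicitly and reads better as `parse_parameters();`. The loop body continues outside both hunks.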
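Review bot: The new filter `s/[^\w\*%^+=:,.!-]/_/g` keeps `.`, so a group value of `.` or `..` passes through unchanged, and it also keeps the glob and shell metacharacters `*`, `%`, `!` and `^`. How `$group` is used is outside this hunk; if it ever becomes a file or directory name, dot-only names should be rejected explicitly, for example `http_die("illegal group name") if $group =~ /^\.+$/;`. Depending on locale and string encoding `\w` can also match non-ASCII word characters, so spelling the class as `a-z0-9_` (the value is already lower-cased) pins it to ASCII if that is the intent. The literal `NEW` skips both the lower-casing and the filter, which deserves a one-line comment saying it is a reserved keyword and never a stored name.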
@@ -89,11 +91,11 @@ if ($akey) { # sid is not set with web browser my $idf = "$akeydir/$akey/@"; - + if (open $akey,'<',$idf and $id = getline($akey)) { close $akey; $idf =~ /(.*)\/\@/; - $user = readlink $1 + $user = readlink $1 or http_die("internal server error: no $akey symlink $1"); $user =~ s:.*/::; $user = untaint($user); @@ -121,7 +123,7 @@ if ($user and $akey and $qs and $qs =~ /info=(.+?)&skey=(.+)/) { if ($user and $id) { - if (-e "$user/\@CAPTIVE") { html_error($error,"captive user") } + if (-e "$user/\@CAPTIVE") { html_error($error,"captive user") } unless (open $idf,'<',"$user/@") { faillog("user $from, id $id"); html_error($error,"wrong user or auth-ID"); @@ -151,9 +153,9 @@ if ($user and $id) { } # empty POST? ==> back to foc -if ($ENV{REQUEST_METHOD} eq 'POST' and not +if ($ENV{REQUEST_METHOD} eq 'POST' and not ($subuser or $notify or $nid or $ssid or $group or $ab or $gm or $tools - or $disclaimer or $encryption or $pubkey)) + or $disclaimer or $encryption or $pubkey)) { nvt_print( "HTTP/1.1 302 Found", @@ -222,7 +224,7 @@ if ($subuser and $otuser) { my $okey = randstring(8); my $okeyd = "$user/\@OKEY"; mkdir $okeyd; - symlink $otuser,"$okeyd/$okey" + symlink $otuser,"$okeyd/$okey" or http_die("cannot create OKEY $okeyd/$okey : $!\n"); my $url = "$fup?to=$user&okey=$okey"; pq(qq( @@ -353,10 +355,11 @@ if ($user and $akey and defined $ab) { 'back to F*EX operation control' '' )); + exit; } else { $ab =~ s/[\r<>]//g; $ab =~ s/\s*$/\n/; - + foreach (split(/\n/,$ab)) { s/^\s+//; s/\s+$//; @@ -376,7 +379,7 @@ if ($user and $akey and defined $ab) { push @badalias,$_; } } - + if (@badalias) { print "

ERROR: bad aliases:

\n