X-Git-Url: https://git.treefish.org/fex.git/blobdiff_plain/7fa382617fbaccc0ce522b2b3adbbee9db5ad227..20160919:/cgi-bin/fuc?ds=inline diff --git a/cgi-bin/fuc b/cgi-bin/fuc index 864a3de..897fd69 100755 --- a/cgi-bin/fuc +++ b/cgi-bin/fuc @@ -1,19 +1,17 @@ #!/usr/bin/perl -wT -# FEX CGI for user control +# FEX CGI for user control # (subuser, groups, address book, one time upload key, auth-ID, etc) # # Author: Ulli Horlacher # -use CGI qw(:standard); -use CGI::Carp qw(fatalsToBrowser); +BEGIN { ($ENV{PERLINIT}||'') =~ /(.+)/s and eval $1 } + +use utf8; use Fcntl qw(:flock); use Digest::MD5 qw(md5_hex); -$CGI::LIST_CONTEXT_WARN = 0; -$CGI::LIST_CONTEXT_WARN = 0; - # add fex lib ($FEXLIB) = $ENV{FEXLIB} =~ /(.+)/; die "$0: no $FEXLIB\n" unless -d $FEXLIB; @@ -49,10 +47,12 @@ if ($qs) { if ($qs =~ /ab=load/) { $ab = 'load' } } -# look for CGI POST parameters -foreach my $v (param) { - my $vv = param($v); - debuglog("Param: $v=\"$vv\""); +# look for CGI parameters +our %PARAM; +&parse_parameters; +foreach my $v (keys %PARAM) { + my $vv = $PARAM{$v}; + # debuglog("Param: $v=\"$vv\""); if ($v =~ /^akey$/i) { $akey = $1 if $vv =~ /^(\w+)$/; next; @@ -65,7 +65,7 @@ foreach my $v (param) { $v =~ /^notification$/i ? $notification = checkchars('parameter',$vv): $v =~ /^disclaimer$/i ? $disclaimer = $vv: $v =~ /^encryption$/i ? $encryption = checkchars('parameter',$vv): - $v =~ /^pubkey$/i ? $pubkey = $vv: + $v =~ /^pubkey$/i ? $pubkey = $PARAM{$v}{data}: $v =~ /^reminder$/i ? $reminder = checkchars('parameter',$vv): $v =~ /^mime$/i ? $mime = checkchars('parameter',$vv): $v =~ /^comment$/i ? $comment = decode_utf8(normalize($vv)): @@ -75,25 +75,52 @@ foreach my $v (param) { $v =~ /^group$/i ? $group = checkchars('group',$vv): $v =~ /^ab$/i ? $ab = $vv: $v =~ /^gm$/i ? $gm = $vv: - $v =~ /^show$/i ? $tools = checkchars('parameter',$vv): + $v =~ /^show$/i ? $show = checkchars('parameter',$vv): $ESAC; } -$group = lc $group if $group and $group ne 'NEW'; +if ($group and $group ne 'NEW') { + $group = lc $group; + $group =~ s/[^\w\*%^+=:,.!-]/_/g; +} $group = '' if $nomail; $user .= '@'.$mdomain if $mdomain and $user !~ /@/; $nomail = $comment if $comment =~ /NOMAIL|!#!/; +if ($show and $show eq 'tools') { + nvt_print( + "HTTP/1.1 302 Found", + "Location: /tools.html", + 'Expires: 0', + 'Content-Length: 0', + '' + ); + &reexec; + + if (open $tools,"$docdir/tools.html") { + while (<$tools>) { + while (/\$([\w_]+)\$/) { + my $var = $1; + my $env = $ENV{$var} || ''; + s/\$$var\$/$env/g; + }; + print; + } + } + exit; +} + + if ($akey) { # sid is not set with web browser my $idf = "$akeydir/$akey/@"; - + if (open $akey,'<',$idf and $id = getline($akey)) { close $akey; $idf =~ /(.*)\/\@/; - $user = readlink $1 + $user = readlink $1 or http_die("internal server error: no $akey symlink $1"); $user =~ s:.*/::; $user = untaint($user); @@ -108,7 +135,7 @@ if ($akey) { if ($user and $akey and $qs and $qs =~ /info=(.+?)&skey=(.+)/) { $subuser = $1; $skey = $2; - notify_subuser($user,$subuser,"$fup?skey=$skey",$comment); + notify_subuser($user,$subuser,"$fup?skey=$skey#$user",$comment); http_header("200 OK"); print html_header($head); pq(qq( @@ -121,7 +148,7 @@ if ($user and $akey and $qs and $qs =~ /info=(.+?)&skey=(.+)/) { if ($user and $id) { - if (-e "$user/\@CAPTIVE") { html_error($error,"captive user") } + if (-e "$user/\@CAPTIVE") { html_error($error,"captive user") } unless (open $idf,'<',"$user/@") { faillog("user $from, id $id"); html_error($error,"wrong user or auth-ID"); @@ -151,9 +178,9 @@ if ($user and $id) { } # empty POST? ==> back to foc -if ($ENV{REQUEST_METHOD} eq 'POST' and not - ($subuser or $notify or $nid or $ssid or $group or $ab or $gm or $tools - or $disclaimer or $encryption or $pubkey)) +if ($ENV{REQUEST_METHOD} eq 'POST' and not + ($subuser or $notify or $nid or $ssid or $group or $ab or $gm + or $disclaimer or $encryption or $pubkey)) { nvt_print( "HTTP/1.1 302 Found", @@ -179,31 +206,6 @@ if ($gm and not $group) { exit; } -if ($tools) { - pq(qq( - 'To use one of the following F*EX clients you must configure them after' - 'download:' - '

' - '' - ' ' - ' ' - ' ' - ' ' - '
F*EX server:$ENV{PROTO}://$ENV{HTTP_HOST}
Proxy:(your web proxy address, may be empty)
User:$user
Auth-ID:$id
' - )); - if (open $tools,"$docdir/tools.html") { - while (<$tools>) { - while (/\$([\w_]+)\$/) { - my $var = $1; - my $env = $ENV{$var} || ''; - s/\$$var\$/$env/g; - }; - print; - } - } - exit; -} - if ($group) { &handle_group; } @@ -222,7 +224,7 @@ if ($subuser and $otuser) { my $okey = randstring(8); my $okeyd = "$user/\@OKEY"; mkdir $okeyd; - symlink $otuser,"$okeyd/$okey" + symlink $otuser,"$okeyd/$okey" or http_die("cannot create OKEY $okeyd/$okey : $!\n"); my $url = "$fup?to=$user&okey=$okey"; pq(qq( @@ -353,10 +355,11 @@ if ($user and $akey and defined $ab) { 'back to F*EX operation control' '' )); + exit; } else { $ab =~ s/[\r<>]//g; $ab =~ s/\s*$/\n/; - + foreach (split(/\n/,$ab)) { s/^\s+//; s/\s+$//; @@ -376,7 +379,7 @@ if ($user and $akey and defined $ab) { push @badalias,$_; } } - + if (@badalias) { print "

ERROR: bad aliases:

\n