Hi, becouse unhappy of Orso's Changepassword for Squid, Apache and so on I
costructed a change password CGI from myself.
I created a simple HTML page with a post to the CGI
I use ProcCGIInput.sh to read POST input and the variables arrive ESCAPED
coded if some special char is inside.
ProcCGIInput.sh is from:
# Process input to a CGI script. Written and Copyright 1995 Frank Pilhofer
# You may freely use and distribute this code free of charge provided that
# this copyright notice remains. [EMAIL PROTECTED]
and I use it from time in many CGI done by me.
Now with BASH v2 I had serious problems if after a special char even ] or
) was numbers. The string is truncated or modified fucking off the change
password checks and fuctionality.
I taken BASH 3 and compiled with NO OPTIONS IN configure and now 90%
of problems disappeared with no changing in the CGI code.
I had some problems with ] and so to printf I added %b
To eliminate escape sequences from ProcCGIInput.sh I use:
USER=`printf "$FORM_user"`
OLDP=`printf %b "$FORM_oldpw"`
NEWP1=`printf "$FORM_newpw1"`
NEWP2=`printf "$FORM_newpw2"`
Now, I had to remove ! as other chars becouse even with
all the good things that I had with %b and BASH v3 it create troubles!.
If inside the password is !1 or !2 and so on, the string is truncated at
the esclamation mark.
I use a simple WHILE to check chars to enforce policies
while [ $CONTA -lt $LUNG ]; do
ITEM=${PASS:$CONTA:1}
if [[ $ITEM == *[a-zA-Z] ]]; then
let CARAC=CARAC+1
OK=1
fi
if [[ $ITEM == *[0-9]* ]]; then
let NUMBER=NUMBER+1
OK=1
fi
if [ `echo $POSSIBLESC | fgrep "$ITEM"` != "" ]; then
let SPECI=SPECI+1
OK=1
fi
if [ "$OK" = "0" ]; then
BADP=1
fi
# printf ":::>$ITEM:$CONTA:$NEWP1:$FORM_new_pw1:$LUNG"
let CONTA=CONTA+1
OK=0
done
But becouse the string arrive modified obviously the user return a BAD
OLD PASSWORD or New PassWord not correct for policy rule xxxxxx
POSSIBLESC is the var where I putted all the special chars the user could
chose to create its new password.
For sure I'm an intermediate or beginner but I have this kind of problem
and I have seen that with BASH 3 90% of things has been solved.
Have I touse some code inside my script or is a problem of BASH?. How
could I treath a variable ONLY AS A CONTAINER not interpreted or modified
in any way from any kind of feature of BASH or from the system?.
Thanks about sugestions,
Best Regards,
Alberto Colosi
IBM Global Services
IBM Business Consulting Services
Sistemi Informativi S.P.A.
IT/ITS Division
IBM VTS Focal Point per SI
NetWork Control/Operations Center
(NetWork and Security [*Master] office)
SECURITY IS EVERYONE'S BUSINESS
_______________________________________________
Bug-bash mailing list
Bug-bash@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-bash
