X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=1f63e683fa6490beb738a2a28be88eb8a35f4828;hb=refs%2Fheads%2Fsalsa;hp=32985d1c2c5f6a78714798e80a58395cd7b2f0c6;hpb=1315e069f61f849e597587489bed21173ef812be;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index 32985d1..1f63e68 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -33,6 +33,8 @@ ChPassFrom = ConfModule.chpassfrom ChangeFrom = ConfModule.changefrom ReplayCacheFile = ConfModule.replaycachefile SSHFingerprintFile = ConfModule.fingerprintfile +TOTPTicketDirectory = ConfModule.totpticketdirectory +WebUILocation = ConfModule.webuilocation UUID_FORMAT = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' machine_regex = re.compile("^[0-9a-zA-Z.-]+$") @@ -329,10 +331,11 @@ def DoSSH(Str, Attrs, badkeys, uid): Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1]) ErrReply = TemplateSubst(Subst, open(TemplatesDir + "admin-info", "r").read()) - Child = os.popen("/usr/sbin/sendmail -t", "w") - Child.write(ErrReplyHead) - Child.write(ErrReply) - if Child.close() is not None: + Child = subprocess.Popen(['/usr/sbin/sendmail', '-t'], stdin=subprocess.PIPE) + Child.stdin.write(ErrReplyHead) + Child.stdin.write(ErrReply) + Child.stdin.close() + if Child.wait() != 0: raise UDExecuteError("Sendmail gave a non-zero return code") except Exception: sys.exit(EX_TEMPFAIL) @@ -369,6 +372,10 @@ def DoDNS(Str, Attrs, DnRecord): aaaarecord is None: return None + # Check for punycode. We ought to validate it before we allow it in our zone. + if Str.lower().startswith('xn--'): + return "Punycode not allowed: " + Str + # Check if the name is already taken G = re.match(r'^([-\w+]+)\s', Str) if G is None: @@ -433,7 +440,7 @@ def DoDNS(Str, Attrs, DnRecord): if p == "": if seenEmptypart: return "Invalid IPv6 address (%s): more than one :: (nothing in between colons) is not allowed" % (ipv6address) - seenEmptypart = True + seenEmptypart = True sanitized = "%s IN AAAA %s" % (hostname, ipv6address) else: raise UDFormatError("None of the types I recognize was it. I shouldn't be here. confused.") @@ -684,7 +691,10 @@ def HandleChPass(Reply, DnRecord, Key): def HandleChTOTPSeed(Reply, DnRecord, Key): # Generate a random seed seed = binascii.hexlify(open("/dev/urandom", "r").read(32)) - msg = GPGEncrypt("Your new TOTP seed is '%s'\n" % (seed,), "0x" + Key[1], Key[4]) + random_id = binascii.hexlify(open("/dev/urandom", "r").read(32)) + totp_file_name = "%d-%s" % (time.time(), random_id,) + + msg = GPGEncrypt("Please go to %s/fetch-totp-seed.cgi?id=%s\n to fetch your TOTP seed" % (WebUILocation, totp_file_name), "0x" + Key[1], Key[4]) if msg is None: raise UDFormatError("Unable to generate the encrypted reply, gpg failed.") @@ -697,6 +707,12 @@ def HandleChTOTPSeed(Reply, DnRecord, Key): Reply += TemplateSubst(Subst, open(TemplatesDir + "totp-seed-changed", "r").read()) lc = connect_to_ldap_and_check_if_locked(DnRecord) + # Save the seed so the user can pick it up. + f = open(os.path.join(TOTPTicketDirectory, totp_file_name), os.O_WRONLY | os.O_CREAT) + print >> f, seed + print >> f, GetAttr(DnRecord, "uid") + f.close() + # Modify the password Rec = [(ldap.MOD_REPLACE, "totpSeed", seed)] Dn = "uid=" + GetAttr(DnRecord, "uid") + "," + BaseDn @@ -843,10 +859,10 @@ try: # Send the message through sendmail ErrMsg = "A problem occured while trying to send the reply" - Child = os.popen("/usr/sbin/sendmail -t", "w") - # Child = os.popen("cat","w") - Child.write(Reply) - if Child.close() is not None: + Child = subprocess.Popen(['/usr/sbin/sendmail', '-t'], stdin=subprocess.PIPE) + Child.stdin.write(Reply) + Child.stdin.close() + if Child.wait() != 0: raise UDExecuteError("Sendmail gave a non-zero return code") except Exception: @@ -872,10 +888,11 @@ except Exception: try: ErrReply = TemplateSubst(Subst, open(TemplatesDir + "error-reply", "r").read()) - Child = os.popen("/usr/sbin/sendmail -t -oi -f ''", "w") - Child.write(ErrReplyHead) - Child.write(ErrReply) - if Child.close() is not None: + Child = subprocess.Popen(['/usr/sbin/sendmail', '-t', '-oi', '-f', ''], stdin=subprocess.PIPE) + Child.stdin.write(ErrReplyHead) + Child.stdin.write(ErrReply) + Child.stdin.close() + if Child.wait() != 0: raise UDExecuteError("Sendmail gave a non-zero return code") except Exception: sys.exit(EX_TEMPFAIL)