X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=update.cgi;h=6ddfd9cd6ab9fc396b984145082747b9ceefd992;hb=002e2dc9c412f975aacb3f25b14977a73fe98d2c;hp=716faa936390815e225316722ca1220c5277f7e8;hpb=7e3253a8e182b7f49f222a760af741dbd27f8367;p=mirror%2Fuserdir-ldap-cgi.git diff --git a/update.cgi b/update.cgi index 716faa9..6ddfd9c 100755 --- a/update.cgi +++ b/update.cgi @@ -82,8 +82,9 @@ if (!($query->param('doupdate'))) { # First do the easy stuff - this catches most of the cases foreach (keys(%$entry)) { $data{$_} = $entry->{$_}->[0]; + $data{$_} = CGI::escapeHTML($data{$_}) if defined $data{$_}; } - + $data{gender} = 9 if not $data{gender}; # Now we have to fill in the rest that needs some processing... @@ -92,6 +93,7 @@ if (!($query->param('doupdate'))) { $data{editdn} = $editdn; $data{staddress} = $entry->{postaladdress}->[0]; $data{staddress} =~ s/\$/\n/; + $data{staddress} = CGI::escapeHTML($data{staddress}); $data{countryname} = &Util::LookupCountry($data{c}); if ($data{mailgreylisting} eq "TRUE") { @@ -105,8 +107,10 @@ if (!($query->param('doupdate'))) { } else { $data{mailcallout} = ""; } + + $data{mailcontentinspectionaction} ||= 'reject'; - $data{email} = join(", ", @{$entry->{emailforward}}); + $data{email} = CGI::escapeHTML(join(", ", @{$entry->{emailforward}})); my $genderselect = ''; + my $mailcontentselect = ' (delete)\n"; + + (delete)\n"; $sudopassword .= $e; if ($status eq 'unconfirmed') { - my $data = join(':', 'confirm-new-password', $uuid, $hosts, $crypted); + my $data = join(':', 'confirm-new-password', 'sudo', $data{'uid'}, $uuid, $hosts, $crypted); my $hmac = hmac_sha1_hex( $data, $hmac_key); - $confirmstring .= "confirm sudopassword $uuid $hosts $hmac\n"; + $confirmstring .= CGI::escapeHTML("confirm sudopassword $uuid $hosts $hmac\n"); } }; if ($confirmstring ne '') { @@ -158,6 +181,7 @@ if (!($query->param('doupdate'))) { while () { s/~(.+?)~/$data{$1}/g; s/<\?genderselect>/$genderselect/; + s/<\?mailcontentselect>/$mailcontentselect/; s/<\?sudopassword>/$sudopassword/; s/<\?sudopasswordhosts>/$sudopasswordhosts/; s/<\?confirmstring>/$confirmstring/; @@ -176,7 +200,10 @@ if (!($query->param('doupdate'))) { # Actually update stuff... my ($newpassword, $newstaddress); - &Util::FixParams($query); + # Good god, why would we want to do that here? it breaks password setting + # etc, and it doesn't prevent people from setting eveil stuff in ldap + # directly. + # &Util::FixParams($query); if (($query->param('labeleduri')) && ($query->param('labeleduri') !~ /^https?:\/\//i)) { @@ -236,7 +263,7 @@ if (!($query->param('doupdate'))) { my ($lat, $long); ($lat, $long) = &Util::CheckLatLong($query->param('latitude'), $query->param('longitude')); - my ($greylisting, $callout); + my ($greylisting, $callout, $mailcontentinspection); $greylisting = $query->param('mailgreylisting'); if (!$greylisting or $greylisting ne "TRUE") { @@ -248,6 +275,11 @@ if (!($query->param('doupdate'))) { $callout = "FALSE"; } + $mailcontentinspection = $query->param('mailcontentinspection'); + if (!$mailcontentinspection or ($mailcontentinspection ne "blackhole" and $mailcontentinspection ne "markup")) { + $mailcontentinspection = "reject"; + } + my $newsudo; my $newsudo_hosts; if ($query->param('newsudopass') && $query->param('newsudopassvrfy')) { @@ -312,6 +344,7 @@ if (!($query->param('doupdate'))) { &Util::LDAPUpdate($ldap, $editdn, 'birthDate', $query->param('birthdate')) if $bd_ok; &Util::LDAPUpdate($ldap, $editdn, 'mailDisableMessage', $query->param('maildisablemessage')); &Util::LDAPUpdate($ldap, $editdn, 'mailCallout', $callout); + &Util::LDAPUpdate($ldap, $editdn, 'mailContentInspectionAction', $mailcontentinspection); &Util::LDAPUpdate($ldap, $editdn, 'mailGreylisting', $greylisting); &Util::LDAPUpdate($ldap, $editdn, 'sudoPassword', \@keepsudo);