Better salt

[mirror/userdir-ldap-cgi.git] / Util.pm

diff --git a/Util.pm b/Util.pm
index e97a9e9..f6be1ed 100644 (file)
--- a/Util.pm
+++ b/Util.pm
@@ -7,7 +7,7 @@ package Util;
 
 use strict;
 use Date::Manip qw(ParseDate);
-use Net::LDAP qw(:all);
+use Net::LDAP qw(LDAP_SUCCESS LDAP_PROTOCOL_ERROR);
 use English;
 
 my $blocksize = 8; # A blowfish block is 8 bytes
@@ -50,6 +50,22 @@ sub CreateCryptSalt {
   return ($md5 ? "\$1\$$out\$" : $out);
 }
 
+sub CreateMD5Salt {
+  my $validstr = './0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+  my @valid = split(//,$validstr);
+  my ($in, $out);
+  
+  my $cryptsaltlen = 8;
+  
+  open (F, "</dev/urandom") || die &HTMLError("No /dev/urandom found!");
+  foreach (1..$cryptsaltlen) {
+    read(F, $in, 1);
+    $out .= $valid[ord($in) % ($#valid + 1)];
+  }
+  close F;
+  return $out;
+}
+
 sub Encrypt { 
   # blowfish only encrypts things in blocks of 8 bytes, so we
   # need a custom routine that handles longer strings....
@@ -228,16 +244,21 @@ sub FormatLastSeen {
   my ($d1, $d2, $lastseen);
 
   return "<b>No activity detected</b>" if (!$lastseenpgp && !$lastseenfrom);
+  $lastseen = $lastseenpgp;
   $lastseen = $lastseenfrom if (!$lastseenpgp);
 
   if ($lastseenfrom && $lastseenpgp) {
-    ($d1) = ($lastseenpgp =~ /^\[(.+?)\]/); $d1 = ParseDate($d1);  
+    ($d1) = ($lastseenpgp =~ /^\[(.+?)\]/); $d1 = ParseDate($d1);
     ($d2) = ($lastseenfrom =~ /^\[(.+?)\]/); $d2 = ParseDate($d2);
     $lastseen = (($d1 gt $d2) ? $lastseenpgp : $lastseenfrom);
   }
 
-  my ($date,$user,$list,$msgid) = ($lastseen =~ /^\[(.+?)\]\s+"(.+?)"\s+"(?:<(.+?)>.*?|\-)"\s+"<(.+?)>"/);
+  my ($date,$user,$list,$msgid) = ($lastseen =~ /^\[(.+?)\]\s+"(.+?)"\s+"(?:<(.+?)>.*?|\-)"\s+"(<.+?>)"/);
   $list = "on $list" if ($list);
+  $date = CGI::escapeHTML($date);
+  $user = CGI::escapeHTML($user);
+  $list = CGI::escapeHTML($list);
+  $msgid = CGI::escapeHTML($msgid);
   return "$date $list<br>&nbsp;Message ID: $msgid";
 }
 
@@ -349,12 +370,12 @@ sub UpgradeConnection($) {
   my ($ldap) = @_;
   my $mesg = $ldap->start_tls(
                           verify => 'require',
-                          capath => '/etc/ssl/certs/'
+                          cafile => '/etc/ssl/certs/spi-cacert-2008.pem'
                           );
   $mesg->sync;
   if ($mesg->code != LDAP_SUCCESS) {
     print "Content-type: text/html; charset=utf-8\n\n";
-    print "<html><body><h1>STARTTLS failed: "..$mesg->error."</h1></body></html>\n";
+    print "<html><body><h1>STARTTLS failed: ".$mesg->error."</h1></body></html>\n";
     exit(1);
   };
 };