$sudopassword .= "<tr><td>Unparseable line!</td></tr>\n";
next;
}
- $status =~ s/:.*//; # remove verification hmac, it's just noise here.
+ if ($status =~ /^confirmed:/) {
+ my $data = join(':', 'password-is-confirmed', 'sudo', $data{'uid'}, $uuid, $hosts, $crypted);
+ my $hmac = hmac_sha1_hex( $data, $hmac_key);
+ if ($status eq "confirmed:$hmac") {
+ $status = 'confirmed';
+ } else {
+ $status = 'INVALID';
+ }
+ }
my $e = "<tr><td>".CGI::escapeHTML($hosts)."</td>
<td>".CGI::escapeHTML($status)."</td>
<td><small>not shown</small></td>
<td><input name=\"sudopassword-delete-".CGI::escapeHTML($uuid)."\" type=\"checkbox\" value=\"delete\"> (delete)</td></tr>\n";
$sudopassword .= $e;
if ($status eq 'unconfirmed') {
- my $data = join(':', 'confirm-new-password', $uuid, $hosts, $crypted);
+ my $data = join(':', 'confirm-new-password', 'sudo', $data{'uid'}, $uuid, $hosts, $crypted);
my $hmac = hmac_sha1_hex( $data, $hmac_key);
$confirmstring .= CGI::escapeHTML("confirm sudopassword $uuid $hosts $hmac\n");
}