From 00a6b3538e567017f85d7e92174d15e248133bf0 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 16 Sep 2008 22:11:07 +0200
Subject: [PATCH] Verify confirmed hmac in web display, showing status as either 'confirmed' (which now means also verified, i.e. it will make it to the host), or 'invalid'.
---
 debian/changelog | 8 ++++++++
 update.cgi | 10 +++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 0926b9c..955d81e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+userdir-ldap-cgi (0.3.22) unstable; urgency=low
+
+ * Verify confirmed hmac in web display, showing status as either 'confirmed'
+ (which now means also verified, i.e. it will make it to the host), or
+ 'invalid'.
+
+ -- Peter Palfrader Tue, 16 Sep 2008 22:10:27 +0200
+
 userdir-ldap-cgi (0.3.21) unstable; urgency=low

 * Slightly change find call in cronjob.
diff --git a/update.cgi b/update.cgi
index 8e74b3e..f78a7eb 100755
--- a/update.cgi
+++ b/update.cgi
@@ -127,7 +127,15 @@ if (!($query->param('doupdate'))) {
 $sudopassword .= "Unparseable line!\n";
 next;
 }
- $status =~ s/:.*//; # remove verification hmac, it's just noise here.
+ if ($status =~ /^confirmed:/) {
+ my $data = join(':', 'password-is-confirmed', $uuid, $hosts, $crypted);
+ my $hmac = hmac_sha1_hex( $data, $hmac_key);
+ if ($status eq "confirmed:$hmac") {
+ $status = 'confirmed';
+ } else {
+ $status = 'INVALID';
+ }
+ }
 my $e = "".CGI::escapeHTML($hosts)." ".CGI::escapeHTML($status)." not shown
-- 2.20.1
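Review bot: A stored status of exactly `confirmed` (no colon, no HMAC) does not match `/^confirmed:/` in the update.cgi hunk, so it skips the check and is still displayed as 'confirmed', which the commit message now defines as verified. Unless the parsing above the hunk already rejects that form (it is not visible here), the guard should be widened so every status starting with that word goes through the comparison and fails closed: `if ($status =~ /^confirmed(?::|\z)/) {`. The removed `s/:.*//` also trimmed every other status, so values with a colon suffix that are not `confirmed:` are now shown in full, though still HTML-escaped. A short comment on the `join` line would help, for example `# must match, field for field, the string signed when the password was confirmed`. The enclosing loop and the definitions of `hmac_sha1_hex` and `$hmac_key` lie outside the hunk.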