i'm mostly done with a little ksh CGI script that allows users to change their dovecot passwords after submitting an HTML form, but the issue of input control has been giving me trouble.

to generate a new password hash the CGI script takes POSTed form data, splits it into variables named FORM_username, FORM_password, FORM_newpassword1 and FORM_newpassword2 then performs a couple operations:

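newhash=`/usr/local/sbin/dovecotpw -p "$FORM_newpassword1"`
# write to a temporary file first: redirecting sed's output onto its own input truncates the file before sed reads it
/usr/bin/sed "/$FORM_username/s/{HMAC-MD5}[a-z0-9]*:/$newhash:/g" /etc/dovecot/virtual.passwd > /etc/dovecot/virtual.passwd.tmp &&
    mv /etc/dovecot/virtual.passwd.tmp /etc/dovecot/virtual.passwd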

it's obviously a bad idea to use the form variables without putting them through the ksh read f'n or something similar to catch characters that should be escaped (`,',",%, etc.). the problem is pushing the variables through read. a few links show read being used as

print "testing" | read testread

so that "echo $testread" should print "testing" after the read. this does not work the same on the openbsd ksh CL and leaves testread empty. however,

read testread < test.txt

works fine if test.txt is non-empty. this is very much circumlocutory and i would rather not print passwords to a file only to read them back in.

advice on how best to pipe the $FORM_ variables into read is appreciated. if read is not a safe method to filter for "danger" inputs, do let me know.

cheers,
jake
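
Added example, not part of jake's post: read only assigns its input to a variable and filters nothing, so this sketch instead checks the username against an allowlist and passes both values to awk through the environment rather than splicing them into a sed program. The function names, the temp-file name and the file layout (username as the first colon-separated field, hash as the second) are assumptions.

```sh
#!/bin/sh
# Added example. Function names and the assumed file layout
# (user:{HMAC-MD5}hash:rest, one account per line) are not from the post.
LC_ALL=C; export LC_ALL   # make the A-Z style ranges below byte-exact
umask 077                 # the temporary copy of the passwd file stays private

# Allowlist check: reject empty names and any character outside the set.
valid_username() {
    case $1 in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# update_hash FILE USER NEWHASH
# USER and NEWHASH reach awk through the environment, so they are compared
# and written as plain strings and are never parsed as program text.
update_hash() {
    valid_username "$2" || return 2
    tmp="$1.tmp.$$"
    if U="$2" H="$3" awk -F: '
        BEGIN { OFS = ":" }
        $1 == ENVIRON["U"] { $2 = ENVIRON["H"]; hit = 1 }  # exact match on field 1
        { print }
        END { exit !hit }                                  # fail if no such user
    ' "$1" > "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample data (not real accounts or hashes).
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'jake:{HMAC-MD5}aaaa1111:1000:1000' \
                  'jakester:{HMAC-MD5}bbbb2222:1001:1001' > "$f"
    update_hash "$f" jake '{HMAC-MD5}cccc3333' || { rm -f "$f"; return 1; }
    # a name containing "/" is refused before it gets near the file
    if update_hash "$f" 'ja/ke' '{HMAC-MD5}dddd4444'; then rm -f "$f"; return 1; fi
    cat "$f"; rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Only the jake line changes in the demo; a pattern match on /jake/ would also have rewritten the jakester line.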
