FutureQuest, Inc.
Old 04-30-2003, 10:54 PM   Postid: 87188
Matt
Site Owner
vauthenticate and POPPass for PHP

Hi,

I downloaded the POPPass package and am in the process of recoding the script for PHP (I'll share the PHP version when it's finished). Right now I'm at the stage of passing the mail commands to the server via exec(). I'm not getting any results back and logged in at the command line to try out the 'vauthenticate' command. I've tried several variants of the command and get no response each time. I'm guessing the PHP code is simply timing out on the call.

Are there specific arguments that I should be sending along with the command and mailbox name? I've tried the following w/o success:
  • vauthenticate test
  • vauthenticate TEST
  • vauthenticate 'TEST'
  • vauthenticate 'test'

Although 'test' is not an existing mailbox user, I tried passing valid users as well with the same results. I'm not familiar w/ Python, so there may be some string that's getting passed that I'm missing. Any advice (Sheila ).

Thanks,
Matt
__________________
Webspace Creations
Old 04-30-2003, 11:06 PM   Postid: 87190
 sheila
Service Rep
I suspect this is a permissions problem.

PHP does not run under your userID for your account. At least not yet. Once the Secure_Mode is in place on the FutureQuest servers it will.

However, the vauthenticate command is only available to the account holder (account userID).

I would imagine that this is the reason you are unable to get it to work in PHP at this time.
Old 04-30-2003, 11:17 PM   Postid: 87191
Matt
Site Owner
Sheila,
I'm testing vauthenticate using two methods:
1. PHP CGI-- should bypass the secure_mode issues.
2. Command line-- I'm actually SSH'ing into my account and running vauthenticate from command line

Neither of these seem to work. I also tried to RTFM, but couldn't find anything for vauthenticate.
Old 04-30-2003, 11:28 PM   Postid: 87192
 sheila
Service Rep
OK, I really should learn to ask people if they are using PHP as cgi or apache module, instead of assuming.
I agree that as cgi PHP should not have permission issues.

Here is proper command line usage, for a correct username/password pair:

$ vauthenticate username

After you enter this, it will appear to "hang" as the command is awaiting the password to be entered as an input stream.

Enter the password and hit "enter". You should get output that looks something like this:

UID=12345
GID=12345
USER=xdomain
HOME=/big/dom/xdomain
MAILDIR=./vmspool/username
VUSER=username

I just tested this again myself, to make sure.

If this doesn't work for you, then I would wonder what server are you on and what account this is. If you do not want to say publicly, please send the information to the Service Desk.
Old 05-01-2003, 01:04 AM   Postid: 87195
Matt
Site Owner
Thanks, I didn't know what to type at the "hang" stage. All appears functional now that I know what to type
-Matt
Old 05-01-2003, 03:18 AM   Postid: 87196
Matt
Site Owner
Regular expressions... last stage of conversion

Okay, I'm happy to announce that I've recoded the poppass.py script to run as a PHP CGI script. My personal interest is to be able to modify this script to include additional functionality. Since I'm not a Python coder, recoding the script is easier than trying to pick up another programming language. The final leg of the project is verifying that no invalid characters are present in the username or password. Since my regular expressions coding ability is not very advanced, I'm throwing this out to anyone who might be able to help.

I'd like to check two strings, $username and $password, to make sure that neither includes control characters (ASCII 0 - 31, 127). Additionally, $username cannot contain any of the following characters:
[ !"#$%(),:;<>@[]|&`]

And $password cannot contain any of the following characters:
[`|()]

PHP code should be posted within a day or two
Thanks, Matt
Old 05-01-2003, 08:26 AM   Postid: 87204
kitchin
Site Owner
They say it is better to assert what characters you want, not the ones you don't.

Anyway, this is what you describe:
$u= preg_replace('/[\x00-\x1F\x7F!"#$%(),:;<>@\[\]|&`]/', '', $u);
$p= preg_replace('/[\x00-\x1F\x7F`|()]/', '', $p);

Within [character classes] you don't have to escape much, just
'/[]^-\
note: escaping ^ optional after 1st char
note: double-escape \, using \\\
You may safely escape just about anything except letters and numbers.

To use inclusion instead of exclusion, it would be something like
$u= preg_replace('/[^\w\\'\/^\-\\\ .?*+={}~\x80-\xFF]/', '', $u);

I had to double-escape that \\' to get it through the forum software, so fully test anything you copy-and-paste from this post!

Here's a test string to try it with:
$u= '\!"#$%(),:;<>@[]|&`?*+=^-/' . "'\xA5test\x09bug\nvie\x08w";

Last edited by kitchin : 05-02-2003 at 05:05 AM.
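
An added example, not part of the thread: the deny-list Matt describes and an allow-list of the kind kitchin recommends, run over constructed inputs and the test string from the post above. The allow-list policy (letters, digits, `_`, `.`, `-`, at most 64 characters) and the function names are assumptions.

```php
<?php
// Added example; not code from the thread.

// Deny-list from the thread: control characters (0-31, 127), space and !"#$%(),:;<>@[]|&`
const USERNAME_DENY = '/[\x00-\x1F\x7F !"#$%(),:;<>@\[\]|&`]/';

// Allow-list (assumed policy): 1-64 characters from letters, digits, "_", "." and "-".
// \A and \z anchor the whole string.
const USERNAME_ALLOW = '/\A[A-Za-z0-9_.-]{1,64}\z/';

// Same character set anchored with ^ and $: "$" also matches before a final newline.
const USERNAME_ALLOW_LOOSE = '/^[A-Za-z0-9_.-]{1,64}$/';

function passesDenyList(string $s): bool
{
    return preg_match(USERNAME_DENY, $s) === 0;
}

function passesAllowList(string $s, string $pattern = USERNAME_ALLOW): bool
{
    return preg_match($pattern, $s) === 1;
}

// Constructed sample inputs; the last one is the test string posted in the thread.
$samples = [
    'matt',
    'sales.team-2',
    "test\n",
    "te'st",
    'a\\b',
    'user*',
    '\!"#$%(),:;<>@[]|&`?*+=^-/' . "'\xA5test\x09bug\nvie\x08w",
];

printf("%-34s %-6s %-6s %-6s\n", 'input', 'deny', 'allow', 'loose');
foreach ($samples as $s) {
    printf(
        "%-34s %-6s %-6s %-6s\n",
        addcslashes($s, "\0..\37\177..\377"),   // make control and high bytes visible
        passesDenyList($s) ? 'pass' : 'reject',
        passesAllowList($s) ? 'pass' : 'reject',
        passesAllowList($s, USERNAME_ALLOW_LOOSE) ? 'pass' : 'reject'
    );
}
```

The inputs `te'st`, `a\b` and `user*` pass the deny-list but not the allow-list, and the `$`-anchored pattern on its own accepts `test` followed by a newline where the `\z` form does not.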
Old 05-02-2003, 01:54 AM   Postid: 87279
Matt
Site Owner
Thanks for the response Kitchin, here's the output from test:
Code:
\?*+=^-/'„testbugviewaaaa1bbbbaaaa1bbbb
Try using the CODE tags to post the regular expressions.

In the meantime, here is v0.9 of poppass.php. It's designed as a drop-in replacement for poppass.py. The only modification necessary is that the form on popform.html post to poppass.php. I'll post v1.0 as soon as I make the necessary changes to regular expressions (other minor suggestions welcome):
PHP Code:
#!/usr/local/bin/php
<?php
/*
###########################################################
#
# COPYRIGHT NOTICE.
# Copyright © 2003 Webspace Enterprises, Inc.
#
# PO BOX 661284 Birmingham AL 35266-1284 U.S.A. All rights reserved.
# http://www.WebspaceEnterprises.com
#
# Open Source Software from Webspace Enterprises, Inc.
# support@webspacecreations.com
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public License
# as published by the Free Software Foundation; either version 2.1
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# http://www.gnu.org/copyleft/lesser.txt
#
# You can view the GNU General Public License at the link above,
# or you can receive a copy of the GNU Lesser General Public License
# by writing to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
##########################################################
*/

  // ----------------------------------------------------------
  // Read in variables passed from web form
  // ----------------------------------------------------------
  // Note: $base_url and $html_path also come from the form, so the
  // redirect target and the file_exists() path are client-controlled.
  global $accountname, $oldpass, $newpass, $newpass2, $base_url, $html_path;
  $accountname = $_POST["accountname"];
  $oldpass = $_POST["oldpass"];
  $newpass = $_POST["newpass"];
  $newpass2 = $_POST["newpass2"];
  $base_url = $_POST["base_url"];
  $html_path = $_POST["html_path"];

  // ----------------------------------------------------------
  // Functions responsible for redirecting to appropriate result page
  // ----------------------------------------------------------
  function displayResultPage($result_url)
  {
    header("Location: " . $result_url);
    exit();
  }

  // The argument is optional: the script's last call passes none
  function errorDisplay($custom_err_file = null)
  {
    global $base_url, $html_path;
    $error_page = $base_url . '/error.html';
    if (isset($custom_err_file))
    {
      if (file_exists($html_path . '/' . $custom_err_file))
      {
        $error_page = $base_url . '/' . $custom_err_file;
      }
    }
    displayResultPage($error_page);
  }

  // ----------------------------------------------------------
  // Functions responsible for checking password validity
  // ----------------------------------------------------------
  function isAlphaNumeric($input)
  {
    if (preg_match("/[^a-z,A-Z]/", $input) && preg_match("/[^0-9]/", $input))
      return 1;
    else
      return 0;
  }

  function isUsernameValid($input)
  {
    // Control characters and  !"#$%(),:;<>@[]|&` not allowed in username
    if ($input == preg_replace('/[^\w\'\/^\-\\\ .?*+={}~\x80-\xFF]/', '', $input))
    {
      return 1;
    }
    else
    {
      return 0;
    }
  }

  function isPasswordValid($input)
  {
    // Control characters and `|() not allowed in password
    if ($input == preg_replace('/[\x00-\x1F\x7F`|()]/', '', $input))
    {
      return 1;
    }
    else
    {
      return 0;
    }
  }

  // ----------------------------------------------------------
  // Start by verifying that all form variables sent
  // ----------------------------------------------------------
  if (!(($accountname>'') && ($oldpass>'') && ($newpass>'') && ($newpass2>'') && ($base_url>'') && ($html_path>'')))
  {
    errorDisplay("empty_fields.html");
  }

  // Verify that the two values for the new password match
  if ($newpass != $newpass2)
  {
    errorDisplay("no_match.html");
  }

  // ----------------------------------------------------------
  // Now verify that username and password meet necessary criteria
  // ----------------------------------------------------------

  // Verify password is valid length
  // (the lower bound did not survive in the forum copy of this line;
  //  $min_pwd_length is a placeholder to set to the intended minimum)
  $min_pwd_length = 1;
  if (strlen($newpass) < $min_pwd_length || strlen($newpass) > 20)
  {
    errorDisplay("pwd_length_error.html");
  }

  // New passwords cannot have leading or trailing spaces
  if ($newpass != trim($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // If password is 8 characters, cannot contain spaces
  if ((strlen($newpass)==8) && (strstr($newpass," ")))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // Password cannot contain two or more consecutive spaces
  if (strstr($newpass,"  "))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // Check that the new password contains both letters and digits
  if (!isAlphaNumeric($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  if (!isUsernameValid($accountname))
  {
    errorDisplay("invalid_username.html");
  }

  if (!isPasswordValid($oldpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  if (!isPasswordValid($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // ----------------------------------------------------------
  // Now verify that username and old password authenticate
  // ----------------------------------------------------------
  // escapeshellarg() quotes the name for the shell instead of hand-written '...'
  $command = "vauthenticate " . escapeshellarg($accountname);

  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
  );
  $process = proc_open($command, $descriptorspec, $pipes);
  if (is_resource($process))
  {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt

    fwrite($pipes[0], $oldpass . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    if ($return_value)
    {
      errorDisplay("failed_authenticate.html");
    }
  }

  // ----------------------------------------------------------
  // Username/ old password authenticated; change to new password
  // ----------------------------------------------------------
  $command = "vpasswd " . escapeshellarg($accountname);
  $process = proc_open($command, $descriptorspec, $pipes);
  if (is_resource($process))
  {
    fwrite($pipes[0], $newpass . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    if (!$return_value)
    {
      $success_url = $base_url . "/success.html";
      displayResultPage($success_url);
    }
    else
    {
      errorDisplay();
    }
  }

  // ----------------------------------------------------------
  // End of Script
  // ----------------------------------------------------------
?>
Old 05-02-2003, 06:40 AM   Postid: 87292
kitchin
Site Owner
Now it's your \ characters that aren't showing up! Also, some regexes need fixing.

Quote:
Code:
\*+=^-/'„testbugviewaaaa1bbbbaaaa1bbbb
For me,
PHP Code:
<?php
 $u = '\!"#$%(),:;<>@[]|&`?*+=^-/' . "'\xA5test\x09bug\nvie\x08w";
 $u = preg_replace('/[\\x00-\\x1F\\x7F!"#$%(),:;<>@\\[\\]|&`]/', '', $u);
 print $u;
?>
Results in:
\\?*+=^-/\'„testbugview
(char \\ inserted before char \\ and char \' for forum post)
Quote:
PHP Code:
<?php
  function isAlphaNumeric($input)
  {
    if (preg_match("/[^a-z,A-Z]/", $input) && preg_match("/[^0-9]/", $input))
?>
That means "contains any char not a letter or comma" and "contains any char not a number."
PHP Code:
<?php
  // It should be
  function isAlphaNumeric($input)
  {
    if (preg_match('/[a-zA-Z]/', $input) && preg_match('/[0-9]/', $input))
  // Name of the function might confuse other programmers.
  // Perhaps "isAlpha_and_Numeric"
?>
Quote:
PHP Code:
<?php
    if ($input == preg_replace('/[^\w\'\/^\-\\\ .?*+={}~\x80-\xFF]/', '', $input))
?>
The forum removed the \ chars. Also, you might end up testing numeric identity. I think this would be better:
PHP Code:
<?php
    if (preg_match('/[^\\w\\'/^- .?*+={}~x80-xFF]/, $input))
?>
Quote:
PHP Code:
<?php
    if ($input == preg_replace('/[\x00-\x1F\x7F`|()]/', '', $input))
?>
Likewise,
PHP Code:
<?php
    if (preg_match('/[\\x00-\\x1F\\x7F`|()]/', $input))
?>
Quote:
PHP Code:
<?php
    if ($input == preg_replace('/[x00-x1Fx7F<img src="images/smilies/headfire.gif" border="0" alt="">()]/', '', $input))
?>
Oh, I see, it is a forum smiley!
PHP Code:
<?php
    // preg_match() takes the pattern, then the subject
    if (preg_match('/[\\x00-\\x1F\\x7F`|()]/', $input))
?>
Old 05-03-2003, 09:07 PM   Postid: 87385
Matt
Site Owner
Kitchin, thanks for the response. I had to do a boolean NOT for the preg_match you offered for password validation to get it to work. For username validation, I couldn't get your regex to work, so I substituted one that's worked for me in the past. Here's the code... others are welcome to modify it for their own purposes. If deemed useful, I welcome FQ to distribute it as a PHP version of the POPPass package. -Matt

PHP Code:
#!/usr/local/bin/php
<?php
/*
###########################################################
#
# COPYRIGHT NOTICE.
# Copyright © 2003 Webspace Enterprises, Inc.
#
# PO BOX 661284 Birmingham AL 35266-1284 U.S.A. All rights reserved.
# http://www.WebspaceEnterprises.com
#
# Open Source Software from Webspace Enterprises, Inc.
# support@webspacecreations.com
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public License
# as published by the Free Software Foundation; either version 2.1
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# http://www.gnu.org/copyleft/lesser.txt
#
# You can view the GNU General Public License at the link above,
# or you can receive a copy of the GNU Lesser General Public License
# by writing to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
##########################################################
*/

  // ----------------------------------------------------------
  // Read in variables passed from web form
  // ----------------------------------------------------------
  // Note: $base_url and $html_path also come from the form, so the
  // redirect target and the file_exists() path are client-controlled.
  global $accountname, $oldpass, $newpass, $newpass2, $base_url, $html_path;
  $accountname = $_POST["accountname"];
  $oldpass = $_POST["oldpass"];
  $newpass = $_POST["newpass"];
  $newpass2 = $_POST["newpass2"];
  $base_url = $_POST["base_url"];
  $html_path = $_POST["html_path"];

  // ----------------------------------------------------------
  // Functions responsible for redirecting to appropriate result page
  // ----------------------------------------------------------
  function displayResultPage($result_url)
  {
    header("Location: " . $result_url);
    exit();
  }

  // The argument is optional: the script's last call passes none
  function errorDisplay($custom_err_file = null)
  {
    global $base_url, $html_path;
    $error_page = $base_url . '/error.html';
    if (isset($custom_err_file))
    {
      if (file_exists($html_path . '/' . $custom_err_file))
      {
        $error_page = $base_url . '/' . $custom_err_file;
      }
    }
    displayResultPage($error_page);
  }

  // ----------------------------------------------------------
  // Functions responsible for checking password validity
  // ----------------------------------------------------------
  function isAlphaAndNumeric($input)
  {
    if (preg_match('/[a-zA-Z]/', $input) && preg_match('/[0-9]/', $input))
      return 1;
    else
      return 0;
  }

  function isUsernameValid($input)
  {
    // Control characters and  !"#$%(),:;<>@[]|&` not allowed in username
    // eregi() was removed in PHP 7.0; this is the same pattern under
    // preg_match(): i = case-insensitive, D = "$" cannot match before a
    // trailing newline.
    if (preg_match('/^([a-z0-9_]|\-|\.)+$/iD', $input))
    {
      return 1;
    }
    else
    {
      return 0;
    }
  }

  function isPasswordValid($input)
  {
    // Control characters and `|() not allowed in password
    // preg_match() takes the pattern, then the subject. The posted call had
    // an extra '' in between, which matched against the empty string and
    // accepted every password.
    if (!preg_match('/[\x00-\x1F\x7F`|()]/', $input))
    {
      return 1;
    }
    else
    {
      return 0;
    }
  }

  // ----------------------------------------------------------
  // Start by verifying that all form variables sent
  // ----------------------------------------------------------
  if (!(($accountname>'') && ($oldpass>'') && ($newpass>'') && ($newpass2>'') && ($base_url>'') && ($html_path>'')))
  {
    errorDisplay("empty_fields.html");
  }

  // Verify that the two values for the new password match
  if ($newpass != $newpass2)
  {
    errorDisplay("no_match.html");
  }

  // ----------------------------------------------------------
  // Now verify that username and password meet necessary criteria
  // ----------------------------------------------------------

  // Verify password is valid length
  // (the lower bound did not survive in the forum copy of this line;
  //  $min_pwd_length is a placeholder to set to the intended minimum)
  $min_pwd_length = 1;
  if (strlen($newpass) < $min_pwd_length || strlen($newpass) > 20)
  {
    errorDisplay("pwd_length_error.html");
  }

  // New passwords cannot have leading or trailing spaces
  if ($newpass != trim($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // If password is 8 characters, cannot contain spaces
  if ((strlen($newpass)==8) && (strstr($newpass," ")))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // Password cannot contain two or more consecutive spaces
  if (strstr($newpass,"  "))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // Check that the new password contains both letters and digits
  if (!isAlphaAndNumeric($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  if (!isUsernameValid($accountname))
  {
    errorDisplay("invalid_username.html");
  }

  if (!isPasswordValid($oldpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  if (!isPasswordValid($newpass))
  {
    errorDisplay("invalid_pwd_character.html");
  }

  // ----------------------------------------------------------
  // Now verify that username and old password authenticate
  // ----------------------------------------------------------
  // escapeshellarg() quotes the name for the shell instead of hand-written '...'
  $command = "vauthenticate " . escapeshellarg($accountname);

  $descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
  );
  $process = proc_open($command, $descriptorspec, $pipes);
  if (is_resource($process))
  {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt

    fwrite($pipes[0], $oldpass . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    if ($return_value)
    {
      errorDisplay("failed_authenticate.html");
    }
  }

  // ----------------------------------------------------------
  // Username/ old password authenticated; change to new password
  // ----------------------------------------------------------
  $command = "vpasswd " . escapeshellarg($accountname);
  $process = proc_open($command, $descriptorspec, $pipes);
  if (is_resource($process))
  {
    fwrite($pipes[0], $newpass . "\n");
    fclose($pipes[0]);
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    if (!$return_value)
    {
      $success_url = $base_url . "/success.html";
      displayResultPage($success_url);
    }
    else
    {
      errorDisplay();
    }
  }

  // ----------------------------------------------------------
  // End of Script
  // ----------------------------------------------------------
?>
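
An added example, not Matt's code or FutureQuest's: the same authenticate-then-change flow with the command given to proc_open() as an argument array (PHP 7.4+), so no shell parses the username, and with stdout read before it is closed. The function names, the username policy, the VUSER comparison and the `sh` stand-ins for vauthenticate and vpasswd are assumptions made so the block runs on any POSIX host.

```php
<?php
// Added example; not code from the thread. Needs PHP 7.4+ and a POSIX sh for the stand-ins.

/** Run $argv without a shell, send $secret as one stdin line, return [exit code, stdout]. */
function runWithSecretOnStdin(array $argv, string $secret): array
{
    $spec = [
        0 => ['pipe', 'r'],              // child reads the password here
        1 => ['pipe', 'w'],              // child writes its KEY=VALUE lines here
        2 => ['file', '/dev/null', 'a'], // discard stderr
    ];
    // Array form: the program is executed directly, so no shell parses the arguments.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ' . $argv[0]);
    }
    fwrite($pipes[0], $secret . "\n");
    fclose($pipes[0]);                         // EOF: the child stops waiting for input
    $stdout = stream_get_contents($pipes[1]);  // drain stdout before closing it
    fclose($pipes[1]);
    return [proc_close($proc), $stdout];
}

/** Parse KEY=VALUE lines of the kind shown in the thread (UID=..., VUSER=...). */
function parseAuthOutput(string $stdout): array
{
    $fields = [];
    foreach (preg_split('/\R/', trim($stdout)) as $line) {
        if (preg_match('/\A([A-Z]+)=(.*)\z/', $line, $m)) {
            $fields[$m[1]] = $m[2];
        }
    }
    return $fields;
}

/** Authenticate with the old password, then set the new one; true only if both exit 0. */
function changeMailboxPassword(string $user, string $old, string $new, array $authCmd, array $setCmd): bool
{
    // Assumed username policy: allow-list, whole string, at most 64 characters.
    if (preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $user) !== 1) {
        return false;                          // rejected before any process is started
    }
    [$code, $out] = runWithSecretOnStdin(array_merge($authCmd, [$user]), $old);
    // Assumption: a successful run echoes the mailbox name back as VUSER.
    if ($code !== 0 || (parseAuthOutput($out)['VUSER'] ?? null) !== $user) {
        return false;
    }
    [$code] = runWithSecretOnStdin(array_merge($setCmd, [$user]), $new);
    return $code === 0;
}

// Constructed stand-ins for vauthenticate and vpasswd: the first accepts only the
// password "old-Secret1" and prints a VUSER line, the second reads one line and succeeds.
$auth = ['sh', '-c', 'IFS= read -r p; [ "$p" = "old-Secret1" ] && echo "VUSER=$1"', 'auth'];
$set  = ['sh', '-c', 'IFS= read -r p; [ -n "$p" ]', 'set'];

var_dump(changeMailboxPassword('matt', 'old-Secret1', 'new-Secret2', $auth, $set));
var_dump(changeMailboxPassword('matt', 'wrong', 'new-Secret2', $auth, $set));
var_dump(changeMailboxPassword("te'st", 'old-Secret1', 'new-Secret2', $auth, $set));
```

On a FutureQuest account the two stand-in arrays would be `['vauthenticate']` and `['vpasswd']`, with the mailbox name appended as the only argument as in the script above.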