password transmission via tmp files

2025-08-14 18:49:17 -07:00 · 2015-03-31 00:01:44 +03:00 · 2015-03-31 00:01:44 +03:00 · 1a7612cc66
commit 1a7612cc66
parent 1021bd4ab2
14 changed files with 172 additions and 87 deletions
--- a/web/reset/index.php
+++ b/web/reset/index.php
@ -43,15 +43,19 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
    if ( $_POST['password'] == $_POST['password_confirm'] ) {
        $v_user = escapeshellarg($_POST['user']);
        $user = $_POST['user'];
-        $v_password = escapeshellarg($_POST['password']);
        $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
        exec ($cmd." ".$v_user." json", $output, $return_var);
        if ( $return_var == 0 ) {
            $data = json_decode(implode('', $output), true);
            $rkey = $data[$user]['RKEY'];
            if ($rkey == $_POST['code']) {
+                $v_password = tempnam("/tmp","vst");
+                $fp = fopen($v_password, "w");
+                fwrite($fp, $_POST['password']."\n");
+                fclose($fp);
                $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password";
                exec ($cmd." ".$v_user." ".$v_password, $output, $return_var);
+                unlink($v_password);
                if ( $return_var > 0 ) {
                    $ERROR = "<a class=\"error\">".__('An internal error occurred')."</a>";
                } else {