Fixed an XSS vulnerability that can be triggered if an attacker has the ability to change the real name of a Unix user.
---- Changes since 1.550 ----
Updated all links to users and groups to be by name instead of by index, to avoid incorrect links if the passwd or group files are changed manually or by another Webmin session.
+The faster lastlog command is now used to get the most recent login time on Linux, for display in the user list.
}
}
+# os_most_recent_logins()
+# Returns hash ref from username to the most recent login as time string
+sub os_most_recent_logins
+{
+my %rv;
+open(LASTLOG, "LANG=C lastlog |");
+while(<LASTLOG>) {
+ s/\r|\n//g;
+ if (/^(\S+)/) {
+ my $user = $1;
+ if (/((\S+)\s+(\S+)\s+\d+\s+(\d+):(\d+):(\d+)\s+([\-\+]\d+)\s+(\d+))/) {
+ # Have a date to parse
+ $rv{$user} = $1;
+ }
+ else {
+ $rv{$user} = undef;
+ }
+ }
+ }
+close(LASTLOG);
+return \%rv;
+}
+
# logged_in_users()
# Returns a list of hashes containing details of logged-in users
sub logged_in_users
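Review bot: The pipe open in `os_most_recent_logins` is never checked, so if `lastlog` is missing or cannot be run the function returns an empty hash and the user list silently shows no login times. The two-argument form also passes the command through the shell and resolves `lastlog` via the inherited PATH. Nothing untrusted is interpolated here, but a list-form open on a lexical handle avoids the shell entirely, e.g. `local $ENV{'LANG'} = 'C';` followed by `open(my $fh, "-|", "lastlog") || return \%rv;`. The `^(\S+)` match also accepts the column header line that lastlog prints first, so a `Username` key with an undef value ends up in the result; skipping that line would keep the map to real accounts.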
$text{'shell'},
$lshow ? ( $text{'lastlogin'} ) : ( )
], 100, 0, \@tds);
-local %llogin;
+local $llogin;
if ($lshow) {
- local $l;
- foreach $l (&list_last_logins()) {
- $llogin{$l->[0]} ||= $l->[3];
+ $llogin = &get_recent_logins();
+ if (&foreign_check("mailboxes")) {
+ &foreign_require("mailboxes");
}
}
local $u;
push(@cols, &html_escape($u->{'real'}));
push(@cols, &html_escape($u->{'home'}));
push(@cols, &html_escape($u->{'shell'}));
- push(@cols, &html_escape($llogin{$u->{'user'}})) if ($lshow);
+ if ($lshow) {
+ # Show last login, in local format after Unix time conversion
+ my $ll = $llogin->{$u->{'user'}};
+ if (defined(&mailboxes::parse_mail_date)) {
+ my $tm = &mailboxes::parse_mail_date($ll);
+ if ($tm) {
+ $ll = &make_date($tm);
+ }
+ }
+ push(@cols, &html_escape($ll));
+ }
if ($u->{'noedit'}) {
print &ui_columns_row(\@cols, \@tds);
}
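Review bot: `$ll` can be undef when it reaches `&mailboxes::parse_mail_date($ll)`, because `os_most_recent_logins` stores undef for accounts with no recorded login and a user missing from the map also yields undef. Guarding the conversion with `if (defined($ll) && defined(&mailboxes::parse_mail_date)) {` keeps the never-logged-in case out of the date parser. When parsing fails or the mailboxes module is unavailable the raw string is displayed, so the column can mix two formats; a comment such as `# Falls back to the raw lastlog/last string if it cannot be parsed` would make that explicit. The `&html_escape($ll)` on the final value should stay as it is, since the string originates from `lastlog` output or `list_last_logins` records rather than from Webmin itself. The enclosing function starts and ends outside this hunk.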
return @rv;
}
+=head2 get_recent_logins()
+
+Returns a hash ref from username to most recent login time/date
+
+=cut
+sub get_recent_logins
+{
+if (defined(&os_most_recent_logins)) {
+ return &os_most_recent_logins();
+ }
+else {
+ my %rv;
+ foreach my $l (&list_last_logins()) {
+ $rv{$l->[0]} ||= $l->[3];
+ }
+ return \%rv;
+ }
+}
+
=head2 user_link(&user)
Returns a link to a user editing form. Mainly for internal use.