1c89f78d29754be687dde409ae19b4e743f85703 chinhli Fri Apr 5 10:43:10 2013 -0700 redmine #9752 #8920 A more secure and sharable sendmail utility mailViaPipe for hgLogin diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index 7bcd3d6..ed0d954 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -8,30 +8,31 @@ #include "memalloc.h" #include "jksql.h" #include "htmshell.h" #include "cart.h" #include "hPrint.h" #include "hdb.h" #include "hui.h" #include "web.h" #include "ra.h" #include "hgColors.h" #include "net.h" #include "wikiLink.h" #include "hgLogin.h" #include "gbMembers.h" #include "versionInfo.h" +#include "mailViaPipe.h" /* ---- Global variables. ---- */ char msg[4096] = ""; char *incorrectUsernameOrPassword="The username or password you entered is incorrect."; char *incorrectUsername="The username you entered is incorrect."; /* The excludeVars are not saved to the cart. */ char *excludeVars[] = { "submit", "Submit", "debug", "fixMembers", "update", "hgLogin_password", "hgLogin_password2", "hgLogin_newPassword1", "hgLogin_newPassword2", NULL }; struct cart *cart; /* This holds cgi and other variables between clicks. */ char *database; /* Name of genome database - hg15, mm3, or the like. */ struct hash *oldCart; /* Old cart hash. */ char *errMsg; /* Error message to show user when form data rejected */ char brwName[64]; char brwAddr[256]; 
@@ -82,46 +83,30 @@ if isEmpty(cfgOption(CFG_LOGIN_MAIL_SIGNATURE)) return cloneString("NULL_mailSignature"); else return cloneString(cfgOption(CFG_LOGIN_MAIL_SIGNATURE)); } char *mailReturnAddr() /* Return the return addr. to be used by outbound mail or NULL. Allocd here. */ { if isEmpty(cfgOption(CFG_LOGIN_MAIL_RETURN_ADDR)) return cloneString("NULL_mailReturnAddr"); else return cloneString(cfgOption(CFG_LOGIN_MAIL_RETURN_ADDR)); } -int mailItOut(char *toAddr, char *subject, char *msg, char *fromAddr) -/* send mail to toAddr address */ -{ -char cmd[4096]; -char fullMail[4096]; -safef(fullMail,sizeof(fullMail), - "From: %s\n" - "To: %s\n" - "Subject: %s\n" - "\n%s", - fromAddr, toAddr, subject, msg); -safef(cmd,sizeof(cmd), "echo '%s' | /usr/sbin/sendmail -t -oi",fullMail); -int result = system(cmd); -return result; -} - /* ---- password functions depend on optionally installed openssl lib ---- */ #ifdef USE_SSL #include void cryptWikiWay(char *password, char *salt, char* result) /* encrypt password in mediawiki format - ':B:'.$salt.':'. md5($salt.'-'.md5($password ) */ { int i; unsigned char result1[MD5_DIGEST_LENGTH]; unsigned char result2[MD5_DIGEST_LENGTH]; char firstMD5[MD5_DIGEST_LENGTH*2 + 1]; char secondMD5[MD5_DIGEST_LENGTH*2 + 1]; i = MD5_DIGEST_LENGTH; MD5((unsigned char *)password, strlen(password), result1); @@ -374,31 +359,31 @@ "

%s

", brwName); hPrintf( "

A confirmation email has been sent to you. \n" "Please click the confirmation link in the email to activate your account.

" "\n" "

Return

", returnURL); cartRemove(cart, "hgLogin_email"); cartRemove(cart, "hgLogin_userName"); } void sendActMailOut(char *email, char *subject, char *msg) /* send mail to email address */ { char *hgLoginHost = wikiLinkHost(); int result; -result = mailItOut(email, subject, msg, returnAddr); +result = mailViaPipe(email, subject, msg, returnAddr); if (result == -1) { hPrintf( "

%s

", brwName); hPrintf( "

" "

" "

Error emailing to: %s

" "Click here to return.
", email ); } else { hPrintf("", hgLoginHost, username); } } void sendNewPwdMail(char *username, char *email, char *password) /* send user new password */ { char subject[256]; char msg[4096]; char *remoteAddr=getenv("REMOTE_ADDR"); -safef(subject, sizeof(subject),"New temporary password for %s", brwName); +safef(subject, sizeof(subject),"New temporary password for %s", username); safef(msg, sizeof(msg), " Someone (probably you, from IP address %s) requested a new password for %s (%s). A temporary password for user \"%s\" has been created and was set to \"%s\". If this was your intent, you will need to log in and choose a new password now. Your temporary password will expire in 7 days.\n\n If someone else made this request, or if you have remembered your password, and you no longer wish to change it, you may ignore this message and continue using your old password.\n\n%s\n%s", remoteAddr, brwName, brwAddr, username, password, signature, returnAddr); sendPwdMailOut(email, subject, msg, username); } void displayAccHelpPage(struct sqlConnection *conn) /* draw the account help page */ { char *email = cartUsualString(cart, "hgLogin_email", ""); char *username = cartUsualString(cart, "hgLogin_userName", ""); hPrintf("
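Review bot: Nothing in these hunks checks the mail header fields for line breaks before they reach `mailViaPipe`: `email` and `subject` in sendActMailOut, and further down the subject that sendNewPwdMail now builds from `username` instead of the configured `brwName`. The removed mailItOut piped a From:/To:/Subject: block to `sendmail -t`, so if the new helper assembles its headers the same way and does not reject CR/LF itself (its body is not part of this diff), a value containing a newline would alter the header block of the outgoing message. I would guard the call so the existing error branch handles it, e.g. `result = (strpbrk(email, "\r\n") || strpbrk(subject, "\r\n")) ? -1 : mailViaPipe(email, subject, msg, returnAddr);`, and apply the same check to `username` before the `safef(subject, ...)` in sendNewPwdMail. The hunk boundaries after sendActMailOut are not readable on this page, so the exact extent of each function here is uncertain.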