From 30f6faf00624251f7ac69fc86e9f3c5a01ad5d90 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 16 Oct 2013 15:22:58 +0100 Subject: update for deprecated '/e' flag in preg_replace (php 5.5) --- inc/auth.php | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 36fc7d086..ac079c574 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -808,14 +808,14 @@ function auth_nameencode($name, $skip_group = false) { if(!isset($cache[$name][$skip_group])) { if($skip_group && $name{0} == '@') { - $cache[$name][$skip_group] = '@'.preg_replace( - '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', - "'%'.dechex(ord(substr('\\1',-1)))", substr($name, 1) + $cache[$name][$skip_group] = '@'.preg_replace_callback( + '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/', + 'auth_nameencode_callback', substr($name, 1) ); } else { - $cache[$name][$skip_group] = preg_replace( - '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', - "'%'.dechex(ord(substr('\\1',-1)))", $name + $cache[$name][$skip_group] = preg_replace_callback( + '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/', + 'auth_nameencode_callback', $name ); } } @@ -823,6 +823,10 @@ function auth_nameencode($name, $skip_group = false) { return $cache[$name][$skip_group]; } +function auth_nameencode_callback($matches) { + return '%'.dechex(ord(substr($matches[1],-1))); +} + /** * Create a pronouncable password * -- cgit v1.2.3 From 443e135d59e9d227eec818dabf9ee64d7a73d474 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 16 Oct 2013 22:04:01 +0100 Subject: replace boolean conditional checks on possibly uninitialized vars with \!empty/empty/isset as appropriate --- inc/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index ac079c574..0d42c8673 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -139,10 +139,10 @@ function auth_loadACL() { $out = array(); foreach($acl as $line) { $line = trim($line); - if($line{0} == '#') continue; + if(empty($line) || ($line{0} == '#')) continue; // skip blank lines & comments list($id,$rest) = preg_split('/\s+/',$line,2); - // substitue user wildcard first (its 1:1) + // substitute user wildcard first (its 1:1) if(strstr($line, '%USER%')){ // if user is not logged in, this ACL line is meaningless - skip it if (!isset($_SERVER['REMOTE_USER'])) continue; -- cgit v1.2.3 From 21c3090a76ebde3117ae1dcb9f503fe3a61c1c02 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Mon, 21 Oct 2013 23:32:15 +0100 Subject: replace \s, \S with [ \t], [^ \t] in regexs used with acls --- inc/auth.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 0d42c8673..b793f5d12 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -140,7 +140,7 @@ function auth_loadACL() { foreach($acl as $line) { $line = trim($line); if(empty($line) || ($line{0} == '#')) continue; // skip blank lines & comments - list($id,$rest) = preg_split('/\s+/',$line,2); + list($id,$rest) = preg_split('/[ \t]+/',$line,2); // substitute user wildcard first (its 1:1) if(strstr($line, '%USER%')){ @@ -716,11 +716,11 @@ function auth_aclcheck($id, $user, $groups) { } //check exact match first - $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/u', $AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($id, '/').'[ \t]+([^ \t]+)[ \t]+/', $AUTH_ACL); if(count($matches)) { foreach($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments - $acl = preg_split('/\s+/', $match); + $acl = preg_split('/[ \t]+/', $match); if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') { $acl[1] = utf8_strtolower($acl[1]); } @@ -746,11 +746,11 @@ function auth_aclcheck($id, $user, $groups) { } do { - $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/u', $AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($path, '/').'[ \t]+([^ \t]+)[ \t]+/', $AUTH_ACL); if(count($matches)) { foreach($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments - $acl = preg_split('/\s+/', $match); + $acl = preg_split('/[ \t]+/', $match); if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') { $acl[1] = utf8_strtolower($acl[1]); } -- cgit v1.2.3 From c17acc9f11cd61909a9395b560e759686c7717e6 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 5 Jan 2014 19:09:34 +0100 Subject: AUTH_ACL_CHECK event around ACL checking allows to modify ACL results in the AFTER event or to implement a completely different ACL mechanism in the BEFORE event. --- inc/auth.php | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index b793f5d12..6000ea6d7 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -661,17 +661,39 @@ function auth_quickaclcheck($id) { } /** - * Returns the maximum rights a user has for - * the given ID or its namespace + * Returns the maximum rights a user has for the given ID or its namespace * * @author Andreas Gohr - * + * @triggers AUTH_ACL_CHECK * @param string $id page ID (needs to be resolved and cleaned) * @param string $user Username * @param array|null $groups Array of groups the user is in * @return int permission level */ function auth_aclcheck($id, $user, $groups) { + $data = array( + 'id' => $id, + 'user' => $user, + 'groups' => $groups + ); + + return trigger_event('AUTH_ACL_CHECK', $data, 'auth_aclcheck_cb'); +} + +/** + * default ACL check method + * + * DO NOT CALL DIRECTLY, use auth_aclcheck() instead + * + * @author Andreas Gohr + * @param array $data event data + * @return int permission level + */ +function auth_aclcheck_cb($data) { + $id =& $data['id']; + $user =& $data['user']; + $groups =& $data['groups']; + global $conf; global $AUTH_ACL; /* @var DokuWiki_Auth_Plugin $auth */ -- cgit v1.2.3 From 04d68ae4edcddca8a3c30ed4ce6c72d28440a084 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Thu, 20 Feb 2014 14:08:02 +0100 Subject: PHPDocs auth.php --- inc/auth.php | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6000ea6d7..8fde129aa 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -845,6 +845,12 @@ function auth_nameencode($name, $skip_group = false) { return $cache[$name][$skip_group]; } +/** + * callback encodes the matches + * + * @param array $matches first complete match, next matching subpatterms + * @return string + */ function auth_nameencode_callback($matches) { return '%'.dechex(ord(substr($matches[1],-1))); } @@ -1075,6 +1081,11 @@ function updateprofile() { return false; } +/** + * Delete the current logged-in user + * + * @return bool true on success, false on any error + */ function auth_deleteprofile(){ global $conf; global $lang; -- cgit v1.2.3 From 55a71a16cbfacd3836ca70e37e45f85bd44ceab1 Mon Sep 17 00:00:00 2001 From: Gerrit Uitslag Date: Tue, 4 Mar 2014 21:14:24 +0100 Subject: removed pre PHP 5.2 code wrt setcookie and session setting - moved cookiedir determination in the if-statement --- inc/auth.php | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 8fde129aa..6c4636b2f 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -528,11 +528,7 @@ function auth_logoff($keepbc = false) { $USERINFO = null; //FIXME $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; - if(version_compare(PHP_VERSION, '5.2.0', '>')) { - setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); - } else { - setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl())); - } + setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); if($auth) $auth->logOff(); } @@ -1319,11 +1315,8 @@ function auth_setCookie($user, $pass, $sticky) { $cookie = base64_encode($user).'|'.((int) $sticky).'|'.base64_encode($pass); $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; $time = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year - if(version_compare(PHP_VERSION, '5.2.0', '>')) { - setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); - } else { - setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl())); - } + setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); + // set session $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass); -- cgit v1.2.3 From f87b5dbbbad408da775ac4c60ceb9f9666280527 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 5 Mar 2014 22:04:14 +0000 Subject: use isset() + ?: or error suppression where value may not be set --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6c4636b2f..e44e837a7 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -325,7 +325,7 @@ function auth_browseruid() { $uid = ''; $uid .= $_SERVER['HTTP_USER_AGENT']; $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; - $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; + $uid .= @$_SERVER['HTTP_ACCEPT_CHARSET']; $uid .= substr($ip, 0, strpos($ip, '.')); $uid = strtolower($uid); return md5($uid); -- cgit v1.2.3 From 585bf44e2b756eac2e1cfce7035ef237bc02a788 Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Thu, 6 Mar 2014 19:55:56 +0000 Subject: amend $_SERVER to $INPUT->server --- inc/auth.php | 54 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 19 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index e44e837a7..2bdc3eb00 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -131,6 +131,8 @@ function auth_setup() { function auth_loadACL() { global $config_cascade; global $USERINFO; + /* @var Input $INPUT */ + global $INPUT; if(!is_readable($config_cascade['acl']['default'])) return array(); @@ -145,10 +147,10 @@ function auth_loadACL() { // substitute user wildcard first (its 1:1) if(strstr($line, '%USER%')){ // if user is not logged in, this ACL line is meaningless - skip it - if (!isset($_SERVER['REMOTE_USER'])) continue; + if (!$INPUT->server->has('REMOTE_USER')) continue; - $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id); - $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest); + $id = str_replace('%USER%',cleanID($INPUT->server->str('REMOTE_USER')),$id); + $rest = str_replace('%USER%',auth_nameencode($INPUT->server->str('REMOTE_USER')),$rest); } // substitute group wildcard (its 1:m) @@ -217,6 +219,8 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { global $lang; /* @var DokuWiki_Auth_Plugin $auth */ global $auth; + /* @var Input $INPUT */ + global $INPUT; $sticky ? $sticky = true : $sticky = false; //sanity check @@ -226,7 +230,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { //usual login if($auth->checkPass($user, $pass)) { // make logininfo globally available - $_SERVER['REMOTE_USER'] = $user; + $INPUT->server->set('REMOTE_USER', $user); $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session auth_setCookie($user, auth_encrypt($pass, $secret), $sticky); return true; @@ -253,7 +257,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) { ) { // he has session, cookie and browser right - let him in - $_SERVER['REMOTE_USER'] = $user; + $INPUT->server->set('REMOTE_USER', $user); $USERINFO = $session['info']; //FIXME move all references to session return true; } @@ -288,7 +292,10 @@ function auth_validateToken($token) { } // still here? trust the session data global $USERINFO; - $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user']; + /* @var Input $INPUT */ + global $INPUT; + + $INPUT->server->set('REMOTE_USER',$_SESSION[DOKU_COOKIE]['auth']['user']); $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info']; return true; } @@ -321,11 +328,14 @@ function auth_createToken() { * @return string a MD5 sum of various browser headers */ function auth_browseruid() { + /* @var Input $INPUT */ + global $INPUT; + $ip = clientIP(true); $uid = ''; - $uid .= $_SERVER['HTTP_USER_AGENT']; - $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; - $uid .= @$_SERVER['HTTP_ACCEPT_CHARSET']; + $uid .= $INPUT->server->str('HTTP_USER_AGENT'); + $uid .= $INPUT->server->str('HTTP_ACCEPT_ENCODING'); + $uid .= $INPUT->server->str('HTTP_ACCEPT_CHARSET'); $uid .= substr($ip, 0, strpos($ip, '.')); $uid = strtolower($uid); return md5($uid); @@ -511,6 +521,8 @@ function auth_logoff($keepbc = false) { global $USERINFO; /* @var DokuWiki_Auth_Plugin $auth */ global $auth; + /* @var Input $INPUT */ + global $INPUT; // make sure the session is writable (it usually is) @session_start(); @@ -523,8 +535,7 @@ function auth_logoff($keepbc = false) { unset($_SESSION[DOKU_COOKIE]['auth']['info']); if(!$keepbc && isset($_SESSION[DOKU_COOKIE]['bc'])) unset($_SESSION[DOKU_COOKIE]['bc']); - if(isset($_SERVER['REMOTE_USER'])) - unset($_SERVER['REMOTE_USER']); + $INPUT->server->remove('REMOTE_USER'); $USERINFO = null; //FIXME $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; @@ -553,13 +564,16 @@ function auth_ismanager($user = null, $groups = null, $adminonly = false) { global $USERINFO; /* @var DokuWiki_Auth_Plugin $auth */ global $auth; + /* @var Input $INPUT */ + global $INPUT; + if(!$auth) return false; if(is_null($user)) { - if(!isset($_SERVER['REMOTE_USER'])) { + if(!$INPUT->server->has('REMOTE_USER')) { return false; } else { - $user = $_SERVER['REMOTE_USER']; + $user = $INPUT->server->str('REMOTE_USER'); } } if(is_null($groups)) { @@ -651,9 +665,11 @@ function auth_isMember($memberlist, $user, array $groups) { function auth_quickaclcheck($id) { global $conf; global $USERINFO; + /* @var Input $INPUT */ + global $INPUT; # if no ACL is used always return upload rights if(!$conf['useacl']) return AUTH_UPLOAD; - return auth_aclcheck($id, $_SERVER['REMOTE_USER'], $USERINFO['grps']); + return auth_aclcheck($id, $INPUT->server->str('REMOTE_USER'), $USERINFO['grps']); } /** @@ -1058,18 +1074,18 @@ function updateprofile() { } if($conf['profileconfirm']) { - if(!$auth->checkPass($_SERVER['REMOTE_USER'], $INPUT->post->str('oldpass'))) { + if(!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) { msg($lang['badpassconfirm'], -1); return false; } } - if($result = $auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) { + if($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), $changes))) { // update cookie and session with the changed data if($changes['pass']) { list( /*user*/, $sticky, /*pass*/) = auth_getCookie(); $pass = auth_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true)); - auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky); + auth_setCookie($INPUT->server->str('REMOTE_USER'), $pass, (bool) $sticky); } return true; } @@ -1105,13 +1121,13 @@ function auth_deleteprofile(){ } if($conf['profileconfirm']) { - if(!$auth->checkPass($_SERVER['REMOTE_USER'], $INPUT->post->str('oldpass'))) { + if(!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) { msg($lang['badpassconfirm'], -1); return false; } } - $deleted[] = $_SERVER['REMOTE_USER']; + $deleted[] = $INPUT->server->str('REMOTE_USER'); if($auth->triggerUserMod('delete', array($deleted))) { // force and immediate logout including removing the sticky cookie auth_logoff(); -- cgit v1.2.3