From e71b0ef705b86bb653fcae43e6845acbe6fd7fd2 Mon Sep 17 00:00:00 2001
From: Guy Brand
Date: Sun, 17 Mar 2013 19:22:37 +0100
Subject: backward compatibility for old authtype settings
---
 inc/auth.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 68b6b438d..0713ca6af 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -48,10 +48,15 @@ function auth_setup() {
 // try to load auth backend from plugins
 foreach ($plugin_controller->getList('auth') as $plugin) {
- if ($conf['authtype'] === $plugin) {
- $auth = $plugin_controller->load('auth', $plugin);
- break;
- }
+ if ($conf['authtype'] === $plugin) {
+ $auth = $plugin_controller->load('auth', $plugin);
+ break;
+ } elseif ('auth' . $conf['authtype'] === $plugin) {
+ // matches old auth backends (pre-Weatherwax)
+ $auth = $plugin_controller->load('auth', $plugin);
+ msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
+ . ' in your config (see Authentication Backends)',-1);
+ }
 }
 if(!isset($auth) || !$auth){
-- 
cgit v1.2.3
From 0b2e0a720d550ed8e96ffcdc62cbbffe78d27c21 Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Mon, 1 Apr 2013 17:03:25 +0100
Subject: restrict 'authtype deprecated' alert to superusers only
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 0713ca6af..9f180fc94 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -55,7 +55,7 @@ function auth_setup() {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
 msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
- . ' in your config (see Authentication Backends)',-1);
+ . ' in your config (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- 
cgit v1.2.3
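Review bot: The new `elseif ('auth' . $conf['authtype'] === $plugin)` branch loads the backend and emits the deprecation message but never leaves the loop, whereas the exact-match branch directly above it ends in `break;`. The loop therefore keeps iterating after a backend has already been chosen, and in principle a later entry of `getList('auth')` that satisfies either condition would overwrite `$auth` silently. Add `break;` immediately after the `msg(...)` call so both branches stop at the first match. The body of `auth_setup()` begins and ends outside the hunk.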
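Review bot: The changed `msg(...)` call now passes two bare `''` placeholders in positions three and four just to reach `MSG_ADMINS_ONLY`, and nothing on the line says what those two parameters are or why they are empty; in PHP of this vintage named arguments are not available, so a trailing comment is the only way to make this readable. Suggested form: `. ' in your config (see Authentication Backends)', -1, '', '', MSG_ADMINS_ONLY); // 3rd/4th msg() args intentionally empty`. Restricting the backend-name message to admins is the right call, since the text reveals which authentication backend is configured.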
From 98e31f853f43d94c5bd1d3ab79388c44ce29ce0a Mon Sep 17 00:00:00 2001
From: Klap-in
Date: Wed, 15 May 2013 16:51:44 +0200
Subject: Fix wrong config key in deprecated auth message
---
 inc/auth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9f180fc94..3f1f7925b 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -54,8 +54,8 @@ function auth_setup() {
 } elseif ('auth' . $conf['authtype'] === $plugin) {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
- msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
- . ' in your config (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
+ msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = ' . "auth" . $conf['authtype']
+ . ' in your configuration (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- 
cgit v1.2.3
From a91f1103e66d9f28375fc94de05ebbcde454950d Mon Sep 17 00:00:00 2001
From: Anika Henke
Date: Mon, 27 May 2013 16:39:54 +0100
Subject: fixed wrong use of quotes in authtype warning message
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 3f1f7925b..af9f35b38 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -54,7 +54,7 @@ function auth_setup() {
 } elseif ('auth' . $conf['authtype'] === $plugin) {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
- msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = ' . "auth" . $conf['authtype']
+ msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = "auth' . $conf['authtype'] . '"'
 . ' in your configuration (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- 
cgit v1.2.3
From 8fcfc7abfd65ccd920753bee341c6bfdebcecd99 Mon Sep 17 00:00:00 2001
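Review bot: In the second hunk (a91f110) the added line ends with `. '"'` and the unchanged line right after it immediately concatenates another literal, `. ' in your configuration ...'`, so two adjacent string constants are glued together at runtime for no reason; the message is now correct, but the expression is harder to read than it needs to be. Merge the tail into one literal so the only runtime pieces are the two fixed strings and the config value, e.g. `msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = "auth' . $conf['authtype'] . '" in your configuration (see Authentication Backends)', -1, '', '', MSG_ADMINS_ONLY);`. The same mixed `' ... ' . "auth" . ...` style in the first hunk (98e31f8) is already superseded by this one. The enclosing `auth_setup()` loop begins and ends outside both hunks.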
From: Andreas Gohr
Date: Fri, 31 May 2013 09:29:08 +0200
Subject: use HMAC in password reset token FS#2794
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index af9f35b38..dac67bcb7 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
 }
 // generate auth token
- $token = md5(auth_cookiesalt().$user); //secret but user based
+ $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
 $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
 $url = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
-- 
cgit v1.2.3
From 183a7b8845875e4a6b67e466cfff9f5163da3f17 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 31 May 2013 14:43:31 +0200
Subject: make password reset token completely random
No need for HMAC here because there's no length attack vector here. We only care for the existance of the file and each reset request is completely (random) independent from each other.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index dac67bcb7..1f8489f03 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
 }
 // generate auth token
- $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
+ $token = md5(uniqid(mt_rand(), true)); // random secret
 $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
 $url = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
-- 
cgit v1.2.3
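Review bot: In the second hunk (183a7b8) `md5(uniqid(mt_rand(), true))` is not a cryptographically secure source, yet the resulting `$token` is the only secret that authorises the reset, being written into the `$tfile` name and the `pwauth` URL parameter on the next two lines; `mt_rand()` is a Mersenne Twister with a small seed and `uniqid()` is derived from the current time, so the commit message's point about length attacks does not address predictability. Generate the token from a CSPRNG instead: on PHP 7 and later `$token = bin2hex(random_bytes(16)); // CSPRNG-backed; keeps the 32-hex-char shape $tfile expects`, and on the PHP 5 releases this code presumably still supports, `openssl_random_pseudo_bytes(16)` with its `$crypto_strong` flag checked would be the equivalent. The `// random secret` comment should also state where the randomness comes from, since that is the property a reviewer must verify here. `act_resendpwd()` begins and ends outside the hunk.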