From e3776c06c37cc197709dac60892604dfea894ac2 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Mon, 29 Nov 2010 01:34:36 +0100 Subject: Remove enc=utf-8 in VIM modeline as it is not allowed in VIM 7.3 As of VIM 7.3 it is no longer possible to specify the encoding in the modeline. This gives an error message whenever such a file is opened, thus this commit removes the enc setting from the modeline. --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index a2844a732..6bc4f8673 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -1117,4 +1117,4 @@ function auth_getCookie(){ return array($user,$sticky,$pass); } -//Setup VIM: ex: et ts=2 enc=utf-8 : +//Setup VIM: ex: et ts=2 : -- cgit v1.2.3 From fa7c70ff4d7f9999466436e7d559eb0c81571779 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Wed, 8 Dec 2010 17:17:40 +0100 Subject: tmp --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6bc4f8673..f2de4424e 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -194,10 +194,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){ }else{ // read cookie information list($user,$sticky,$pass) = auth_getCookie(); - // get session info - $session = $_SESSION[DOKU_COOKIE]['auth']; if($user && $pass){ // we got a cookie - see if we can trust it + + // get session info + $session = $_SESSION[DOKU_COOKIE]['auth']; if(isset($session) && $auth->useSessionCache($user) && ($session['time'] >= time()-$conf['auth_security_timeout']) && -- cgit v1.2.3 From d6dc956f8c13064c5e638d5ba817123f66261cfe Mon Sep 17 00:00:00 2001 
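Review bot: The moved `$session = $_SESSION[DOKU_COOKIE]['auth'];` still reads the index unconditionally, so a visitor who presents a cookie before any session data exists triggers an undefined-index notice immediately before the `isset($session)` test that is meant to cover that case. Guarding the read keeps the later check meaningful: `$session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;`. Since the commit message gives no rationale, a one-line comment such as `// only consult the session cache once the cookie actually carries credentials` would explain why the read now sits inside `if($user && $pass)`. auth_login starts and ends outside the hunk.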
From: Andreas Gohr Date: Wed, 8 Dec 2010 23:41:59 +0100 Subject: added auth_isMember() This function abstracts checking a given user and her groups against a given member list (as used in the superuser and manager options). It is also used in auth_isManager() and auth_isAdmin(), unlike the previous function, this one skips the nameencode step as it should be unnessary here (all input is given decoded). The test cases where extended by some non-ID user and group names. People with non-plain auth backends should check that their administrator and manager setups still work as expected --- inc/auth.php | 106 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 52 insertions(+), 54 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6bc4f8673..c455fac0c 100644 --- a/inc/auth.php +++ b/inc/auth.php 
@@ -371,63 +371,15 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $user = $_SERVER['REMOTE_USER']; } } - $user = trim($auth->cleanUser($user)); - if($user === '') return false; - if(is_null($groups)) $groups = (array) $USERINFO['grps']; - $groups = array_map(array($auth,'cleanGroup'),$groups); - $user = auth_nameencode($user); - - // check username against superuser and manager - $superusers = explode(',', $conf['superuser']); - $superusers = array_unique($superusers); - $superusers = array_map('trim', $superusers); - $superusers = array_filter($superusers); - // prepare an array containing only true values for array_map call - $alltrue = array_fill(0, count($superusers), true); - $superusers = array_map('auth_nameencode', $superusers, $alltrue); - - // case insensitive? - if(!$auth->isCaseSensitive()){ - $superusers = array_map('utf8_strtolower',$superusers); - $user = utf8_strtolower($user); + if(is_null($groups)){ + $groups = (array) $USERINFO['grps']; } - // check user match - if(in_array($user, $superusers)) return true; - + // check superuser match + if(auth_isMember($conf['superuser'],$user, $groups)) return true; + if($adminonly) return false; // check managers - if(!$adminonly){ - $managers = explode(',', $conf['manager']); - $managers = array_unique($managers); - $managers = array_map('trim', $managers); - $managers = array_filter($managers); - // prepare an array containing only true values for array_map call - $alltrue = array_fill(0, count($managers), true); - $managers = array_map('auth_nameencode', $managers, $alltrue); - if(!$auth->isCaseSensitive()) $managers = array_map('utf8_strtolower',$managers); - if(in_array($user, $managers)) return true; - } - - // check user's groups against superuser and manager - if (!empty($groups)) { - - //prepend groups with @ and nameencode - $cnt = count($groups); - for($i=0; $i<$cnt; $i++){ - $groups[$i] = '@'.auth_nameencode($groups[$i]); - if(!$auth->isCaseSensitive()){ - $groups[$i] = 
utf8_strtolower($groups[$i]); - } - } - - // check groups against superuser and manager - foreach($superusers as $supu) - if(in_array($supu, $groups)) return true; - if(!$adminonly){ - foreach($managers as $mana) - if(in_array($mana, $groups)) return true; - } - } + if(auth_isMember($conf['manager'],$user, $groups)) return true; return false; } @@ -446,6 +398,52 @@ function auth_isadmin($user=null,$groups=null){ return auth_ismanager($user,$groups,true); } + +/** + * Match a user and his groups against a comma separated list of + * users and groups to determine membership status + * + * Note: all input should NOT be nameencoded. + * + * @param $memberlist string commaseparated list of allowed users and groups + * @param $user string user to match against + * @param $groups array groups the user is member of + * @returns bool true for membership acknowledged + */ +function auth_isMember($memberlist,$user,array $groups){ + global $auth; + if (!$auth) return false; + + // clean user and groups + if($auth->isCaseSensitive()){ + $user = utf8_strtolower($user); + $groups = array_map('utf8_strtolower',$groups); + } + $user = $auth->cleanUser($user); + $groups = array_map(array($auth,'cleanGroup'),$groups); + + // extract the memberlist + $members = explode(',',$memberlist); + $members = array_map('trim',$members); + $members = array_unique($members); + $members = array_filter($members); + + // compare cleaned values + foreach($members as $member){ + if($auth->isCaseSensitive()) $member = utf8_strtolower($member); + if($member[0] == '@'){ + $member = $auth->cleanGroup(substr($member,1)); + if(in_array($member, $groups)) return true; + }else{ + $member = $auth->cleanUser($member); + if($member == $user) return true; + } + } + + // still here? not a member! + return false; +} + /** * Convinience function for auth_aclcheck() * -- cgit v1.2.3 From 3e304b55d99607a2d4586c7a4f0219736d995478 Mon Sep 17 00:00:00 2001 
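Review bot: The rewritten prologue of auth_ismanager drops the old `if($user === '') return false;` that followed `trim($auth->cleanUser($user))`, so an empty or unset `$user` (for instance `$_SERVER['REMOTE_USER']` when nobody is logged in) now flows into `auth_isMember()` and can still be matched through the group branch there. Whether that is acceptable depends on `$USERINFO['grps']` being empty for anonymous visitors, which this hunk does not show. Reinstating the guard before the superuser check, `if(trim((string)$user) === '') return false;`, keeps the previous behaviour explicit. auth_ismanager starts outside the hunk.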
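Review bot: The comparisons in the new auth_isMember loop are loose: `$member == $user` and `in_array($member, $groups)` let PHP compare numeric-looking names numerically, so a member entry `0123` matches a user `123` and `1e3` matches `1000`, which for an admin/manager decision should be `if($member === $user) return true;` and `if(in_array($member, $groups, true)) return true;`. The two `if($auth->isCaseSensitive())` branches also look inverted, lowercasing exactly when the backend is case-sensitive; a later commit on this page flips both conditions. The docblock says all input must not be nameencoded, but nothing enforces it, so a comment at the `explode(',',$memberlist)` line noting that `$conf['superuser']`/`$conf['manager']` are expected raw would help the next reader.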
From: Michael Hamann Date: Sat, 11 Dec 2010 00:08:51 +0100 Subject: preg_quote namespaces in auth_aclcheck Like ids namespaces are now preg_quoted in the acl check (and therefore the escaping of "*" has been removed). When plugins call the ACL check function with strange ids the regex fails otherwise (in the case of the include plugin errors like "Warning: preg_grep() [function.preg-grep]: Compilation failed: missing terminating ] for character class at offset 47" have been reported by two users). I've run the acl tests after this change and everything passes so this shouldn't break anything but please test this especially with protected wikis as this change modifies the code that handles namespace permissions. Furthermore permissions for a namespace foobar are no longer applied to namespaces with names like foo.ar, I hope nobody has used that "feature". When you are using per-user namespaces, user registration is open and either write or read protection for these namespaces is important to you this is a security fix for you: When someone wants to get access to the namespace of a user "foo.bar" he can register as "fooxbar" (where "x" is an arbitrary character) and will have access to the user namespace of the user "foo.bar" as when a page in "foo.bar" is checked it will match the rule for "fooxbar". --- inc/auth.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index c455fac0c..fd2a9c66d 100644 --- a/inc/auth.php +++ b/inc/auth.php 
@@ -534,13 +534,13 @@ function auth_aclcheck($id,$user,$groups){ //still here? do the namespace checks if($ns){ - $path = $ns.':\*'; + $path = $ns.':*'; }else{ - $path = '\*'; //root document + $path = '*'; //root document } do{ - $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($path,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); if(count($matches)){ foreach($matches as $match){ $match = preg_replace('/#.*$/','',$match); //ignore comments @@ -557,9 +557,9 @@ function auth_aclcheck($id,$user,$groups){ //get next higher namespace $ns = getNS($ns); - if($path != '\*'){ - $path = $ns.':\*'; - if($path == ':\*') $path = '\*'; + if($path != '*'){ + $path = $ns.':*'; + if($path == ':*') $path = '*'; }else{ //we did this already //looks like there is something wrong with the ACL -- cgit v1.2.3 From 4f56ecbf9229ff893b58cf34012a9646a06f91c0 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Tue, 21 Dec 2010 13:20:10 +0100 Subject: Fix handling of case in auth_isMember; add and fix test cases --- inc/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index fd2a9c66d..b3c20e6b9 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -415,7 +415,7 @@ function auth_isMember($memberlist,$user,array $groups){ if (!$auth) return false; // clean user and groups - if($auth->isCaseSensitive()){ + if(!$auth->isCaseSensitive()){ $user = utf8_strtolower($user); $groups = array_map('utf8_strtolower',$groups); } @@ -430,7 +430,7 @@ function auth_isMember($memberlist,$user,array $groups){ // compare cleaned values foreach($members as $member){ - if($auth->isCaseSensitive()) $member = utf8_strtolower($member); + if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member); if($member[0] == '@'){ $member = $auth->cleanGroup(substr($member,1)); if(in_array($member, $groups)) return true; -- cgit v1.2.3 
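Review bot: `preg_quote($path,'/')` fixes the namespace side of the pattern, but the other interpolated piece, `$regexp`, is still concatenated into the same `preg_grep` pattern on the changed line; unless it is built from `preg_quote`d user and group names (not visible in this hunk) the compilation failures and the overmatch described in the commit message remain reachable through that part. A comment at the construction site of `$regexp` stating that every alternative must be `preg_quote`d with `/` as the delimiter would pin the contract. The second hunk compares `$path` with `!=` and `==`; since these are plain literal strings now, `!==`/`===` avoid numeric-string coercion at no cost. auth_aclcheck starts and ends outside these hunks.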
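Review bot: Style only: `!$auth->isCaseSensitive()` is now evaluated once before the loop and again on every iteration of `foreach($members as $member)`, and the two sites had already diverged once, which is what this commit corrects. Hoisting it into a local, `$ci = !$auth->isCaseSensitive();`, and using `if($ci) $member = utf8_strtolower($member);` inside the loop keeps a single source of truth. auth_isMember starts outside the first hunk and ends outside the second.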
From f91977c212fd1c1645f521f6190e1ec32259f7a2 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 15 Jan 2011 12:24:14 +0100 Subject: Added support for Wordpress' password hashing FS#2134 --- inc/auth.php | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 83d1d4159..5cdcec830 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -937,6 +937,8 @@ function act_resendpwd(){ * mysql - MySQL password (old method) * my411 - MySQL 4.1.1 password * kmd5 - Salted MD5 hashing as used by UNB + * pmd5 - Salted multi iteration MD5 as used by Wordpress + * hmd5 - Same as pmd5 but PhpBB3 flavour * * @author Andreas Gohr * @return string The crypted password 
@@ -1016,6 +1018,45 @@ function auth_cryptPassword($clear,$method='',$salt=null){ $hash1 = strtolower(md5($key . md5($clear))); $hash2 = substr($hash1, 0, 16) . $key . substr($hash1, 16); return $hash2; + case 'hmd5': + $key = 'H'; + // hmd5 is exactly the same as pmd5, but uses an H as identifier + // PhpBB3 uses it that way, so we just fall through here + case 'pmd5': + if(!$key) $key = 'P'; + $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + $iterc = $salt[0]; // pos 0 of salt is iteration count + $iter = strpos($itoa64,$iterc); + $iter = 1 << $iter; + $salt = substr($salt,1,8); + + // iterate + $hash = md5($salt . $clear, true); + do { + $hash = md5($hash . $clear, true); + } while (--$iter); + + // encode + $output = ''; + $count = 16; + $i = 0; + do { + $value = ord($hash[$i++]); + $output .= $itoa64[$value & 0x3f]; + if ($i < $count) + $value |= ord($hash[$i]) << 8; + $output .= $itoa64[($value >> 6) & 0x3f]; + if ($i++ >= $count) + break; + if ($i < $count) + $value |= ord($hash[$i]) << 16; + $output .= $itoa64[($value >> 12) & 0x3f]; + if ($i++ >= $count) + break; + $output .= $itoa64[($value >> 18) & 0x3f]; + } while ($i < $count); + + return '$'.$key.'$'.$iterc.$salt.$output; default: msg("Unsupported crypt method $method",-1); } @@ -1043,6 +1084,12 @@ function auth_verifyPassword($clear,$crypt){ }elseif(preg_match('/^\$apr1\$([^\$]{0,8})\$/',$crypt,$m)){ $method = 'apr1'; $salt = $m[1]; + }elseif(preg_match('/^\$P\$(.{31})$/',$crypt,$m)){ + $method = 'pmd5'; + $salt = $m[1]; + }elseif(preg_match('/^\$H\$(.{31})$/',$crypt,$m)){ + $method = 'hmd5'; + $salt = $m[1]; }elseif(substr($crypt,0,6) == '{SSHA}'){ $method = 'ssha'; $salt = substr(base64_decode(substr($crypt, 6)),20); -- cgit v1.2.3 From b2665af72cdba76ca409b7e00e150746f2f83ced Mon Sep 17 00:00:00 2001 
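Review bot: The iteration count in the new `pmd5`/`hmd5` branch is unbounded: `$iter = strpos($itoa64,$iterc); $iter = 1 << $iter;` trusts whatever the first salt character decodes to, and when no salt is supplied the function's default (`md5(uniqid(rand(), true))`, visible as removed context in a later hunk on this page) is hex, so a leading `a`–`f` decodes to 2^38 or more md5 rounds and the request effectively never finishes, while a `strpos` miss silently becomes a single round. The reference phpass implementation only accepts log2 counts between 7 and 30, so the branch should validate the count and, when the salt is not in phpass form, derive one (WordPress uses 2^13 rounds, encoded as `B`) rather than trust the random hex. `$key` is also read before assignment on the direct `pmd5` path (`if(!$key) $key = 'P';`), which raises an undefined-variable notice; `isset()` avoids that. The rewrite is sketched below; auth_cryptPassword starts and ends outside the hunk.
```php
case 'hmd5':
    $key = 'H';
    // hmd5 is exactly the same as pmd5, but uses an H as identifier
    // PhpBB3 uses it that way, so we just fall through here
case 'pmd5':
    if(!isset($key)) $key = 'P';
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $iterc = $salt[0]; // pos 0 of salt is iteration count
    $iter = strpos($itoa64,$iterc);
    // phpass only accepts log2 counts 7..30; anything else is not a phpass
    // salt (typically the generic random hex salt from the caller), so build
    // one in the WordPress default form instead of trusting the count
    if($iter === false || $iter < 7 || $iter > 30){
        $iter  = 13;                       // 2^13 rounds, encoded as 'B'
        $iterc = $itoa64[$iter];
        $salt  = $iterc.substr($salt,0,8); // hex digits are valid salt chars
    }
    $iter = 1 << $iter;
    $salt = substr($salt,1,8);
    // … unchanged: iterate and encode …
```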
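Review bot: The new detection patterns `'/^\$P\$(.{31})$/'` and `'/^\$H\$(.{31})$/'` are looser than the format they recognise: a bare `$` still matches before a trailing newline, and `.` accepts any byte, so the captured salt is not guaranteed to come from the phpass alphabet that the hashing branch indexes with `strpos`. Restricting the class and adding the `D` modifier pins both, e.g. `'/^\$P\$([\.\/0-9A-Za-z]{31})$/D'`. auth_verifyPassword starts and ends outside the hunk.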
From: Michael Hamann Date: Mon, 27 Dec 2010 22:53:18 +0100 Subject: Handle renamed authorization variables Sometimes (when using rewriting with the workaround for CGI mode described at http://www.besthostratings.com/articles/http-auth-php-cgi.html) the HTTP_AUTHORIZATION variable is renamed, this change detects this renaming and uses the renamed variable. --- inc/auth.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 5cdcec830..38d1c925d 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -70,6 +70,12 @@ function auth_setup(){ $_REQUEST['http_credentials'] = false; if (!$conf['rememberme']) $_REQUEST['r'] = false; + // handle renamed HTTP_AUTHORIZATION variable (can happen when a fix like + // the one presented at + // http://www.besthostratings.com/articles/http-auth-php-cgi.html is used + // for enabling HTTP authentication with CGI/SuExec) + if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) + $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; // streamline HTTP auth credentials (IIS/rewrite -> mod_php) if(isset($_SERVER['HTTP_AUTHORIZATION'])){ list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) = -- cgit v1.2.3 From 3a0a2d05635920b64626448302afb12c22bb6cf6 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 22 Jan 2011 21:52:30 +0100 Subject: refactored passowrd hashing functions to a class this splits the long auth_cryptPassword() function into many member functions of a new class PassHash which should make it more maintainable and reusable for other projects. This also adds two new methods djangomd5 and djangosha1 as used by the popular python framework Django. Maybe the auth_cryptPassword() and auth_verifyPassword() functions should be deprecated in favor of using the class directly? --- inc/auth.php | 181 ++++------------------------------------------------------- 1 file changed, 10 insertions(+), 171 deletions(-) (limited to 'inc/auth.php') 
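Review bot: The added `if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) $_SERVER['HTTP_AUTHORIZATION'] = …;` overwrites an `HTTP_AUTHORIZATION` that is already present, so on a server exposing both the redirect copy silently wins; restricting it to the missing case, `if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION']))`, makes the workaround a pure fallback. Both variables carry the client's Authorization header, so no new trust is granted, and the comment could say so explicitly, e.g. `// same client-supplied header, only renamed by the rewrite/CGI layer`. Braces around the single-statement `if` would also match the `if(isset($_SERVER['HTTP_AUTHORIZATION'])){` that follows. auth_setup starts and ends outside the hunk.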
diff --git a/inc/auth.php b/inc/auth.php index 38d1c925d..7449fd635 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -932,20 +932,6 @@ function act_resendpwd(){ * If the selected method needs a salt and none was given, a random one * is chosen. * - * The following methods are understood: - * - * smd5 - Salted MD5 hashing - * apr1 - Apache salted MD5 hashing - * md5 - Simple MD5 hashing - * sha1 - SHA1 hashing - * ssha - Salted SHA1 hashing - * crypt - Unix crypt - * mysql - MySQL password (old method) - * my411 - MySQL 4.1.1 password - * kmd5 - Salted MD5 hashing as used by UNB - * pmd5 - Salted multi iteration MD5 as used by Wordpress - * hmd5 - Same as pmd5 but PhpBB3 flavour - * * @author Andreas Gohr * @return string The crypted password */ 
@@ -953,173 +939,26 @@ function auth_cryptPassword($clear,$method='',$salt=null){ global $conf; if(empty($method)) $method = $conf['passcrypt']; - //prepare a salt - if(is_null($salt)) $salt = md5(uniqid(rand(), true)); - - switch(strtolower($method)){ - case 'smd5': - if(defined('CRYPT_MD5') && CRYPT_MD5) return crypt($clear,'$1$'.substr($salt,0,8).'$'); - // when crypt can't handle SMD5, falls through to pure PHP implementation - $magic = '1'; - case 'apr1': - //from http://de.php.net/manual/en/function.crypt.php#73619 comment by - if(!isset($magic)) $magic = 'apr1'; - $salt = substr($salt,0,8); - $len = strlen($clear); - $text = $clear.'$'.$magic.'$'.$salt; - $bin = pack("H32", md5($clear.$salt.$clear)); - for($i = $len; $i > 0; $i -= 16) { - $text .= substr($bin, 0, min(16, $i)); - } - for($i = $len; $i > 0; $i >>= 1) { - $text .= ($i & 1) ? chr(0) : $clear{0}; - } - $bin = pack("H32", md5($text)); - for($i = 0; $i < 1000; $i++) { - $new = ($i & 1) ? $clear : $bin; - if ($i % 3) $new .= $salt; - if ($i % 7) $new .= $clear; - $new .= ($i & 1) ? 
$bin : $clear; - $bin = pack("H32", md5($new)); - } - $tmp = ''; - for ($i = 0; $i < 5; $i++) { - $k = $i + 6; - $j = $i + 12; - if ($j == 16) $j = 5; - $tmp = $bin[$i].$bin[$k].$bin[$j].$tmp; - } - $tmp = chr(0).chr(0).$bin[11].$tmp; - $tmp = strtr(strrev(substr(base64_encode($tmp), 2)), - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", - "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"); - return '$'.$magic.'$'.$salt.'$'.$tmp; - case 'md5': - return md5($clear); - case 'sha1': - return sha1($clear); - case 'ssha': - $salt=substr($salt,0,4); - return '{SSHA}'.base64_encode(pack("H*", sha1($clear.$salt)).$salt); - case 'crypt': - return crypt($clear,substr($salt,0,2)); - case 'mysql': - //from http://www.php.net/mysql comment by - $nr=0x50305735; - $nr2=0x12345671; - $add=7; - $charArr = preg_split("//", $clear); - foreach ($charArr as $char) { - if (($char == '') || ($char == ' ') || ($char == '\t')) continue; - $charVal = ord($char); - $nr ^= ((($nr & 63) + $add) * $charVal) + ($nr << 8); - $nr2 += ($nr2 << 8) ^ $nr; - $add += $charVal; - } - return sprintf("%08x%08x", ($nr & 0x7fffffff), ($nr2 & 0x7fffffff)); - case 'my411': - return '*'.sha1(pack("H*", sha1($clear))); - case 'kmd5': - $key = substr($salt, 16, 2); - $hash1 = strtolower(md5($key . md5($clear))); - $hash2 = substr($hash1, 0, 16) . $key . substr($hash1, 16); - return $hash2; - case 'hmd5': - $key = 'H'; - // hmd5 is exactly the same as pmd5, but uses an H as identifier - // PhpBB3 uses it that way, so we just fall through here - case 'pmd5': - if(!$key) $key = 'P'; - $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - $iterc = $salt[0]; // pos 0 of salt is iteration count - $iter = strpos($itoa64,$iterc); - $iter = 1 << $iter; - $salt = substr($salt,1,8); - - // iterate - $hash = md5($salt . $clear, true); - do { - $hash = md5($hash . 
$clear, true); - } while (--$iter); - - // encode - $output = ''; - $count = 16; - $i = 0; - do { - $value = ord($hash[$i++]); - $output .= $itoa64[$value & 0x3f]; - if ($i < $count) - $value |= ord($hash[$i]) << 8; - $output .= $itoa64[($value >> 6) & 0x3f]; - if ($i++ >= $count) - break; - if ($i < $count) - $value |= ord($hash[$i]) << 16; - $output .= $itoa64[($value >> 12) & 0x3f]; - if ($i++ >= $count) - break; - $output .= $itoa64[($value >> 18) & 0x3f]; - } while ($i < $count); - - return '$'.$key.'$'.$iterc.$salt.$output; - default: - msg("Unsupported crypt method $method",-1); + $pass = new PassHash(); + $call = 'hash_'.$method; + + if(!method_exists($pass,$call)){ + msg("Unsupported crypt method $method",-1); + return false; } + + return $pass->$call($clear,$salt); } /** * Verifies a cleartext password against a crypted hash * - * The method and salt used for the crypted hash is determined automatically - * then the clear text password is crypted using the same method. If both hashs - * match true is is returned else false - * * @author Andreas Gohr * @return bool */ function auth_verifyPassword($clear,$crypt){ - $method=''; - $salt=''; - - //determine the used method and salt - $len = strlen($crypt); - if(preg_match('/^\$1\$([^\$]{0,8})\$/',$crypt,$m)){ - $method = 'smd5'; - $salt = $m[1]; - }elseif(preg_match('/^\$apr1\$([^\$]{0,8})\$/',$crypt,$m)){ - $method = 'apr1'; - $salt = $m[1]; - }elseif(preg_match('/^\$P\$(.{31})$/',$crypt,$m)){ - $method = 'pmd5'; - $salt = $m[1]; - }elseif(preg_match('/^\$H\$(.{31})$/',$crypt,$m)){ - $method = 'hmd5'; - $salt = $m[1]; - }elseif(substr($crypt,0,6) == '{SSHA}'){ - $method = 'ssha'; - $salt = substr(base64_decode(substr($crypt, 6)),20); - }elseif($len == 32){ - $method = 'md5'; - }elseif($len == 40){ - $method = 'sha1'; - }elseif($len == 16){ - $method = 'mysql'; - }elseif($len == 41 && $crypt[0] == '*'){ - $method = 'my411'; - }elseif($len == 34){ - $method = 'kmd5'; - $salt = $crypt; - }else{ - $method = 
'crypt'; - $salt = substr($crypt,0,2); - } - - //crypt and compare - if(auth_cryptPassword($clear,$method,$salt) === $crypt){ - return true; - } - return false; + $pass = new PassHash(); + return $pass->verify_hash($clear,$crypt); } /** -- cgit v1.2.3 From 3a48618a538412994ec244d5a9fde5c4a6161d10 Mon Sep 17 00:00:00 2001 From: Anika Henke Date: Tue, 22 Feb 2011 23:04:53 +0000 Subject: improved actionOK and its use --- inc/auth.php | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 7449fd635..164ad3df9 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -686,9 +686,8 @@ function register(){ global $conf; global $auth; - if (!$auth) return false; if(!$_POST['save']) return false; - if(!$auth->canDo('addUser')) return false; + if(!actionOK('register')) return false; //clean username $_POST['login'] = trim($auth->cleanUser($_POST['login'])); @@ -764,12 +763,10 @@ function updateprofile() { global $lang; global $auth; - if (!$auth) return false; if(empty($_POST['save'])) return false; if(!checkSecurityToken()) return false; - // should not be able to get here without Profile being possible... - if(!$auth->canDo('Profile')) { + if(!actionOK('profile')) { msg($lang['profna'],-1); return false; } @@ -840,11 +837,7 @@ function act_resendpwd(){ global $conf; global $auth; - if(!actionOK('resendpwd')) return false; - if (!$auth) return false; - - // should not be able to get here without modPass being possible... - if(!$auth->canDo('modPass')) { + if(!actionOK('resendpwd')) { msg($lang['resendna'],-1); return false; } -- cgit v1.2.3 From 234ce57eac492a1f07414d42c0c406666f3fa887 Mon Sep 17 00:00:00 2001 
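Review bot: auth_cryptPassword now returns `false` for an unknown method, but the docblock kept in the previous hunk of this commit still promises `@return string`; it should read `@return string|false` and, since the list of methods was removed there, point readers at the class with `@see PassHash`. The old code also generated a random salt when `$salt` was null before dispatching, whereas the new `return $pass->$call($clear,$salt);` forwards `null`; that is only safe if every `PassHash::hash_*` handles a missing salt, which cannot be confirmed from here and deserves a comment. Dispatching on `'hash_'.$method` via `method_exists` makes every public `hash_*` method a selectable `passcrypt` value, so the naming contract should be documented on the class. auth_cryptPassword's signature line sits just outside the hunk.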
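Review bot: In `register()` the removed `if (!$auth) return false;` was the only null guard before `$_POST['login'] = trim($auth->cleanUser($_POST['login']));`, which the hunk keeps immediately after the new `actionOK('register')` test; unless `actionOK()` is known to return false whenever `$auth` is unset (not visible here), this becomes a method call on null when the auth backend failed to load. The same guard is dropped in `updateprofile()` and `act_resendpwd()` in the following hunks. Keeping `if (!$auth) return false;` next to the `actionOK()` check is a one-line way to stay safe; each of these functions continues outside its hunk.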
From: Andreas Gohr Date: Sat, 19 Mar 2011 15:32:14 +0100 Subject: store session pass as hash This avoids having the blowfish encrypted pass stored together with the decryption key on the same server. --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 164ad3df9..85c8cfd7b 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -209,8 +209,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){ $auth->useSessionCache($user) && ($session['time'] >= time()-$conf['auth_security_timeout']) && ($session['user'] == $user) && - ($session['pass'] == $pass) && //still crypted + ($session['pass'] == sha1($pass)) && //still crypted ($session['buid'] == auth_browseruid()) ){ + // he has session, cookie and browser right - let him in $_SERVER['REMOTE_USER'] = $user; $USERINFO = $session['info']; //FIXME move all references to session @@ -979,7 +980,7 @@ function auth_setCookie($user,$pass,$sticky) { } // set session $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; - $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass; + $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass); $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid(); $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; $_SESSION[DOKU_COOKIE]['auth']['time'] = time(); -- cgit v1.2.3 From e940aea40842bfcf6db8c09bba3135cb9cb5eef9 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 19 Mar 2011 19:21:52 +0100 Subject: bind non-sticky logins to the session id FS#2202 --- inc/auth.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 85c8cfd7b..53376be34 100644 --- a/inc/auth.php +++ b/inc/auth.php 
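Review bot: The session check on the changed line stays a loose comparison: `($session['pass'] == sha1($pass))` compares two hex digests with `==`, and PHP treats strings of the form `0e` followed only by digits as numeric zero, so two different digests of that shape compare equal; `$pass` here is the value read back from the cookie, as the cookie-reading branch earlier on this page shows. Use `($session['pass'] === sha1($pass)) && //still crypted`, and the neighbouring `($session['user'] == $user)` and `($session['buid'] == auth_browseruid())` deserve the same strictness. In the second hunk a comment such as `// only a digest is kept in the session so the encrypted pass and its key never sit together` would record the rationale from the commit message. auth_login starts and ends outside the hunk.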
@@ -189,7 +189,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 if ($auth->checkPass($user,$pass)){
 // make logininfo globally available
 $_SERVER['REMOTE_USER'] = $user;
- auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky);
+ $secret = auth_cookiesalt();
+ if(!$sticky) $secret .= session_id; //bind non-sticky to session
+ auth_setCookie($user,PMA_blowfish_encrypt($pass,$secret),$sticky);
 return true;
 }else{
 //invalid credentials - log off
@@ -218,7 +220,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
 return true;
 }
 // no we don't trust it yet - recheck pass but silent
- $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt());
+ $secret = auth_cookiesalt();
+ if(!$sticky) $secret .= session_id(); //bind non-sticky to session
+ $pass = PMA_blowfish_decrypt($pass,$secret);
 return auth_login($user,$pass,$sticky,true);
 }
 }
-- cgit v1.2.3
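Review bot: The first hunk's `if(!$sticky) $secret .= session_id;` is missing the call parentheses, so `session_id` is an undefined constant that PHP resolves to the literal string `'session_id'` (with a notice, and an error on newer versions), while the decrypt side in the second hunk appends the real `session_id()`; the two secrets can never match, so non-sticky cookie logins will fail to re-authenticate. Change it to `if(!$sticky) $secret .= session_id(); //bind non-sticky to session`. A short comment on the decrypt path noting that the session must already be started for `session_id()` to be stable (done elsewhere, not visible here) would help. auth_login starts and ends outside both hunks.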