From a4ce95c84dca904abb57d30efa2a9d5d68eeda1b Mon Sep 17 00:00:00 2001
From: Dominik Eckelmann
Date: Wed, 20 Feb 2013 10:44:25 +0100
Subject: fixed auth_browseruid on IE9 IE9 send different HTTP_ACCEPT_LANGUAGE header on ajax request. This causes different results from auth_browseruid. This patch removes the HTTP_ACCEPT_LANGUAGE from the browser id calculation.
--- inc/auth.php | 1 - 1 file changed, 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9566a2615..d82b8b5dd 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -311,7 +311,6 @@ function auth_browseruid() {
 $uid = '';
 $uid .= $_SERVER['HTTP_USER_AGENT'];
 $uid .= $_SERVER['HTTP_ACCEPT_ENCODING'];
- $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
 $uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
 $uid .= substr($ip, 0, strpos($ip, '.'));
 $uid = strtolower($uid);
-- cgit v1.2.3
From 6416b708d3d115a6d7529b6c388c796fcb651d55 Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Wed, 20 Feb 2013 19:43:29 +0100
Subject: Fix handling of failed authentication loading In the case of a failed authentication initialization, the authentication setup was simply continued with an unset $auth object. This restores the previous behavior (before merging #141) of simply returning after unsetting $auth. Furthermore this re-introduces the check if $auth is set before checking $auth and removes a useless check if $auth is true (could never be false).
--- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index d82b8b5dd..92a56e163 100644
--- a/inc/auth.php
+++ b/inc/auth.php
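Review bot: With Accept-Language gone, every remaining input to the id on the new side is chosen by the client (User-Agent, Accept-Encoding, Accept-Charset) plus only the first octet of $ip, so auth_browseruid() can catch accidental reuse of a cookie from a different browser but gives no protection against a copied cookie presented together with the same headers; that limit belongs in a comment above the function, e.g. `// client-chosen headers plus the first IP octet: a weak consistency check, not a proof of origin`. The `$_SERVER` reads are also unguarded, and a request that omits Accept-Charset (many clients do) raises an undefined-index notice; `$uid .= isset($_SERVER['HTTP_ACCEPT_CHARSET']) ? $_SERVER['HTTP_ACCEPT_CHARSET'] : '';` yields the same id without the notice, and the same shape fits the two reads above it. auth_browseruid() starts and ends outside the hunk, so where $ip is computed is not visible here.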
@@ -54,16 +54,17 @@ function auth_setup() {
 }
 }
- if(!$auth){
+ if(!isset($auth) || !$auth){
 msg($lang['authtempfail'], -1);
 return false;
 }
- if ($auth && $auth->success == false) {
+ if ($auth->success == false) {
 // degrade to unauthenticated user
 unset($auth);
 auth_logoff();
 msg($lang['authtempfail'], -1);
+ return false;
 }
 // do the login either by cookie or provided credentials XXX
-- cgit v1.2.3
From 00d58927261c5bed6f093ca4aa2064a18139a228 Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Wed, 20 Feb 2013 20:26:05 +0100
Subject: Fix remaining missing $INPUT uses FS#2577 This adds $INPUT in all places where it was still missing and available. $INPUT is now also used in places where using $_REQUEST/... was okay in order to make the code consistent.
--- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 92a56e163..68b6b438d 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -92,7 +92,7 @@ function auth_setup() {
 // apply cleaning
 if (true === $auth->success) {
- $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
+ $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
 }
 if($INPUT->str('authtok')) {
-- cgit v1.2.3
From e71b0ef705b86bb653fcae43e6845acbe6fd7fd2 Mon Sep 17 00:00:00 2001
From: Guy Brand
Date: Sun, 17 Mar 2013 19:22:37 +0100
Subject: backward compatibility for old authtype settings
--- inc/auth.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 68b6b438d..0713ca6af 100644
--- a/inc/auth.php
+++ b/inc/auth.php
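Review bot: `if ($auth->success == false)` is a loose comparison, so a backend that leaves `success` null or 0 also takes the degrade branch; if that is the intent, `if (!$auth->success)` says it directly, and if only a literal false should count, `=== false` is needed. The two failure paths now both return false, but only the second calls auth_logoff(); unless a missing backend makes auth_logoff() unusable (not visible here), the first branch should clear the session the same way, or carry a one-line comment explaining why it does not. auth_setup() continues past the end of the hunk.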
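Review bot: `$INPUT->set('u', $auth->cleanUser($INPUT->str('u')))` cleans the value held inside the Input wrapper; unless `set()` also writes through to `$_REQUEST` (the Input class is not on this page), any remaining direct `$_REQUEST['u']` read in the file still sees the raw user name, which is the inconsistency the commit sets out to remove, so this is worth confirming against the Input implementation. `$INPUT->str('u')` also returns '' when the parameter is absent, so cleanUser() now runs on an empty string for every request that lacks it; guarding the call with a presence check spares every backend from special-casing ''. This hunk is also inside auth_setup(), which continues outside it.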
@@ -48,10 +48,15 @@ function auth_setup() {
 // try to load auth backend from plugins
 foreach ($plugin_controller->getList('auth') as $plugin) {
- if ($conf['authtype'] === $plugin) {
- $auth = $plugin_controller->load('auth', $plugin);
- break;
- }
+ if ($conf['authtype'] === $plugin) {
+ $auth = $plugin_controller->load('auth', $plugin);
+ break;
+ } elseif ('auth' . $conf['authtype'] === $plugin) {
+ // matches old auth backends (pre-Weatherwax)
+ $auth = $plugin_controller->load('auth', $plugin);
+ msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
+ . ' in your config (see Authentication Backends)',-1);
+ }
 }
 if(!isset($auth) || !$auth){
-- cgit v1.2.3
From 0b2e0a720d550ed8e96ffcdc62cbbffe78d27c21 Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Mon, 1 Apr 2013 17:03:25 +0100
Subject: restrict 'authtype deprecated' alert to superusers only
--- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 0713ca6af..9f180fc94 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -55,7 +55,7 @@ function auth_setup() {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
 msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
- . ' in your config (see Authentication Backends)',-1);
+ . ' in your config (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- cgit v1.2.3
From 98e31f853f43d94c5bd1d3ab79388c44ce29ce0a Mon Sep 17 00:00:00 2001
From: Klap-in
Date: Wed, 15 May 2013 16:51:44 +0200
Subject: Fix wrong config key in deprecated auth message
--- inc/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9f180fc94..3f1f7925b 100644
--- a/inc/auth.php
+++ b/inc/auth.php
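Review bot: The new `elseif` branch loads the legacy backend but, unlike the exact-match branch above it, has no `break`, so the foreach keeps running and a later plugin whose name also equals `'auth' . $conf['authtype']` would silently replace `$auth`; adding `break;` after the msg() call gives both branches the same first-match semantics (the same shape is carried through the follow-up hunks on this page from commits 0b2e0a72, 98e31f85 and a91f1103). The deprecation message interpolates `$conf['authtype']`, which comes from local configuration rather than the request, so it is not untrusted input here; a short comment saying so saves the next reader the check. auth_setup() continues outside the hunk.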
@@ -54,8 +54,8 @@ function auth_setup() {
 } elseif ('auth' . $conf['authtype'] === $plugin) {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
- msg('Your authtype setting is deprecated. You must set $conf[\'authconfig\'] = ' . "auth" . $conf['authtype']
- . ' in your config (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
+ msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = ' . "auth" . $conf['authtype']
+ . ' in your configuration (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- cgit v1.2.3
From a91f1103e66d9f28375fc94de05ebbcde454950d Mon Sep 17 00:00:00 2001
From: Anika Henke
Date: Mon, 27 May 2013 16:39:54 +0100
Subject: fixed wrong use of quotes in authtype warning message
--- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 3f1f7925b..af9f35b38 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -54,7 +54,7 @@ function auth_setup() {
 } elseif ('auth' . $conf['authtype'] === $plugin) {
 // matches old auth backends (pre-Weatherwax)
 $auth = $plugin_controller->load('auth', $plugin);
- msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = ' . "auth" . $conf['authtype']
+ msg('Your authtype setting is deprecated. You must set $conf[\'authtype\'] = "auth' . $conf['authtype'] . '"'
 . ' in your configuration (see Authentication Backends)',-1,'','',MSG_ADMINS_ONLY);
 }
 }
-- cgit v1.2.3
From 8fcfc7abfd65ccd920753bee341c6bfdebcecd99 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 31 May 2013 09:29:08 +0200
Subject: use HMAC in password reset token FS#2794
--- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index af9f35b38..dac67bcb7 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
 }
 // generate auth token
- $token = md5(auth_cookiesalt().$user); //secret but user based
+ $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
 $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
 $url = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
-- cgit v1.2.3
From 183a7b8845875e4a6b67e466cfff9f5163da3f17 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 31 May 2013 14:43:31 +0200
Subject: make password reset token completely random No need for HMAC here because there's no length attack vector here. We only care for the existance of the file and each reset request is completely (random) independent from each other.
--- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index dac67bcb7..1f8489f03 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
 }
 // generate auth token
- $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
+ $token = md5(uniqid(mt_rand(), true)); // random secret
 $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
 $url = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
-- cgit v1.2.3
From 8a285f7fa7f09ae969e12cf4b7bda0f5123bb0fb Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sun, 9 Jun 2013 02:29:27 +0200
Subject: AUTH_PASSWORD_GENERATE event added This is needed to replace the password generator by a plugin implementation. Related to PR #166 and FS#2147
--- inc/auth.php | 45 +++++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 16 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 1f8489f03..82a6b46cd 100644
--- a/inc/auth.php
+++ b/inc/auth.php
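Review bot: `md5(uniqid(mt_rand(), true))` is still not a cryptographically secure source: uniqid() is derived from the clock and mt_rand() is a seeded Mersenne Twister, so the reset token, a bearer credential that the matching .pwauth file turns into a password change, carries considerably less unpredictability than its 32 hex digits suggest. The commit message's HMAC argument is about keyed hashing; the property that matters here is guessability, and a CSPRNG provides it: `$token = bin2hex(random_bytes(16)); // random secret` on PHP 7+, or `bin2hex(openssl_random_pseudo_bytes(16))` where PHP 5 must still be supported, keeping the token hex so `$token{0}` stays a safe directory name. The unchanged `$token{0}` on the next line uses the curly string-offset syntax that PHP 7.4 deprecates and 8.0 removes; `$token[0]` is the equivalent. act_resendpwd() continues outside the hunk.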
@@ -678,27 +678,40 @@ function auth_nameencode($name, $skip_group = false) {
 /**
 * Create a pronouncable password
 *
+ * The $foruser variable might be used by plugins to run additional password
+ * policy checks, but is not used by the default implementation
+ *
 * @author Andreas Gohr
 * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451
+ * @triggers AUTH_PASSWORD_GENERATE
 *
+ * @param string $foruser username for which the password is generated
 * @return string pronouncable password
 */
-function auth_pwgen() {
- $pw = '';
- $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
- $v = 'aeiou'; //vowels
- $a = $c.$v; //both
-
- //use two syllables...
- for($i = 0; $i < 2; $i++) {
- $pw .= $c[rand(0, strlen($c) - 1)];
- $pw .= $v[rand(0, strlen($v) - 1)];
- $pw .= $a[rand(0, strlen($a) - 1)];
+function auth_pwgen($foruser='') {
+ $data = array(
+ 'password' = '',
+ 'foruser' = $foruser
+ );
+
+ $evt = new Doku_Event('AUTH_PASSWORD_GENERATE', $data);
+ if($evt->advise_before(true)) {
+ $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
+ $v = 'aeiou'; //vowels
+ $a = $c.$v; //both
+
+ //use two syllables...
+ for($i = 0; $i < 2; $i++) {
+ $data['password'] .= $c[rand(0, strlen($c) - 1)];
+ $data['password'] .= $v[rand(0, strlen($v) - 1)];
+ $data['password'] .= $a[rand(0, strlen($a) - 1)];
+ }
+ //... and add a nice number
+ $data['password'] .= rand(10, 99);
 }
- //... and add a nice number
- $pw .= rand(10, 99);
+ $evt->advise_after();
- return $pw;
+ return $data['password'];
 }
 /**
@@ -765,7 +778,7 @@ function register() {
 }
 if($conf['autopasswd']) {
- $pass = auth_pwgen(); // automatically generate password
+ $pass = auth_pwgen($login); // automatically generate password
 } elseif(empty($pass) || empty($passchk)) {
 msg($lang['regmissing'], -1); // complain about missing passwords
 return false;
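Review bot: `$data['password']` is returned as-is after advise_after(), so a plugin that handles AUTH_PASSWORD_GENERATE, prevents the default in advise_before() and leaves the field empty yields '' with no error, and both callers changed in this commit, register() and act_resendpwd(), hand that value straight to the account; a guard such as `if($data['password'] === '') { /* treat as generation failure */ }` before the return, or at minimum a docblock sentence stating that a handler which prevents the default must supply a non-empty password, closes that gap. The default branch draws every character from rand(), which is not a cryptographically secure generator, for a value that is mailed to the user as a credential; on PHP 7+ `random_int()` takes the same bounds as each `rand(lo, hi)` here, and the same note applies to the mt_rand() calls in commit 987c8d26's hunk further down this page. The docblock's @return still promises a 'pronouncable password', which only holds when no plugin replaces it; `@return string the generated password, possibly supplied by an AUTH_PASSWORD_GENERATE handler` is accurate.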
@@ -958,7 +971,7 @@ function act_resendpwd() {
 } else {
 // autogenerate the password and send by mail
- $pass = auth_pwgen();
+ $pass = auth_pwgen($user);
 if(!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
 msg('error modifying user data', -1);
 return false;
-- cgit v1.2.3
From d628dcf33c131b3ede5c78b4550c2ba23124f432 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sun, 9 Jun 2013 02:51:19 +0200
Subject: fixed syntax fuckup
--- inc/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 82a6b46cd..db6245e20 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -690,8 +690,8 @@ function auth_nameencode($name, $skip_group = false) {
 */
 function auth_pwgen($foruser='') {
 $data = array(
- 'password' = '',
- 'foruser' = $foruser
+ 'password' => '',
+ 'foruser' => $foruser
 );
 $evt = new Doku_Event('AUTH_PASSWORD_GENERATE', $data);
-- cgit v1.2.3
From 987c8d26bbfec753f50b50e8f16e0f5579a93e11 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 14 Jun 2013 14:49:39 +0200
Subject: Increased strength of auto generated passwords a bit If you want better random initialization and more control over the password strength install the passpolicy plugin.
--- inc/auth.php | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index db6245e20..6107645cd 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -681,14 +681,14 @@ function auth_nameencode($name, $skip_group = false) {
 * The $foruser variable might be used by plugins to run additional password
 * policy checks, but is not used by the default implementation
 *
- * @author Andreas Gohr
- * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451
+ * @author Andreas Gohr
+ * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451
 * @triggers AUTH_PASSWORD_GENERATE
 *
 * @param string $foruser username for which the password is generated
 * @return string pronouncable password
 */
-function auth_pwgen($foruser='') {
+function auth_pwgen($foruser = '') {
 $data = array(
 'password' => '',
 'foruser' => $foruser
@@ -696,18 +696,19 @@ function auth_pwgen($foruser='') {
 $evt = new Doku_Event('AUTH_PASSWORD_GENERATE', $data);
 if($evt->advise_before(true)) {
- $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
- $v = 'aeiou'; //vowels
- $a = $c.$v; //both
-
- //use two syllables...
- for($i = 0; $i < 2; $i++) {
- $data['password'] .= $c[rand(0, strlen($c) - 1)];
- $data['password'] .= $v[rand(0, strlen($v) - 1)];
- $data['password'] .= $a[rand(0, strlen($a) - 1)];
+ $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
+ $v = 'aeiou'; //vowels
+ $a = $c.$v; //both
+ $s = '!$%&?+*~#-_:.;,'; // specials
+
+ //use thre syllables...
+ for($i = 0; $i < 3; $i++) {
+ $data['password'] .= $c[mt_rand(0, strlen($c) - 1)];
+ $data['password'] .= $v[mt_rand(0, strlen($v) - 1)];
+ $data['password'] .= $a[mt_rand(0, strlen($a) - 1)];
 }
- //... and add a nice number
- $data['password'] .= rand(10, 99);
+ //... and add a nice number and special
+ $data['password'] .= mt_rand(10, 99).$s[mt_rand(0, strlen($s) - 1)];
 }
 $evt->advise_after();
-- cgit v1.2.3
From ea2272c40a77ba38305773f8f3e3172bb71e9f49 Mon Sep 17 00:00:00 2001
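Review bot: `//use thre syllables...` has a typo; `//use three syllables...`. With 18 consonants, 5 vowels and 23 mixed letters per syllable, three syllables, a two-digit number and one of 15 specials, the space is 2070³·90·15 ≈ 1.2·10¹³, about 43 bits, so 'a bit' in the subject is accurate, and the docblock would be more useful stating that figure (and that the generator is not a CSPRNG, as the commit message itself concedes) so administrators can judge whether the passpolicy plugin is needed. auth_pwgen() continues outside the second hunk.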
From: Andreas Gohr
Date: Sun, 16 Jun 2013 21:57:42 +0200
Subject: removed tabs
--- inc/auth.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 6107645cd..47b29eff7 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -59,18 +59,18 @@ function auth_setup() {
 }
 }
- if(!isset($auth) || !$auth){
+ if(!isset($auth) || !$auth){
 msg($lang['authtempfail'], -1);
 return false;
 }
 if ($auth->success == false) {
- // degrade to unauthenticated user
- unset($auth);
- auth_logoff();
- msg($lang['authtempfail'], -1);
+ // degrade to unauthenticated user
+ unset($auth);
+ auth_logoff();
+ msg($lang['authtempfail'], -1);
 return false;
- }
+ }
 // do the login either by cookie or provided credentials XXX
 $INPUT->set('http_credentials', false);
-- cgit v1.2.3