From e3776c06c37cc197709dac60892604dfea894ac2 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Mon, 29 Nov 2010 01:34:36 +0100 Subject: Remove enc=utf-8 in VIM modeline as it is not allowed in VIM 7.3 As of VIM 7.3 it is no longer possible to specify the encoding in the modeline. This gives an error message whenever such a file is opened, thus this commit removes the enc setting from the modeline. --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index a2844a732..6bc4f8673 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -1117,4 +1117,4 @@ function auth_getCookie(){ return array($user,$sticky,$pass); } -//Setup VIM: ex: et ts=2 enc=utf-8 : +//Setup VIM: ex: et ts=2 : -- cgit v1.2.3 From fa7c70ff4d7f9999466436e7d559eb0c81571779 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Wed, 8 Dec 2010 17:17:40 +0100 Subject: tmp --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6bc4f8673..f2de4424e 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -194,10 +194,11 @@ function auth_login($user,$pass,$sticky=false,$silent=false){ }else{ // read cookie information list($user,$sticky,$pass) = auth_getCookie(); - // get session info - $session = $_SESSION[DOKU_COOKIE]['auth']; if($user && $pass){ // we got a cookie - see if we can trust it + + // get session info + $session = $_SESSION[DOKU_COOKIE]['auth']; if(isset($session) && $auth->useSessionCache($user) && ($session['time'] >= time()-$conf['auth_security_timeout']) && -- cgit v1.2.3 From d6dc956f8c13064c5e638d5ba817123f66261cfe Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Wed, 8 Dec 2010 23:41:59 +0100 Subject: added auth_isMember() This function abstracts checking a given user and her groups against a given member list (as used in the superuser and manager options). It is also used in auth_isManager() and auth_isAdmin(), unlike the previous function, this one skips the nameencode step as it should be unnessary here (all input is given decoded). The test cases where extended by some non-ID user and group names. People with non-plain auth backends should check that their administrator and manager setups still work as expected --- inc/auth.php | 106 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 52 insertions(+), 54 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6bc4f8673..c455fac0c 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -371,63 +371,15 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $user = $_SERVER['REMOTE_USER']; } } - $user = trim($auth->cleanUser($user)); - if($user === '') return false; - if(is_null($groups)) $groups = (array) $USERINFO['grps']; - $groups = array_map(array($auth,'cleanGroup'),$groups); - $user = auth_nameencode($user); - - // check username against superuser and manager - $superusers = explode(',', $conf['superuser']); - $superusers = array_unique($superusers); - $superusers = array_map('trim', $superusers); - $superusers = array_filter($superusers); - // prepare an array containing only true values for array_map call - $alltrue = array_fill(0, count($superusers), true); - $superusers = array_map('auth_nameencode', $superusers, $alltrue); - - // case insensitive? - if(!$auth->isCaseSensitive()){ - $superusers = array_map('utf8_strtolower',$superusers); - $user = utf8_strtolower($user); + if(is_null($groups)){ + $groups = (array) $USERINFO['grps']; } - // check user match - if(in_array($user, $superusers)) return true; - + // check superuser match + if(auth_isMember($conf['superuser'],$user, $groups)) return true; + if($adminonly) return false; // check managers - if(!$adminonly){ - $managers = explode(',', $conf['manager']); - $managers = array_unique($managers); - $managers = array_map('trim', $managers); - $managers = array_filter($managers); - // prepare an array containing only true values for array_map call - $alltrue = array_fill(0, count($managers), true); - $managers = array_map('auth_nameencode', $managers, $alltrue); - if(!$auth->isCaseSensitive()) $managers = array_map('utf8_strtolower',$managers); - if(in_array($user, $managers)) return true; - } - - // check user's groups against superuser and manager - if (!empty($groups)) { - - //prepend groups with @ and nameencode - $cnt = count($groups); - for($i=0; $i<$cnt; $i++){ - $groups[$i] = '@'.auth_nameencode($groups[$i]); - if(!$auth->isCaseSensitive()){ - $groups[$i] = utf8_strtolower($groups[$i]); - } - } - - // check groups against superuser and manager - foreach($superusers as $supu) - if(in_array($supu, $groups)) return true; - if(!$adminonly){ - foreach($managers as $mana) - if(in_array($mana, $groups)) return true; - } - } + if(auth_isMember($conf['manager'],$user, $groups)) return true; return false; } @@ -446,6 +398,52 @@ function auth_isadmin($user=null,$groups=null){ return auth_ismanager($user,$groups,true); } + +/** + * Match a user and his groups against a comma separated list of + * users and groups to determine membership status + * + * Note: all input should NOT be nameencoded. + * + * @param $memberlist string commaseparated list of allowed users and groups + * @param $user string user to match against + * @param $groups array groups the user is member of + * @returns bool true for membership acknowledged + */ +function auth_isMember($memberlist,$user,array $groups){ + global $auth; + if (!$auth) return false; + + // clean user and groups + if($auth->isCaseSensitive()){ + $user = utf8_strtolower($user); + $groups = array_map('utf8_strtolower',$groups); + } + $user = $auth->cleanUser($user); + $groups = array_map(array($auth,'cleanGroup'),$groups); + + // extract the memberlist + $members = explode(',',$memberlist); + $members = array_map('trim',$members); + $members = array_unique($members); + $members = array_filter($members); + + // compare cleaned values + foreach($members as $member){ + if($auth->isCaseSensitive()) $member = utf8_strtolower($member); + if($member[0] == '@'){ + $member = $auth->cleanGroup(substr($member,1)); + if(in_array($member, $groups)) return true; + }else{ + $member = $auth->cleanUser($member); + if($member == $user) return true; + } + } + + // still here? not a member! + return false; +} + /** * Convinience function for auth_aclcheck() * -- cgit v1.2.3 From 3e304b55d99607a2d4586c7a4f0219736d995478 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Sat, 11 Dec 2010 00:08:51 +0100 Subject: preg_quote namespaces in auth_aclcheck Like ids namespaces are now preg_quoted in the acl check (and therefore the escaping of "*" has been removed). When plugins call the ACL check function with strange ids the regex fails otherwise (in the case of the include plugin errors like "Warning: preg_grep() [function.preg-grep]: Compilation failed: missing terminating ] for character class at offset 47" have been reported by two users). I've run the acl tests after this change and everything passes so this shouldn't break anything but please test this especially with protected wikis as this change modifies the code that handles namespace permissions. Furthermore permissions for a namespace foobar are no longer applied to namespaces with names like foo.ar, I hope nobody has used that "feature". When you are using per-user namespaces, user registration is open and either write or read protection for these namespaces is important to you this is a security fix for you: When someone wants to get access to the namespace of a user "foo.bar" he can register as "fooxbar" (where "x" is an arbitrary character) and will have access to the user namespace of the user "foo.bar" as when a page in "foo.bar" is checked it will match the rule for "fooxbar". --- inc/auth.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index c455fac0c..fd2a9c66d 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -534,13 +534,13 @@ function auth_aclcheck($id,$user,$groups){ //still here? do the namespace checks if($ns){ - $path = $ns.':\*'; + $path = $ns.':*'; }else{ - $path = '\*'; //root document + $path = '*'; //root document } do{ - $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); + $matches = preg_grep('/^'.preg_quote($path,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL); if(count($matches)){ foreach($matches as $match){ $match = preg_replace('/#.*$/','',$match); //ignore comments @@ -557,9 +557,9 @@ function auth_aclcheck($id,$user,$groups){ //get next higher namespace $ns = getNS($ns); - if($path != '\*'){ - $path = $ns.':\*'; - if($path == ':\*') $path = '\*'; + if($path != '*'){ + $path = $ns.':*'; + if($path == ':*') $path = '*'; }else{ //we did this already //looks like there is something wrong with the ACL -- cgit v1.2.3 From 4f56ecbf9229ff893b58cf34012a9646a06f91c0 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Tue, 21 Dec 2010 13:20:10 +0100 Subject: Fix handling of case in auth_isMember; add and fix test cases --- inc/auth.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index fd2a9c66d..b3c20e6b9 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -415,7 +415,7 @@ function auth_isMember($memberlist,$user,array $groups){ if (!$auth) return false; // clean user and groups - if($auth->isCaseSensitive()){ + if(!$auth->isCaseSensitive()){ $user = utf8_strtolower($user); $groups = array_map('utf8_strtolower',$groups); } @@ -430,7 +430,7 @@ function auth_isMember($memberlist,$user,array $groups){ // compare cleaned values foreach($members as $member){ - if($auth->isCaseSensitive()) $member = utf8_strtolower($member); + if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member); if($member[0] == '@'){ $member = $auth->cleanGroup(substr($member,1)); if(in_array($member, $groups)) return true; -- cgit v1.2.3 From f91977c212fd1c1645f521f6190e1ec32259f7a2 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 15 Jan 2011 12:24:14 +0100 Subject: Added support for Wordpress' password hashing FS#2134 --- inc/auth.php | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 83d1d4159..5cdcec830 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -937,6 +937,8 @@ function act_resendpwd(){ * mysql - MySQL password (old method) * my411 - MySQL 4.1.1 password * kmd5 - Salted MD5 hashing as used by UNB + * pmd5 - Salted multi iteration MD5 as used by Wordpress + * hmd5 - Same as pmd5 but PhpBB3 flavour * * @author Andreas Gohr * @return string The crypted password @@ -1016,6 +1018,45 @@ function auth_cryptPassword($clear,$method='',$salt=null){ $hash1 = strtolower(md5($key . md5($clear))); $hash2 = substr($hash1, 0, 16) . $key . substr($hash1, 16); return $hash2; + case 'hmd5': + $key = 'H'; + // hmd5 is exactly the same as pmd5, but uses an H as identifier + // PhpBB3 uses it that way, so we just fall through here + case 'pmd5': + if(!$key) $key = 'P'; + $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + $iterc = $salt[0]; // pos 0 of salt is iteration count + $iter = strpos($itoa64,$iterc); + $iter = 1 << $iter; + $salt = substr($salt,1,8); + + // iterate + $hash = md5($salt . $clear, true); + do { + $hash = md5($hash . $clear, true); + } while (--$iter); + + // encode + $output = ''; + $count = 16; + $i = 0; + do { + $value = ord($hash[$i++]); + $output .= $itoa64[$value & 0x3f]; + if ($i < $count) + $value |= ord($hash[$i]) << 8; + $output .= $itoa64[($value >> 6) & 0x3f]; + if ($i++ >= $count) + break; + if ($i < $count) + $value |= ord($hash[$i]) << 16; + $output .= $itoa64[($value >> 12) & 0x3f]; + if ($i++ >= $count) + break; + $output .= $itoa64[($value >> 18) & 0x3f]; + } while ($i < $count); + + return '$'.$key.'$'.$iterc.$salt.$output; default: msg("Unsupported crypt method $method",-1); } @@ -1043,6 +1084,12 @@ function auth_verifyPassword($clear,$crypt){ }elseif(preg_match('/^\$apr1\$([^\$]{0,8})\$/',$crypt,$m)){ $method = 'apr1'; $salt = $m[1]; + }elseif(preg_match('/^\$P\$(.{31})$/',$crypt,$m)){ + $method = 'pmd5'; + $salt = $m[1]; + }elseif(preg_match('/^\$H\$(.{31})$/',$crypt,$m)){ + $method = 'hmd5'; + $salt = $m[1]; }elseif(substr($crypt,0,6) == '{SSHA}'){ $method = 'ssha'; $salt = substr(base64_decode(substr($crypt, 6)),20); -- cgit v1.2.3 From b2665af72cdba76ca409b7e00e150746f2f83ced Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Mon, 27 Dec 2010 22:53:18 +0100 Subject: Handle renamed authorization variables Sometimes (when using rewriting with the workaround for CGI mode described at http://www.besthostratings.com/articles/http-auth-php-cgi.html) the HTTP_AUTHORIZATION variable is renamed, this change detects this renaming and uses the renamed variable. --- inc/auth.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 5cdcec830..38d1c925d 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -70,6 +70,12 @@ function auth_setup(){ $_REQUEST['http_credentials'] = false; if (!$conf['rememberme']) $_REQUEST['r'] = false; + // handle renamed HTTP_AUTHORIZATION variable (can happen when a fix like + // the one presented at + // http://www.besthostratings.com/articles/http-auth-php-cgi.html is used + // for enabling HTTP authentication with CGI/SuExec) + if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) + $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; // streamline HTTP auth credentials (IIS/rewrite -> mod_php) if(isset($_SERVER['HTTP_AUTHORIZATION'])){ list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) = -- cgit v1.2.3