aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--admin/configuration.php1
-rw-r--r--identification.php19
-rw-r--r--include/common.inc.php11
-rw-r--r--include/functions_html.inc.php1
-rw-r--r--include/functions_search.inc.php17
-rw-r--r--include/functions_user.inc.php42
-rw-r--r--include/php_compat/array_intersect_key.php35
-rw-r--r--include/php_compat/hash_hmac.php25
-rw-r--r--include/picture_comment.inc.php38
-rw-r--r--include/ws_functions.inc.php14
-rw-r--r--install/config.sql1
-rw-r--r--install/db/46-database.php50
-rw-r--r--language/en_UK.iso-8859-1/admin.lang.php1
-rw-r--r--language/en_UK.iso-8859-1/help/configuration.html4
-rw-r--r--language/fr_FR.iso-8859-1/admin.lang.php1
-rw-r--r--language/fr_FR.iso-8859-1/help/configuration.html4
-rw-r--r--template/yoga/admin/configuration.tpl4
-rw-r--r--template/yoga/picture.tpl4
18 files changed, 174 insertions, 98 deletions
diff --git a/admin/configuration.php b/admin/configuration.php
index 1f15b7a1d..71c0e6f35 100644
--- a/admin/configuration.php
+++ b/admin/configuration.php
@@ -51,7 +51,6 @@ $general_checkboxes = array(
'log',
'history_admin',
'history_guest',
- 'login_history',
'email_admin_on_new_user',
'allow_user_registration',
);
diff --git a/identification.php b/identification.php
index f78849690..e1edceb1d 100644
--- a/identification.php
+++ b/identification.php
@@ -45,24 +45,9 @@ if ( !empty($_GET['redirect']) )
if (isset($_POST['login']))
{
$redirect_to = isset($_POST['redirect']) ? $_POST['redirect'] : '';
- $username = mysql_escape_string($_POST['username']);
- // retrieving the encrypted password of the login submitted
- $query = '
-SELECT '.$conf['user_fields']['id'].' AS id,
- '.$conf['user_fields']['password'].' AS password
- FROM '.USERS_TABLE.'
- WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
-;';
- $row = mysql_fetch_array(pwg_query($query));
- if ($row['password'] == $conf['pass_convert']($_POST['password']))
+ $remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1;
+ if ( try_log_user($_POST['username'], $_POST['password'], $remember_me) )
{
- $remember_me = false;
- if (isset($_POST['remember_me'])
- and $_POST['remember_me'] == 1)
- {
- $remember_me = true;
- }
- log_user($row['id'], $remember_me);
redirect(empty($redirect_to) ? make_index_url() : $redirect_to);
}
else
diff --git a/include/common.inc.php b/include/common.inc.php
index 5a0a82ff9..aea694639 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -121,6 +121,17 @@ if (!defined('PHPWG_INSTALLED'))
exit;
}
+foreach( array(
+ 'array_intersect_key', //PHP 5 >= 5.1.0RC1
+ 'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
+ ) as $func)
+{
+ if (!function_exists($func))
+ {
+ include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
+ }
+}
+
include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
@include(PHPWG_ROOT_PATH. 'include/config_local.inc.php');
include(PHPWG_ROOT_PATH . 'include/constants.php');
diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php
index 8b544defa..bb8861ba4 100644
--- a/include/functions_html.inc.php
+++ b/include/functions_html.inc.php
@@ -717,5 +717,6 @@ function set_status_header($code, $text='')
}
header("HTTP/1.1 $code $text");
header("Status: $code $text");
+ trigger_action('set_status_header', $code, $text);
}
?>
diff --git a/include/functions_search.inc.php b/include/functions_search.inc.php
index 8f1105caf..24b676e1f 100644
--- a/include/functions_search.inc.php
+++ b/include/functions_search.inc.php
@@ -252,23 +252,6 @@ SELECT DISTINCT(id)
return $items;
}
-
-if (!function_exists('array_intersect_key')) {
- function array_intersect_key()
- {
- $arrs = func_get_args();
- $result = array_shift($arrs);
- foreach ($arrs as $array) {
- foreach ($result as $key => $v) {
- if (!array_key_exists($key, $array)) {
- unset($result[$key]);
- }
- }
- }
- return $result;
- }
-}
-
/**
* returns the LIKE sql clause corresponding to the quick search query $q
* and the field $field. example q="john bill", field="file" will return
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index 5499eb86c..74c1c81f1 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '')
/**
* returns the auto login key or false on error
* @param int user_id
+ * @param string [out] username
*/
-function calculate_auto_login_key($user_id)
+function calculate_auto_login_key($user_id, &$username)
{
global $conf;
$query = '
@@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
if (mysql_num_rows($result) > 0)
{
$row = mysql_fetch_assoc($result);
- $key = sha1( $row['username'].$row['password'] );
+ $username = $row['username'];
+ $data = $row['username'].$row['password'];
+ $key = base64_encode(
+ pack('H*', sha1($data))
+ .hash_hmac('md5', $data, $conf['secret_key'],true)
+ );
return $key;
}
return false;
@@ -889,7 +895,7 @@ function log_user($user_id, $remember_me)
if ($remember_me and $conf['authorize_remembering'])
{
- $key = calculate_auto_login_key($user_id);
+ $key = calculate_auto_login_key($user_id, $username);
if ($key!==false)
{
$cookie = array('id' => (int)$user_id, 'key' => $key);
@@ -928,12 +934,13 @@ function auto_login() {
if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
{
$cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
- if ($cookie!==false)
+ if ($cookie!==false and is_numeric(@$cookie['id']) )
{
- $key = calculate_auto_login_key($cookie['id']);
+ $key = calculate_auto_login_key( $cookie['id'], $username );
if ($key!==false and $key===$cookie['key'])
{
log_user($cookie['id'], true);
+ trigger_action('login_success', $username);
return true;
}
}
@@ -942,6 +949,31 @@ function auto_login() {
return false;
}
+/**
+ * Tries to login a user given username and password (must be MySql escaped)
+ * return true on success
+ */
+function try_log_user($username, $password, $remember_me)
+{
+ global $conf;
+ // retrieving the encrypted password of the login submitted
+ $query = '
+SELECT '.$conf['user_fields']['id'].' AS id,
+ '.$conf['user_fields']['password'].' AS password
+ FROM '.USERS_TABLE.'
+ WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
+;';
+ $row = mysql_fetch_assoc(pwg_query($query));
+ if ($row['password'] == $conf['pass_convert']($password))
+ {
+ log_user($row['id'], $remember_me);
+ trigger_action('login_success', $username);
+ return true;
+ }
+ trigger_action('login_failure', $username);
+ return false;
+}
+
/*
* Return access_type definition of uuser
* Test does with user status
diff --git a/include/php_compat/array_intersect_key.php b/include/php_compat/array_intersect_key.php
new file mode 100644
index 000000000..748b8f6f1
--- /dev/null
+++ b/include/php_compat/array_intersect_key.php
@@ -0,0 +1,35 @@
+<?php
+// http://www.php.net/manual/en/function.array-intersect-key.php
+// PHP 5 >= 5.1.0RC1
+function array_intersect_key()
+{
+ $args = func_get_args();
+ if (count($args) < 2) {
+ trigger_error('Wrong parameter count for array_intersect_key()', E_USER_WARNING);
+ return;
+ }
+
+ // Check arrays
+ $array_count = count($args);
+ for ($i = 0; $i !== $array_count; $i++) {
+ if (!is_array($args[$i])) {
+ trigger_error('array_intersect_key() Argument #' . ($i + 1) . ' is not an array', E_USER_WARNING);
+ return;
+ }
+ }
+
+ // Compare entries
+ $result = array();
+ foreach ($args[0] as $key1 => $value1) {
+ for ($i = 1; $i !== $array_count; $i++) {
+ foreach ($args[$i] as $key2 => $value2) {
+ if ((string) $key1 === (string) $key2) {
+ $result[$key1] = $value1;
+ }
+ }
+ }
+ }
+
+ return $result;
+}
+?> \ No newline at end of file
diff --git a/include/php_compat/hash_hmac.php b/include/php_compat/hash_hmac.php
new file mode 100644
index 000000000..5f05e370c
--- /dev/null
+++ b/include/php_compat/hash_hmac.php
@@ -0,0 +1,25 @@
+<?php
+//(hash) - enabled by default as of PHP 5.1.2
+function hash_hmac($algo, $data, $key, $raw_output=false)
+{
+ /* md5 and sha1 only */
+ $algo=strtolower($algo);
+ $p=array('md5'=>'H32','sha1'=>'H40');
+ if ( !isset($p[$algo]) or !function_exists($algo) )
+ {
+ $algo = 'md5';
+ }
+ if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
+ if(strlen($key)<64) $key=str_pad($key,64,chr(0));
+
+ $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
+ $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
+
+ $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
+ if ($raw_output)
+ {
+ $ret = pack('H*', $ret);
+ }
+ return $ret;
+}
+?> \ No newline at end of file
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index fbbe80d50..faf1d9d7d 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -30,32 +30,6 @@
*
*/
-if (!function_exists('hash_hmac'))
-{
-function hash_hmac($algo, $data, $key, $raw_output=false)
-{
- /* md5 and sha1 only */
- $algo=strtolower($algo);
- $p=array('md5'=>'H32','sha1'=>'H40');
- if ( !isset($p[$algo]) or !function_exists($algo) )
- {
- $algo = 'md5';
- }
- if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
- if(strlen($key)<64) $key=str_pad($key,64,chr(0));
-
- $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
- $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
-
- $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
- if ($raw_output)
- {
- $ret = pack('H*', $ret);
- }
- return $ret;
-}
-}
-
//returns string action to perform on a new comment: validate, moderate, reject
function user_comment_check($action, $comment, $picture)
{
@@ -166,7 +140,8 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
$key = explode(':', @$_POST['key']);
if ( count($key)!=2
- or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+ or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
+ or $key[0]<time()-3600 // 60 minutes expiration
or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
)
{
@@ -257,6 +232,7 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
}
else
{
+ set_status_header(403);
$template->assign_block_vars('information',
array('INFORMATION'=>l10n('comment_not_added') )
);
@@ -354,9 +330,15 @@ SELECT id,author,date,image_id,content
{
$key = time();
$key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+ $content = '';
+ if ('reject'===@$comment_action)
+ {
+ $content = htmlspecialchars($comm['content']);
+ }
$template->assign_block_vars('comments.add_comment',
array(
- 'key' => $key
+ 'KEY' => $key,
+ 'CONTENT' => $content
));
// display author field if the user is not logged in
if ($user['is_the_guest'])
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 849407ef2..61310265b 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -494,20 +494,8 @@ function ws_session_login($params, &$service)
{
return new PwgError(400, "This method requires POST");
}
-
- $username = $params['username'];
- // retrieving the encrypted password of the login submitted
- $query = '
-SELECT '.$conf['user_fields']['id'].' AS id,
- '.$conf['user_fields']['password'].' AS password
- FROM '.USERS_TABLE.'
- WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
-;';
- $row = mysql_fetch_assoc(pwg_query($query));
-
- if ($row['password'] == $conf['pass_convert']($params['password']))
+ if (try_log_user($params['username'], $params['password'],false))
{
- log_user($row['id'], false);
return true;
}
return new PwgError(999, 'Invalid username/password');
diff --git a/install/config.sql b/install/config.sql
index 9c4dbc743..3933fd658 100644
--- a/install/config.sql
+++ b/install/config.sql
@@ -21,7 +21,6 @@ INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('rate_anonymous',
INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('page_banner','<h1>PhpWebGallery demonstration site</h1><p>My photos web site</p>','html displayed on the top each page of your gallery');
INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_admin','false','keep a history of administrator visits on your website');
INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_guest','true','keep a history of guest visits on your website');
-INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website');
INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?');
INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');
-- Notification by mail
diff --git a/install/db/46-database.php b/install/db/46-database.php
new file mode 100644
index 000000000..fa4def413
--- /dev/null
+++ b/install/db/46-database.php
@@ -0,0 +1,50 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | PhpWebGallery - a PHP based picture gallery |
+// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
+// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net |
+// +-----------------------------------------------------------------------+
+// | branch : BSF (Best So Far)
+// | file : $Id$
+// | last update : $Date$
+// | last modifier : $Author$
+// | revision : $Revision$
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify |
+// | it under the terms of the GNU General Public License as published by |
+// | the Free Software Foundation |
+// | |
+// | This program is distributed in the hope that it will be useful, but |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
+// | General Public License for more details. |
+// | |
+// | You should have received a copy of the GNU General Public License |
+// | along with this program; if not, write to the Free Software |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA. |
+// +-----------------------------------------------------------------------+
+
+if (!defined('PHPWG_ROOT_PATH'))
+{
+ die('Hacking attempt!');
+}
+
+$upgrade_description = 'remove login_history from #config (partial revert 30-database.php)';
+
+
+// +-----------------------------------------------------------------------+
+// | Upgrade content |
+// +-----------------------------------------------------------------------+
+
+$query = '
+DELETE FROM '.PREFIX_TABLE.'config WHERE param="login_history"';
+pwg_query($query);
+
+echo
+"\n"
+.'"'.$upgrade_description.'"'.' ended'
+."\n"
+;
+
+?>
diff --git a/language/en_UK.iso-8859-1/admin.lang.php b/language/en_UK.iso-8859-1/admin.lang.php
index 6a7ad01c6..8825f1a2f 100644
--- a/language/en_UK.iso-8859-1/admin.lang.php
+++ b/language/en_UK.iso-8859-1/admin.lang.php
@@ -106,7 +106,6 @@ $lang['Link all category elements to a new category'] = 'Link all category eleme
$lang['Link all category elements to some existing categories'] = 'Link all category elements to some existing categories';
$lang['Linked categories'] = 'Linked categories';
$lang['Lock gallery'] = 'Lock gallery';
-$lang['Login history'] = 'User login history';
$lang['Maintenance'] = 'Maintenance';
$lang['Manage permissions for a category'] = 'Manage permissions for a category';
$lang['Manage permissions for group "%s"'] = 'Manage permissions for group "%s"';
diff --git a/language/en_UK.iso-8859-1/help/configuration.html b/language/en_UK.iso-8859-1/help/configuration.html
index cca7f1d8a..f26d7f3b9 100644
--- a/language/en_UK.iso-8859-1/help/configuration.html
+++ b/language/en_UK.iso-8859-1/help/configuration.html
@@ -40,10 +40,6 @@ rate images.</li>
will be saved.</li>
<li><strong>History Guests</strong>: page visits by guests will be saved.</li>
-
- <li><strong>User login history</strong>: when a user logs in, it will be
- logged in the <code>history</code> table.</li>
-
</ul>
diff --git a/language/fr_FR.iso-8859-1/admin.lang.php b/language/fr_FR.iso-8859-1/admin.lang.php
index 209c39a7f..8d5bc1072 100644
--- a/language/fr_FR.iso-8859-1/admin.lang.php
+++ b/language/fr_FR.iso-8859-1/admin.lang.php
@@ -106,7 +106,6 @@ $lang['Link all category elements to a new category'] = 'Associer tous les éléme
$lang['Link all category elements to some existing categories'] = 'Associer tous les éléments de la catégorie à des catégories existantes';
$lang['Linked categories'] = 'Catégories associées';
$lang['Lock gallery'] = 'Verrouiller la galerie';
-$lang['Login history'] = 'Historique des connexions';
$lang['Maintenance'] = 'Maintenance';
$lang['Manage permissions for a category'] = 'Gérer les permissions pour une catégorie';
$lang['Manage permissions for group "%s"'] = 'Gérer les permissions pour le groupe "%s"';
diff --git a/language/fr_FR.iso-8859-1/help/configuration.html b/language/fr_FR.iso-8859-1/help/configuration.html
index ba9a411f4..001daf336 100644
--- a/language/fr_FR.iso-8859-1/help/configuration.html
+++ b/language/fr_FR.iso-8859-1/help/configuration.html
@@ -41,10 +41,6 @@ dans l'écran <span class="pwgScreen">Administration, Général, Historique</span>.
<li><strong>Historique Invités</strong>: les visites des pages
par les invités sont enregistrées.</li>
-
- <li><strong>Historique des connexions</strong>: chaque connexion
- utilisateur, est enregistrée dans la table <code>history</code>.</li>
-
</ul>
diff --git a/template/yoga/admin/configuration.tpl b/template/yoga/admin/configuration.tpl
index 387bb5b47..6f4010a5f 100644
--- a/template/yoga/admin/configuration.tpl
+++ b/template/yoga/admin/configuration.tpl
@@ -82,10 +82,6 @@
<li>
<label><span class="property">{lang:Guests}</span><input type="checkbox" name="history_guest" {general.HISTORY_GUEST} /></label>
</li>
-
- <li>
- <label><span class="property">{lang:Login history}</span><input type="checkbox" name="login_history" {general.LOGIN_HISTORY} /></label>
- </li>
</ul>
</fieldset>
</li>
diff --git a/template/yoga/picture.tpl b/template/yoga/picture.tpl
index f42fc83ae..52d64cd9c 100644
--- a/template/yoga/picture.tpl
+++ b/template/yoga/picture.tpl
@@ -190,8 +190,8 @@
<!-- BEGIN author_field -->
<label>{lang:upload_author}<input type="text" name="author"></label>
<!-- END author_field -->
- <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label>
- <input type="hidden" name="key" value="{comments.add_comment.key}" />
+ <label>{lang:comment}<textarea name="content" rows="5" cols="80">{comments.add_comment.CONTENT}</textarea></label>
+ <input type="hidden" name="key" value="{comments.add_comment.KEY}" />
<input type="submit" value="{lang:submit}">
</fieldset>
</form>