-rw-r--r-- | admin/configuration.php | 1 | ||||
-rw-r--r-- | identification.php | 19 | ||||
-rw-r--r-- | include/common.inc.php | 11 | ||||
-rw-r--r-- | include/functions_html.inc.php | 1 | ||||
-rw-r--r-- | include/functions_search.inc.php | 17 | ||||
-rw-r--r-- | include/functions_user.inc.php | 42 | ||||
-rw-r--r-- | include/php_compat/array_intersect_key.php | 35 | ||||
-rw-r--r-- | include/php_compat/hash_hmac.php | 25 | ||||
-rw-r--r-- | include/picture_comment.inc.php | 38 | ||||
-rw-r--r-- | include/ws_functions.inc.php | 14 | ||||
-rw-r--r-- | install/config.sql | 1 | ||||
-rw-r--r-- | install/db/46-database.php | 50 | ||||
-rw-r--r-- | language/en_UK.iso-8859-1/admin.lang.php | 1 | ||||
-rw-r--r-- | language/en_UK.iso-8859-1/help/configuration.html | 4 | ||||
-rw-r--r-- | language/fr_FR.iso-8859-1/admin.lang.php | 1 | ||||
-rw-r--r-- | language/fr_FR.iso-8859-1/help/configuration.html | 4 | ||||
-rw-r--r-- | template/yoga/admin/configuration.tpl | 4 | ||||
-rw-r--r-- | template/yoga/picture.tpl | 4 |
18 files changed, 174 insertions, 98 deletions
diff --git a/admin/configuration.php b/admin/configuration.php index 1f15b7a1d..71c0e6f35 100644 --- a/admin/configuration.php +++ b/admin/configuration.php @@ -51,7 +51,6 @@ $general_checkboxes = array( 'log', 'history_admin', 'history_guest', - 'login_history', 'email_admin_on_new_user', 'allow_user_registration', ); diff --git a/identification.php b/identification.php index f78849690..e1edceb1d 100644 --- a/identification.php +++ b/identification.php @@ -45,24 +45,9 @@ if ( !empty($_GET['redirect']) ) if (isset($_POST['login'])) { $redirect_to = isset($_POST['redirect']) ? $_POST['redirect'] : ''; - $username = mysql_escape_string($_POST['username']); - // retrieving the encrypted password of the login submitted - $query = ' -SELECT '.$conf['user_fields']['id'].' AS id, - '.$conf['user_fields']['password'].' AS password - FROM '.USERS_TABLE.' - WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' -;'; - $row = mysql_fetch_array(pwg_query($query)); - if ($row['password'] == $conf['pass_convert']($_POST['password'])) + $remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1; + if ( try_log_user($_POST['username'], $_POST['password'], $remember_me) ) { - $remember_me = false; - if (isset($_POST['remember_me']) - and $_POST['remember_me'] == 1) - { - $remember_me = true; - } - log_user($row['id'], $remember_me); redirect(empty($redirect_to) ? make_index_url() : $redirect_to); } else diff --git a/include/common.inc.php b/include/common.inc.php index 5a0a82ff9..aea694639 100644 --- a/include/common.inc.php +++ b/include/common.inc.php 
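Review bot: `$remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1;` in identification.php parses as `($remember_me = isset(...)) and ...` because `=` binds tighter than `and`, so `$remember_me` is `true` whenever the field is posted at all, whatever its value; write `$remember_me = (isset($_POST['remember_me']) and $_POST['remember_me']==1);` or use `&&`. The same hunk drops the `mysql_escape_string()` the removed code applied to the username, yet the new `try_log_user()` documents that its username "must be MySql escaped" and interpolates it into a quoted `WHERE` clause, so unless the request is escaped somewhere before this point this is a SQL-injection regression. Restore `try_log_user(mysql_escape_string($_POST['username']), $_POST['password'], $remember_me)` here, or better, perform the escaping inside the helper so no caller can forget it. The enclosing `if (isset($_POST['login']))` block continues past the end of the hunk.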
@@ -121,6 +121,17 @@ if (!defined('PHPWG_INSTALLED')) exit; } +foreach( array( + 'array_intersect_key', //PHP 5 >= 5.1.0RC1 + 'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2 + ) as $func) +{ + if (!function_exists($func)) + { + include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php'); + } +} + include(PHPWG_ROOT_PATH . 'include/config_default.inc.php'); @include(PHPWG_ROOT_PATH. 'include/config_local.inc.php'); include(PHPWG_ROOT_PATH . 'include/constants.php'); diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php index 8b544defa..bb8861ba4 100644 --- a/include/functions_html.inc.php +++ b/include/functions_html.inc.php @@ -717,5 +717,6 @@ function set_status_header($code, $text='') } header("HTTP/1.1 $code $text"); header("Status: $code $text"); + trigger_action('set_status_header', $code, $text); } ?> diff --git a/include/functions_search.inc.php b/include/functions_search.inc.php index 8f1105caf..24b676e1f 100644 --- a/include/functions_search.inc.php +++ b/include/functions_search.inc.php @@ -252,23 +252,6 @@ SELECT DISTINCT(id) return $items; } - -if (!function_exists('array_intersect_key')) { - function array_intersect_key() - { - $arrs = func_get_args(); - $result = array_shift($arrs); - foreach ($arrs as $array) { - foreach ($result as $key => $v) { - if (!array_key_exists($key, $array)) { - unset($result[$key]); - } - } - } - return $result; - } -} - /** * returns the LIKE sql clause corresponding to the quick search query $q * and the field $field. example q="john bill", field="file" will return diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index 5499eb86c..74c1c81f1 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php 
@@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '') /** * returns the auto login key or false on error * @param int user_id + * @param string [out] username */ -function calculate_auto_login_key($user_id) +function calculate_auto_login_key($user_id, &$username) { global $conf; $query = ' @@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id; if (mysql_num_rows($result) > 0) { $row = mysql_fetch_assoc($result); - $key = sha1( $row['username'].$row['password'] ); + $username = $row['username']; + $data = $row['username'].$row['password']; + $key = base64_encode( + pack('H*', sha1($data)) + .hash_hmac('md5', $data, $conf['secret_key'],true) + ); return $key; } return false; @@ -889,7 +895,7 @@ function log_user($user_id, $remember_me) if ($remember_me and $conf['authorize_remembering']) { - $key = calculate_auto_login_key($user_id); + $key = calculate_auto_login_key($user_id, $username); if ($key!==false) { $cookie = array('id' => (int)$user_id, 'key' => $key); @@ -928,12 +934,13 @@ function auto_login() { if ( isset( $_COOKIE[$conf['remember_me_name']] ) ) { $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']])); - if ($cookie!==false) + if ($cookie!==false and is_numeric(@$cookie['id']) ) { - $key = calculate_auto_login_key($cookie['id']); + $key = calculate_auto_login_key( $cookie['id'], $username ); if ($key!==false and $key===$cookie['key']) { log_user($cookie['id'], true); + trigger_action('login_success', $username); return true; } } 
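Review bot: The new remember-me key built in `calculate_auto_login_key()` concatenates an unkeyed `sha1($data)` with `hash_hmac('md5', $data, $conf['secret_key'], true)`, so the cookie still carries a secret-independent digest of the username plus the stored password value that anyone who captures the cookie can attack offline; the HMAC half alone already ties the key to the server secret, and the sha1 half only adds an exposure. Consider `$key = base64_encode(hash_hmac('sha1', $data, $conf['secret_key'], true));` — the commit already changes the key format, so existing cookies are invalidated either way. In `auto_login()`, `$key===$cookie['key']` is a non-constant-time comparison of a secret; if the target PHP lacks `hash_equals()` (the `hash_hmac` polyfill added in this commit suggests old versions are supported), a length check followed by a byte-wise XOR accumulation is the usual substitute. The added `is_numeric(@$cookie['id'])` guard keeps non-numeric ids out of the unquoted `WHERE ... id = '.$user_id` query, but casting with `(int)` before the query would be stricter, since `is_numeric` also accepts leading whitespace and exponent forms.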
@@ -942,6 +949,31 @@ function auto_login() { return false; } +/** + * Tries to login a user given username and password (must be MySql escaped) + * return true on success + */ +function try_log_user($username, $password, $remember_me) +{ + global $conf; + // retrieving the encrypted password of the login submitted + $query = ' +SELECT '.$conf['user_fields']['id'].' AS id, + '.$conf['user_fields']['password'].' AS password + FROM '.USERS_TABLE.' + WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' +;'; + $row = mysql_fetch_assoc(pwg_query($query)); + if ($row['password'] == $conf['pass_convert']($password)) + { + log_user($row['id'], $remember_me); + trigger_action('login_success', $username); + return true; + } + trigger_action('login_failure', $username); + return false; +} + /* * Return access_type definition of uuser * Test does with user status diff --git a/include/php_compat/array_intersect_key.php b/include/php_compat/array_intersect_key.php new file mode 100644 index 000000000..748b8f6f1 --- /dev/null +++ b/include/php_compat/array_intersect_key.php @@ -0,0 +1,35 @@ +<?php +// http://www.php.net/manual/en/function.array-intersect-key.php +// PHP 5 >= 5.1.0RC1 +function array_intersect_key() +{ + $args = func_get_args(); + if (count($args) < 2) { + trigger_error('Wrong parameter count for array_intersect_key()', E_USER_WARNING); + return; + } + + // Check arrays + $array_count = count($args); + for ($i = 0; $i !== $array_count; $i++) { + if (!is_array($args[$i])) { + trigger_error('array_intersect_key() Argument #' . ($i + 1) . ' is not an array', E_USER_WARNING); + return; + } + } + + // Compare entries + $result = array(); + foreach ($args[0] as $key1 => $value1) { + for ($i = 1; $i !== $array_count; $i++) { + foreach ($args[$i] as $key2 => $value2) { + if ((string) $key1 === (string) $key2) { + $result[$key1] = $value1; + } + } + } + } + + return $result; +} +?>
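Review bot: `try_log_user()` never checks the result of `mysql_fetch_assoc()`, so for an unknown username `$row` is `false`, `$row['password']` is `null`, and the loose `==` then compares `null` with `$conf['pass_convert']($password)`; `null == ''` is true in PHP, so any `pass_convert` that can yield an empty string would call `log_user(null, ...)` for a user that does not exist. Guard it explicitly — `if ($row === false) { trigger_action('login_failure', $username); return false; }` — and compare the digests with `!==`. The docblock pushes MySQL escaping onto callers, but neither visible call site (identification.php passes `$_POST['username']`, `ws_session_login` passes `$params['username']`) escapes first; doing `$username = mysql_escape_string($username);` inside this function (or `mysql_real_escape_string` if a link is available) closes that gap in one place. The `/* Return access_type ...` comment at the end belongs to a function that starts outside the hunk.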
\ No newline at end of file diff --git a/include/php_compat/hash_hmac.php b/include/php_compat/hash_hmac.php new file mode 100644 index 000000000..5f05e370c --- /dev/null +++ b/include/php_compat/hash_hmac.php @@ -0,0 +1,25 @@ +<?php +//(hash) - enabled by default as of PHP 5.1.2 +function hash_hmac($algo, $data, $key, $raw_output=false) +{ + /* md5 and sha1 only */ + $algo=strtolower($algo); + $p=array('md5'=>'H32','sha1'=>'H40'); + if ( !isset($p[$algo]) or !function_exists($algo) ) + { + $algo = 'md5'; + } + if(strlen($key)>64) $key=pack($p[$algo],$algo($key)); + if(strlen($key)<64) $key=str_pad($key,64,chr(0)); + + $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64); + $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64); + + $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data))); + if ($raw_output) + { + $ret = pack('H*', $ret); + } + return $ret; +} +?>
\ No newline at end of file diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php index fbbe80d50..faf1d9d7d 100644 --- a/include/picture_comment.inc.php +++ b/include/picture_comment.inc.php @@ -30,32 +30,6 @@ * */ -if (!function_exists('hash_hmac')) -{ -function hash_hmac($algo, $data, $key, $raw_output=false) -{ - /* md5 and sha1 only */ - $algo=strtolower($algo); - $p=array('md5'=>'H32','sha1'=>'H40'); - if ( !isset($p[$algo]) or !function_exists($algo) ) - { - $algo = 'md5'; - } - if(strlen($key)>64) $key=pack($p[$algo],$algo($key)); - if(strlen($key)<64) $key=str_pad($key,64,chr(0)); - - $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64); - $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64); - - $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data))); - if ($raw_output) - { - $ret = pack('H*', $ret); - } - return $ret; -} -} - //returns string action to perform on a new comment: validate, moderate, reject function user_comment_check($action, $comment, $picture) { @@ -166,7 +140,8 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) ) $key = explode(':', @$_POST['key']); if ( count($key)!=2 - or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration + or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago + or $key[0]<time()-3600 // 60 minutes expiration or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1] ) { @@ -257,6 +232,7 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) ) } else { + set_status_header(403); $template->assign_block_vars('information', array('INFORMATION'=>l10n('comment_not_added') ) ); 
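Review bot: The `hash_hmac` polyfill silently substitutes md5 when `$algo` is anything other than `md5`/`sha1` or the digest function is missing (`$algo = 'md5';`), so a caller asking for e.g. `sha256` gets a different, weaker MAC with no diagnostic, and any verifier computing the requested algorithm will never match. Fail loudly instead, in line with the native function, which warns and returns `false` for an unknown algorithm: `trigger_error('hash_hmac(): Unknown hashing algorithm: ' . $algo, E_USER_WARNING); return false;`. Since `common.inc.php` only includes this file when the native `hash_hmac` is absent, the two code paths should behave identically for the same inputs.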
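Review bot: The comment-key check in picture_comment.inc.php, `hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]`, uses loose `!=` between two hex strings; PHP compares numeric-looking strings numerically, so any two digests of the form `0e<digits>` are "equal", and a client can always submit `0e0000...` as `$key[1]` and succeed for any timestamp whose real HMAC happens to be such a string. The odds per timestamp are tiny, but the comparison is wrong in principle and `!==` costs nothing; change the line to `or hash_hmac('md5', $key[0], $conf['secret_key'])!==$key[1]`. The new window check `$key[0]>time()-2` also lets a non-numeric `$key[0]` through as `0` (it then fails the HMAC), so an explicit `or !ctype_digit($key[0])` early in the condition would make the rejected shapes clearer to the next reader.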
@@ -354,9 +330,15 @@ SELECT id,author,date,image_id,content { $key = time(); $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']); + $content = ''; + if ('reject'===@$comment_action) + { + $content = htmlspecialchars($comm['content']); + } $template->assign_block_vars('comments.add_comment', array( - 'key' => $key + 'KEY' => $key, + 'CONTENT' => $content )); // display author field if the user is not logged in if ($user['is_the_guest']) diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php index 849407ef2..61310265b 100644 --- a/include/ws_functions.inc.php +++ b/include/ws_functions.inc.php @@ -494,20 +494,8 @@ function ws_session_login($params, &$service) { return new PwgError(400, "This method requires POST"); } - - $username = $params['username']; - // retrieving the encrypted password of the login submitted - $query = ' -SELECT '.$conf['user_fields']['id'].' AS id, - '.$conf['user_fields']['password'].' AS password - FROM '.USERS_TABLE.' - WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' -;'; - $row = mysql_fetch_assoc(pwg_query($query)); - - if ($row['password'] == $conf['pass_convert']($params['password'])) + if (try_log_user($params['username'], $params['password'],false)) { - log_user($row['id'], false); return true; } return new PwgError(999, 'Invalid username/password'); diff --git a/install/config.sql b/install/config.sql index 9c4dbc743..3933fd658 100644 --- a/install/config.sql +++ b/install/config.sql 
@@ -21,7 +21,6 @@ INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('rate_anonymous',
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('page_banner','<h1>PhpWebGallery demonstration site</h1><p>My photos web site</p>','html displayed on the top each page of your gallery');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_admin','false','keep a history of administrator visits on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_guest','true','keep a history of guest visits on your website');
-INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');
 -- Notification by mail
diff --git a/install/db/46-database.php b/install/db/46-database.php
new file mode 100644
index 000000000..fa4def413
--- /dev/null
+++ b/install/db/46-database.php
@@ -0,0 +1,50 @@ +<?php +// +-----------------------------------------------------------------------+ +// | PhpWebGallery - a PHP based picture gallery | +// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net | +// | Copyright (C) 2003-2005 PhpWebGallery Team - http://phpwebgallery.net | +// +-----------------------------------------------------------------------+ +// | branch : BSF (Best So Far) +// | file : $Id$ +// | last update : $Date$ +// | last modifier : $Author$ +// | revision : $Revision$ +// +-----------------------------------------------------------------------+ +// | This program is free software; you can redistribute it and/or modify | +// | it under the terms of the GNU General Public License as published by | +// | the Free Software Foundation | +// | | +// | This program is distributed in the hope that it will be useful, but | +// | WITHOUT ANY WARRANTY; without even the implied warranty of | +// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | +// | General Public License for more details. | +// | | +// | You should have received a copy of the GNU General Public License | +// | along with this program; if not, write to the Free Software | +// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | +// | USA. | +// +-----------------------------------------------------------------------+ + +if (!defined('PHPWG_ROOT_PATH')) +{ + die('Hacking attempt!'); +} + +$upgrade_description = 'remove login_history from #config (partial revert 30-database.php)'; + + +// +-----------------------------------------------------------------------+ +// | Upgrade content | +// +-----------------------------------------------------------------------+ + +$query = ' +DELETE FROM '.PREFIX_TABLE.'config WHERE param="login_history"'; +pwg_query($query); + +echo +"\n" +.'"'.$upgrade_description.'"'.' ended' +."\n" +; + +?> 
diff --git a/language/en_UK.iso-8859-1/admin.lang.php b/language/en_UK.iso-8859-1/admin.lang.php index 6a7ad01c6..8825f1a2f 100644 --- a/language/en_UK.iso-8859-1/admin.lang.php +++ b/language/en_UK.iso-8859-1/admin.lang.php @@ -106,7 +106,6 @@ $lang['Link all category elements to a new category'] = 'Link all category eleme $lang['Link all category elements to some existing categories'] = 'Link all category elements to some existing categories'; $lang['Linked categories'] = 'Linked categories'; $lang['Lock gallery'] = 'Lock gallery'; -$lang['Login history'] = 'User login history'; $lang['Maintenance'] = 'Maintenance'; $lang['Manage permissions for a category'] = 'Manage permissions for a category'; $lang['Manage permissions for group "%s"'] = 'Manage permissions for group "%s"'; diff --git a/language/en_UK.iso-8859-1/help/configuration.html b/language/en_UK.iso-8859-1/help/configuration.html index cca7f1d8a..f26d7f3b9 100644 --- a/language/en_UK.iso-8859-1/help/configuration.html +++ b/language/en_UK.iso-8859-1/help/configuration.html @@ -40,10 +40,6 @@ rate images.</li> will be saved.</li> <li><strong>History Guests</strong>: page visits by guests will be saved.</li> - - <li><strong>User login history</strong>: when a user logs in, it will be - logged in the <code>history</code> table.</li> - </ul> diff --git a/language/fr_FR.iso-8859-1/admin.lang.php b/language/fr_FR.iso-8859-1/admin.lang.php index 209c39a7f..8d5bc1072 100644 --- a/language/fr_FR.iso-8859-1/admin.lang.php +++ b/language/fr_FR.iso-8859-1/admin.lang.php 
@@ -106,7 +106,6 @@ $lang['Link all category elements to a new category'] = 'Associer tous les éléme $lang['Link all category elements to some existing categories'] = 'Associer tous les éléments de la catégorie à des catégories existantes'; $lang['Linked categories'] = 'Catégories associées'; $lang['Lock gallery'] = 'Verrouiller la galerie'; -$lang['Login history'] = 'Historique des connexions'; $lang['Maintenance'] = 'Maintenance'; $lang['Manage permissions for a category'] = 'Gérer les permissions pour une catégorie'; $lang['Manage permissions for group "%s"'] = 'Gérer les permissions pour le groupe "%s"'; diff --git a/language/fr_FR.iso-8859-1/help/configuration.html b/language/fr_FR.iso-8859-1/help/configuration.html index ba9a411f4..001daf336 100644 --- a/language/fr_FR.iso-8859-1/help/configuration.html +++ b/language/fr_FR.iso-8859-1/help/configuration.html @@ -41,10 +41,6 @@ dans l'écran <span class="pwgScreen">Administration, Général, Historique</span>. <li><strong>Historique Invités</strong>: les visites des pages par les invités sont enregistrées.</li> - - <li><strong>Historique des connexions</strong>: chaque connexion - utilisateur, est enregistrée dans la table <code>history</code>.</li> - </ul> diff --git a/template/yoga/admin/configuration.tpl b/template/yoga/admin/configuration.tpl index 387bb5b47..6f4010a5f 100644 --- a/template/yoga/admin/configuration.tpl +++ b/template/yoga/admin/configuration.tpl @@ -82,10 +82,6 @@ <li> <label><span class="property">{lang:Guests}</span><input type="checkbox" name="history_guest" {general.HISTORY_GUEST} /></label> </li> - - <li> - <label><span class="property">{lang:Login history}</span><input type="checkbox" name="login_history" {general.LOGIN_HISTORY} /></label> - </li> </ul> </fieldset> </li> diff --git a/template/yoga/picture.tpl b/template/yoga/picture.tpl index f42fc83ae..52d64cd9c 100644 --- a/template/yoga/picture.tpl +++ b/template/yoga/picture.tpl 
@@ -190,8 +190,8 @@ <!-- BEGIN author_field --> <label>{lang:upload_author}<input type="text" name="author"></label> <!-- END author_field --> - <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label> - <input type="hidden" name="key" value="{comments.add_comment.key}" /> + <label>{lang:comment}<textarea name="content" rows="5" cols="80">{comments.add_comment.CONTENT}</textarea></label> + <input type="hidden" name="key" value="{comments.add_comment.KEY}" /> <input type="submit" value="{lang:submit}"> </fieldset> </form> |