Version 1.1-alpha5()
------------------------------------------------------------------------
+ * Changed "Auto-Login" via Cookie behaviour to only issue single-
+ time valid cookies to users and no longer put username/pw into
+ serialized cookie data. Many thanks to Yasuo Ohgaki for giving
+ a helping hand! (garvinhicking)
+
* Added possibility to hide/temporarily disable Event plugins
(garvinhicking)
Version 1.0 ()
------------------------------------------------------------------------
+ * Add smarty parameter $view which can be used to detect what kind
+ of page is being displayed. One of: archives, entry, feed, admin,
+ archives, plugin, categories, authors, search, css, start, 404
+ (garvinhicking)
+
* Change Spartacus plugin to use new SourceForge URLs (garvinhicking)
* Added polish language translation by CoSTa
if (serendipity_authenticate_author($serendipity['POST']['user'], $serendipity['POST']['pass'], false, $use_external)) {
if (empty($serendipity['POST']['auto'])) {
serendipity_deleteCookie('author_information');
+ serendipity_deleteCookie('author_information_iv');
return false;
} else {
- $package = serialize(array('username' => $serendipity['POST']['user'],
- 'password' => $serendipity['POST']['pass']));
- serendipity_setCookie('author_information', base64_encode($package));
+ serendipity_issueAutologin(
+ array('username' => $serendipity['POST']['user'],
+ 'password' => $serendipity['POST']['pass']
+ )
+ );
return true;
}
// Now try login via COOKIE data
- } elseif ( isset($serendipity['COOKIE']['author_information']) ) {
- $cookie = unserialize(base64_decode($serendipity['COOKIE']['author_information']));
- if (serendipity_authenticate_author($cookie['username'], $cookie['password'], false, $use_external)) {
+ } elseif (isset($serendipity['COOKIE']['author_information'])) {
+ $cookie = serendipity_checkAutologin($serendipity['COOKIE']['author_information'], $serendipity['COOKIE']['author_information_iv']);
+
+ if (is_array($cookie) && serendipity_authenticate_author($cookie['username'], $cookie['password'], false, $use_external)) {
return true;
} else {
serendipity_deleteCookie('author_information');
+ serendipity_deleteCookie('author_information_iv');
return false;
}
}
}
+/**
+ * Issue a new auto login cookie
+ * @param array The input data
+ */
+function serendipity_issueAutologin($array) {
+ global $serendipity;
+
+ $package = serialize($array);
+
+ if (function_exists('mcrypt_encrypt')) {
+ // Secure the package data when being stored inside the Database
+ $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC), MCRYPT_RAND);
+ $key = base64_encode($iv);
+ $package = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $package, MCRYPT_MODE_CBC, $iv);
+ serendipity_setCookie('author_information_iv', $key);
+ }
+ $package = base64_encode($package);
+
+ $rnd = md5(time() . $_SERVER['REMOTE_ADDR']);
+
+ // Delete possible current cookie
+ serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($serendipity['COOKIE']['author_information']) . "'");
+
+ // Issue new autologin cookie
+ serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey) VALUES ('" . time() . "', '" . serendipity_db_escape_string($package) . "', '" . $rnd . "')");
+ serendipity_setCookie('author_information', $rnd);
+}
+
+/**
+ * Checks a new auto login cookie
+ * @param array The input data
+ */
+function serendipity_checkAutologin($ident, $iv) {
+ global $serendipity;
+
+ // Fetch login data from DB
+ $autologin = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($ident) . "' LIMIT 1", true, 'assoc');
+ if (!is_array($autologin)) {
+ return false;
+ }
+
+ if (function_exists('mcrypt_decrypt') && !empty($iv)) {
+ $key = $iv;
+ $iv = base64_decode($iv);
+ $cookie = unserialize(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($autologin['value']), MCRYPT_MODE_CBC, $iv));
+ } else {
+ $cookie = unserialize(base64_decode($autologin['value']));
+ }
+
+ if ($autologin['name'] < (time()-86400)) {
+ // Issued autologin cookie has been issued more than 1 day ago. Re-Issue new cookie, invalidate old one to prevent abuse
+ serendipity_header('X-ReIssue-Cookie: +' . (time() - $autologin['name']) . 's');
+ serendipity_issueAutologin($cookie);
+ }
+
+ return $cookie;
+}
+
/**
* Perform user authentication routine
*
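Review bot: The autologin token on line 69, `md5(time() . $_SERVER['REMOTE_ADDR'])`, is the only secret a client presents to serendipity_checkAutologin, yet both inputs are low-entropy and guessable (login second and client IP), so the stored row can be located by enumeration; derive it from a CSPRNG instead, e.g. `$rnd = bin2hex(random_bytes(16));` on PHP 7+ (or a read from /dev/urandom), and likewise replace `MCRYPT_RAND` on line 62 with `MCRYPT_DEV_URANDOM` since that IV also serves as the encryption key. The fallback on line 97 means that without mcrypt the username and password are stored serialized in the options table in clear text, and even with mcrypt they are stored reversibly; a token-to-author mapping would avoid persisting the password at all, which appears to be the intent the changelog describes. On line 103 `$cookie` may be `false` when decryption or unserialize failed, so the re-issue should be guarded with `is_array($cookie)`. On line 40 `$serendipity['COOKIE']['author_information_iv']` is read without `isset()`, which raises a notice on installations where line 65 never set that cookie. The enclosing login function on lines 19-50 begins outside the hunk.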
$uri_addData = array(
'startpage' => false,
- 'uriargs' => implode('/', serendipity_getUriArguments($uri, true))
+ 'uriargs' => implode('/', serendipity_getUriArguments($uri, true)),
+ 'view' => $serendipity['view']
);
if ((empty($uri_addData['uriargs']) || trim($uri_addData['uriargs']) == $serendipity['indexFile']) && empty($serendipity['GET']['subpage'])) {
$uri_addData['startpage'] = true;
function isEmail($email)
{
- $preg = '/^[a-zA-Z0-9-]+([\._a-zA-Z0-9-]+)*@(([a-zA-Z0-9-]+[\.-])+([a-zA-Z]{2,}|museum)|localhost)$/';
+ $preg = '/^[a-zA-Z0-9](([_\.-][a-zA-Z0-9]+)*)@([a-zA-Z0-9]+)(([\.-]?[a-zA-Z0-9]+)*)\.([a-zA-Z]{2,6})|localhost$/';
return (preg_match($preg, $email) != 0);
}
}
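Review bot: The new pattern on line 123 leaves the `|localhost` alternative at top level, so the `^` anchor binds only to the left branch and the `$` only to the right one; an address with trailing characters after the domain therefore still passes, and any string ending in "localhost" does too, which is weaker than the grouped form on the removed line. Restore the grouping around the domain alternatives: `$preg = '/^[a-zA-Z0-9](([_\.-][a-zA-Z0-9]+)*)@(([a-zA-Z0-9]+)(([\.-]?[a-zA-Z0-9]+)*)\.([a-zA-Z]{2,6})|localhost)$/';`. If isEmail gates user input elsewhere, a test with a trailing-garbage address and a bare "xlocalhost" input would catch this regression.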
if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range']) && is_numeric($serendipity['GET']['range'])) {
+ $serendipity['view'] = 'archives';
$_args = $serendipity['uriArguments'];
/* Attempt to locate hidden variables within the URI */
echo $data;
} else if ( preg_match(PAT_COMMENTSUB, $uri, $matches) ||
preg_match(PAT_PERMALINK, $uri, $matches) ) {
+ $serendipity['view'] = 'entry';
$matches[1] = serendipity_searchPermalink($serendipity['permalinkStructure'], $uri, $matches[1], 'entry');
serendipity_rememberComment();
}
print $data;
} elseif (preg_match(PAT_PERMALINK_FEEDCATEGORIES, $uri, $matches) || preg_match(PAT_PERMALINK_FEEDAUTHORS, $uri, $matches) || preg_match(PAT_FEEDS, $uri)) {
+ $serendipity['view'] = 'feed';
header('Content-Type: text/html; charset=utf-8');
if (preg_match('@/(index|atom[0-9]*|rss|comments|opml)\.(rss[0-9]?|rdf|rss|xml|atom)@', $uri, $vmatches)) {
print $data;
exit;
} else if (preg_match(PAT_ADMIN, $uri)) {
+ $serendipity['view'] = 'admin';
$base = $serendipity['baseURL'];
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
$base = str_replace('http://', 'https://', $base);
header("Location: {$base}serendipity_admin.php");
exit;
} else if (preg_match(PAT_ARCHIVE, $uri)) {
+ $serendipity['view'] = 'archives';
$serendipity['GET']['action'] = 'archives';
$_args = $serendipity['uriArguments'];
/* Attempt to locate hidden variables within the URI */
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
} else if (preg_match(PAT_PLUGIN, $uri, $matches)) {
+ $serendipity['view'] = 'plugin';
serendipity_plugin_api::hook_event('external_plugin', $matches[2]);
if (!defined('NO_EXIT')) {
exit;
}
} else if ($is_multicat || preg_match(PAT_PERMALINK_CATEGORIES, $uri, $matches)) {
+ $serendipity['view'] = 'categories';
if ($is_multicat) {
$serendipity['GET']['category'] = implode(';', $serendipity['POST']['multiCat']);
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
} else if ($is_multiauth || preg_match(PAT_PERMALINK_AUTHORS, $uri, $matches)) {
+ $serendipity['view'] = 'authors';
+
if ($is_multiauth) {
$serendipity['GET']['viewAuthor'] = implode(';', $serendipity['POST']['multiAuth']);
$serendipity['uriArguments'][] = PATH_AUTHORS;
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
} else if (preg_match(PAT_SEARCH, $uri, $matches)) {
+ $serendipity['view'] = 'search';
$_args = $serendipity['uriArguments'];
/* Attempt to locate hidden variables within the URI */
$serendipity['GET']['searchTerm'] = urldecode(htmlspecialchars(strip_tags(implode(' ', $search))));
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
} elseif (preg_match(PAT_CSS, $uri, $matches)) {
+ $serendipity['view'] = 'css';
$css_mode = $matches[1];
include(S9Y_INCLUDE_PATH . 'serendipity.css.php');
exit;
} else if (preg_match('@/(index(\.php|\.html)?)|'. preg_quote($serendipity['indexFile']) .'@', $uri) ||
preg_match('@^/' . preg_quote(trim($serendipity['serendipityHTTPPath'], '/')) . '/?(\?.*)?$@', $uri)) {
+ $serendipity['view'] = 'start';
+
if ($serendipity['GET']['action'] == 'search') {
$serendipity['uriArguments'] = array(PATH_SEARCH, urlencode($serendipity['GET']['searchTerm']));
} else {
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
} else {
+ $serendipity['view'] = '404';
header('HTTP/1.0 404 Not found');
include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
// printf('<div class="serendipity_msg_important">' . DOCUMENT_NOT_FOUND . '</div>', $uri);
}
/* vim: set sts=4 ts=4 expandtab : */
-?>