From: garvinhicking
Date: Fri, 19 May 2006 08:52:00 +0000 (+0000)
Subject: * New, safer autologin method
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=eb83b3774be81c1f5d80ef8be1d588235dd0d1fe;p=s9y.git
* New, safer autologin method
* Fix regexp
* New "view" smarty parameter
---
diff --git a/docs/NEWS b/docs/NEWS
index 81e8ca4..464b084 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,11 @@ Version 1.1-alpha5()
 ------------------------------------------------------------------------
+ * Changed "Auto-Login" via Cookie behaviour to only issue single-
+ time valid cookies to users and no longer put username/pw into
+ serialized cookie data. Many thanks to Yasuo Ohgaki for giving
+ a helping hand! (garvinhicking)
+
 * Added possibility to hide/temporarily disable Event plugins (garvinhicking)
@@ -115,6 +120,11 @@ Version 1.1-alpha5()
 Version 1.0 ()
 ------------------------------------------------------------------------
+ * Add smarty parameter $view which can be used to detect what kind
+ of page is being displayed. One of: archives, entry, feed, admin,
+ archives, plugin, categories, authors, search, css, start, 404
+ (garvinhicking)
+
 * Change Spartacus plugin to use new SourceForge URLs (garvinhicking)
 * Added polish language translation by CoSTa
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php
index d481c9d..738bb58 100644
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@@ -345,25 +345,88 @@ function serendipity_login($use_external = true) {
 if (serendipity_authenticate_author($serendipity['POST']['user'], $serendipity['POST']['pass'], false, $use_external)) {
 if (empty($serendipity['POST']['auto'])) {
 serendipity_deleteCookie('author_information');
+ serendipity_deleteCookie('author_information_iv');
 return false;
 } else {
- $package = serialize(array('username' => $serendipity['POST']['user'],
- 'password' => $serendipity['POST']['pass']));
- serendipity_setCookie('author_information', base64_encode($package));
+ serendipity_issueAutologin(
+ array('username' => $serendipity['POST']['user'],
+ 'password' => $serendipity['POST']['pass']
+ )
+ );
 return true;
 }
 // Now try login via COOKIE data
- } elseif ( isset($serendipity['COOKIE']['author_information']) ) {
- $cookie = unserialize(base64_decode($serendipity['COOKIE']['author_information']));
- if (serendipity_authenticate_author($cookie['username'], $cookie['password'], false, $use_external)) {
+ } elseif (isset($serendipity['COOKIE']['author_information'])) {
+ $cookie = serendipity_checkAutologin($serendipity['COOKIE']['author_information'], $serendipity['COOKIE']['author_information_iv']);
+
+ if (is_array($cookie) && serendipity_authenticate_author($cookie['username'], $cookie['password'], false, $use_external)) {
 return true;
 } else {
 serendipity_deleteCookie('author_information');
+ serendipity_deleteCookie('author_information_iv');
 return false;
 }
 }
 }
+/**
+ * Issue a new auto login cookie
+ * @param array The input data
+ */
+function serendipity_issueAutologin($array) {
+ global $serendipity;
+
+ $package = serialize($array);
+
+ if (function_exists('mcrypt_encrypt')) {
+ // Secure the package data when being stored inside the Database
+ $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC), MCRYPT_RAND);
+ $key = base64_encode($iv);
+ $package = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $package, MCRYPT_MODE_CBC, $iv);
+ serendipity_setCookie('author_information_iv', $key);
+ }
+ $package = base64_encode($package);
+
+ $rnd = md5(time() . $_SERVER['REMOTE_ADDR']);
+
+ // Delete possible current cookie
+ serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($serendipity['COOKIE']['author_information']) . "'");
+
+ // Issue new autologin cookie
+ serendipity_db_query("INSERT INTO {$serendipity['dbPrefix']}options (name, value, okey) VALUES ('" . time() . "', '" . serendipity_db_escape_string($package) . "', '" . $rnd . "')");
+ serendipity_setCookie('author_information', $rnd);
+}
+
+/**
+ * Checks a new auto login cookie
+ * @param array The input data
+ */
+function serendipity_checkAutologin($ident, $iv) {
+ global $serendipity;
+
+ // Fetch login data from DB
+ $autologin = serendipity_db_query("SELECT * FROM {$serendipity['dbPrefix']}options WHERE okey = '" . serendipity_db_escape_string($ident) . "' LIMIT 1", true, 'assoc');
+ if (!is_array($autologin)) {
+ return false;
+ }
+
+ if (function_exists('mcrypt_decrypt') && !empty($iv)) {
+ $key = $iv;
+ $iv = base64_decode($iv);
+ $cookie = unserialize(mcrypt_decrypt(MCRYPT_BLOWFISH, $key, base64_decode($autologin['value']), MCRYPT_MODE_CBC, $iv));
+ } else {
+ $cookie = unserialize(base64_decode($autologin['value']));
+ }
+
+ if ($autologin['name'] < (time()-86400)) {
+ // Issued autologin cookie has been issued more than 1 day ago. Re-Issue new cookie, invalidate old one to prevent abuse
+ serendipity_header('X-ReIssue-Cookie: +' . (time() - $autologin['name']) . 's');
+ serendipity_issueAutologin($cookie);
+ }
+
+ return $cookie;
+}
+
 /**
 * Perform user authentication routine
 *
diff --git a/include/genpage.inc.php b/include/genpage.inc.php
index 5269896..72147da 100644
--- a/include/genpage.inc.php
+++ b/include/genpage.inc.php
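Review bot: The token in serendipity_issueAutologin, `$rnd = md5(time() . $_SERVER['REMOTE_ADDR']);`, is derived only from the current second and the client address, neither of which is secret, so the `author_information` cookie value is predictable rather than random; build it from an unpredictable source instead, at minimum `$rnd = md5(uniqid(mt_rand(), true) . $_SERVER['REMOTE_ADDR']);`, or better from bytes of a cryptographic random source where the platform offers one. The age check in serendipity_checkAutologin never rejects anything: a row older than a day is re-issued under a fresh token before the caller has run serendipity_authenticate_author on the decrypted data, so a stale or stolen token keeps working for as long as the stored password is valid, which falls short of the "single-time valid" cookies the NEWS entry describes; returning `false` and deleting the row once `$autologin['name']` is outside the accepted window would give that. That re-issue path also hands `$cookie` to serendipity_issueAutologin unchecked, and `$cookie` is `false` whenever decryption or `unserialize()` fails, so `serialize(false)` would be stored as the new package; guard the call with `is_array($cookie)`. In serendipity_login, `$serendipity['COOKIE']['author_information_iv']` is read without an `isset()` check, which emits a notice whenever only the older cookie is present.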
@@ -16,7 +16,8 @@ if (!defined('S9Y_FRAMEWORK_PLUGIN_INTERNAL')) {
 $uri_addData = array(
 'startpage' => false,
- 'uriargs' => implode('/', serendipity_getUriArguments($uri, true))
+ 'uriargs' => implode('/', serendipity_getUriArguments($uri, true)),
+ 'view' => $serendipity['view']
 );
 if ((empty($uri_addData['uriargs']) || trim($uri_addData['uriargs']) == $serendipity['indexFile']) && empty($serendipity['GET']['subpage'])) {
 $uri_addData['startpage'] = true;
diff --git a/include/plugin_api_extension.inc.php b/include/plugin_api_extension.inc.php
index 3a1b06c..0e67c29 100644
--- a/include/plugin_api_extension.inc.php
+++ b/include/plugin_api_extension.inc.php
@@ -120,7 +120,7 @@ class serendipity_plugin_api_extension extends serendipity_plugin_api
 function isEmail($email) {
- $preg = '/^[a-zA-Z0-9-]+([\._a-zA-Z0-9-]+)*@(([a-zA-Z0-9-]+[\.-])+([a-zA-Z]{2,}|museum)|localhost)$/';
+ $preg = '/^[a-zA-Z0-9](([_\.-][a-zA-Z0-9]+)*)@([a-zA-Z0-9]+)(([\.-]?[a-zA-Z0-9]+)*)\.([a-zA-Z]{2,6})|localhost$/';
 return (preg_match($preg, $email) != 0);
 }
diff --git a/index.php b/index.php
index ece13db..1f4833a 100644
--- a/index.php
+++ b/index.php
@@ -79,6 +79,7 @@ if (isset($serendipity['POST']['isMultiAuth']) && is_array($serendipity['POST'][
 }
 if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range']) && is_numeric($serendipity['GET']['range'])) {
+ $serendipity['view'] = 'archives';
 $_args = $serendipity['uriArguments'];
 /* Attempt to locate hidden variables within the URI */
@@ -218,6 +219,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 echo $data;
 } else if ( preg_match(PAT_COMMENTSUB, $uri, $matches) || preg_match(PAT_PERMALINK, $uri, $matches) ) {
+ $serendipity['view'] = 'entry';
 $matches[1] = serendipity_searchPermalink($serendipity['permalinkStructure'], $uri, $matches[1], 'entry');
 serendipity_rememberComment();
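Review bot: `'view' => $serendipity['view']` in genpage.inc.php reads an index that only the index.php dispatch branches of this commit assign, so a request that reaches this file without passing through them (a plugin that includes it, for instance) would raise an undefined-index notice and hand the template `null`; `'view' => isset($serendipity['view']) ? $serendipity['view'] : ''` keeps the parameter defined either way. A short comment above the key listing the values the dispatcher can set would also spare template authors a trip through index.php. The `if` statement that follows the array continues outside the hunk.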
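Review bot: The replacement pattern in isEmail is broken by alternation precedence: the unparenthesised `|` splits the whole expression, so the left branch ends at `\.([a-zA-Z]{2,6})` with no `$` and accepts any trailing characters after the domain, which defeats the check wherever the address is later placed in a mail header, while the right branch `localhost$` has no `^` and no `@`, so any string ending in 'localhost' validates. Group the domain alternatives as the old expression did: `$preg = '/^[a-zA-Z0-9](([_\.-][a-zA-Z0-9]+)*)@(([a-zA-Z0-9]+)(([\.-]?[a-zA-Z0-9]+)*)\.([a-zA-Z]{2,6})|localhost)$/';`. Adding the `D` modifier would additionally stop `$` from matching before a trailing newline.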
@@ -270,6 +272,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 }
 print $data;
 } elseif (preg_match(PAT_PERMALINK_FEEDCATEGORIES, $uri, $matches) || preg_match(PAT_PERMALINK_FEEDAUTHORS, $uri, $matches) || preg_match(PAT_FEEDS, $uri)) {
+ $serendipity['view'] = 'feed';
 header('Content-Type: text/html; charset=utf-8');
 if (preg_match('@/(index|atom[0-9]*|rss|comments|opml)\.(rss[0-9]?|rdf|rss|xml|atom)@', $uri, $vmatches)) {
@@ -308,6 +311,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 print $data;
 exit;
 } else if (preg_match(PAT_ADMIN, $uri)) {
+ $serendipity['view'] = 'admin';
 $base = $serendipity['baseURL'];
 if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
 $base = str_replace('http://', 'https://', $base);
@@ -315,6 +319,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 header("Location: {$base}serendipity_admin.php");
 exit;
 } else if (preg_match(PAT_ARCHIVE, $uri)) {
+ $serendipity['view'] = 'archives';
 $serendipity['GET']['action'] = 'archives';
 $_args = $serendipity['uriArguments'];
 /* Attempt to locate hidden variables within the URI */
@@ -334,11 +339,13 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } else if (preg_match(PAT_PLUGIN, $uri, $matches)) {
+ $serendipity['view'] = 'plugin';
 serendipity_plugin_api::hook_event('external_plugin', $matches[2]);
 if (!defined('NO_EXIT')) {
 exit;
 }
 } else if ($is_multicat || preg_match(PAT_PERMALINK_CATEGORIES, $uri, $matches)) {
+ $serendipity['view'] = 'categories';
 if ($is_multicat) {
 $serendipity['GET']['category'] = implode(';', $serendipity['POST']['multiCat']);
@@ -379,6 +386,8 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } else if ($is_multiauth || preg_match(PAT_PERMALINK_AUTHORS, $uri, $matches)) {
+ $serendipity['view'] = 'authors';
+
 if ($is_multiauth) {
 $serendipity['GET']['viewAuthor'] = implode(';', $serendipity['POST']['multiAuth']);
 $serendipity['uriArguments'][] = PATH_AUTHORS;
@@ -416,6 +425,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } else if (preg_match(PAT_SEARCH, $uri, $matches)) {
+ $serendipity['view'] = 'search';
 $_args = $serendipity['uriArguments'];
 /* Attempt to locate hidden variables within the URI */
@@ -441,12 +451,15 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 $serendipity['GET']['searchTerm'] = urldecode(htmlspecialchars(strip_tags(implode(' ', $search))));
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } elseif (preg_match(PAT_CSS, $uri, $matches)) {
+ $serendipity['view'] = 'css';
 $css_mode = $matches[1];
 include(S9Y_INCLUDE_PATH . 'serendipity.css.php');
 exit;
 } else if (preg_match('@/(index(\.php|\.html)?)|'. preg_quote($serendipity['indexFile']) .'@', $uri) || preg_match('@^/' . preg_quote(trim($serendipity['serendipityHTTPPath'], '/')) . '/?(\?.*)?$@', $uri)) {
+ $serendipity['view'] = 'start';
+
 if ($serendipity['GET']['action'] == 'search') {
 $serendipity['uriArguments'] = array(PATH_SEARCH, urlencode($serendipity['GET']['searchTerm']));
 } else {
@@ -455,6 +468,7 @@ if (preg_match(PAT_ARCHIVES, $uri, $matches) || isset($serendipity['GET']['range
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 } else {
+ $serendipity['view'] = '404';
 header('HTTP/1.0 404 Not found');
 include(S9Y_INCLUDE_PATH . 'include/genpage.inc.php');
 // printf('
' . DOCUMENT_NOT_FOUND . '
', $uri);
@@ -484,4 +498,3 @@ if ($global_debug) {
 }
 /* vim: set sts=4 ts=4 expandtab : */
-?>