From 0ba9f5d68af4252f5dbf3d35475ebaf4fe7ce027 Mon Sep 17 00:00:00 2001
From: ethem
Date: Wed, 29 Nov 2006 11:05:56 +0000
Subject: [PATCH] + More more more security.

* Don't show login name, password and transaction key at the configuration page.
* RC4Encrypt these fields and move to the config_plugins table from the config table.
* Config page is fully https.

---
 enrol/authorize/authorizenetlib.php | 9 ++++---
 enrol/authorize/config_form.php | 23 ++++++++---------
 enrol/authorize/db/upgrade.php | 27 ++++++++++++++++++++
 enrol/authorize/enrol.php | 39 ++++++++++++++++-------------
 enrol/authorize/version.php | 2 +-
 lang/en_utf8/enrol_authorize.php | 3 ++-
 6 files changed, 67 insertions(+), 36 deletions(-)

diff --git a/enrol/authorize/authorizenetlib.php b/enrol/authorize/authorizenetlib.php
index 48d586a5ec..a507528738 100644
--- a/enrol/authorize/authorizenetlib.php
+++ b/enrol/authorize/authorizenetlib.php
@@ -97,21 +97,22 @@ function authorize_action(&$order, &$message, &$extra, $action=AN_ACTION_NONE, $
 static $conststring;
 if (!isset($conststring)) {
+ $mconfig = get_config('enrol/authorize');
 $constdata = array(
 'x_version' => '3.1',
 'x_delim_data' => 'True',
 'x_delim_char' => AN_DELIM,
 'x_encap_char' => AN_ENCAP,
 'x_relay_response' => 'FALSE',
- 'x_login' => $CFG->an_login
+ 'x_login' => urlencode(rc4decrypt($mconfig->an_login))
 );
 $str = '';
 foreach($constdata as $ky => $vl) {
 $str .= $ky . '=' . urlencode($vl) . '&';
 }
- $str .= (!empty($CFG->an_tran_key)) ?
- 'x_tran_key=' . urlencode($CFG->an_tran_key):
- 'x_password=' . urlencode($CFG->an_password);
+ $str .= (!empty($mconfig->an_tran_key)) ?
+ 'x_tran_key=' . urlencode(rc4decrypt($mconfig->an_tran_key)):
+ 'x_password=' . urlencode(rc4decrypt($mconfig->an_password));
 $conststring = $str;
 $str = '';
diff --git a/enrol/authorize/config_form.php b/enrol/authorize/config_form.php
index 87f8e0ac8c..97b7c5a0a6 100755
--- a/enrol/authorize/config_form.php
+++ b/enrol/authorize/config_form.php
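Review bot: `'x_login' => urlencode(rc4decrypt($mconfig->an_login))` is URL-encoded a second time by the `foreach` that follows (`$str .= $ky . '=' . urlencode($vl) . '&'`), so a login name containing any reserved character (`@`, `+`, a space) reaches the gateway as `%25xx` and the request is rejected; the entry should be `'x_login' => rc4decrypt($mconfig->an_login)`, as for the other `$constdata` values, whereas the `x_tran_key`/`x_password` branch sits outside the loop and is encoded once, correctly. Separately, `rc4decrypt` is by construction reversible by the application itself, so the stored values are obfuscated at rest rather than protected from anyone with the same database and code access; a short comment next to the `$mconfig` line, e.g. `// gateway credentials are stored rc4-obfuscated in config_plugins; decrypted only here`, would keep the next maintainer from reading more into it. This hunk is inside `authorize_action`, whose body starts and ends outside it.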
@@ -84,37 +84,34 @@ if (!isset($frm->acceptechecktypes)) {

- an_login: -
- +    + - # #  - + an_login:
an_login)) ? ''.get_string('ok').'' : ''; ?> +
* - an_tran_key: - #1
- + an_tran_key:
an_tran_key)) ? ''.get_string('ok').'' : ''; ?> +
#1 - an_password: - #2
-
() + an_password:
an_password)) ? ''.get_string('ok').'' : ''; ?> +
#2 delete_current: delete_current)) ?>
-

+

an_referer: -
+
diff --git a/enrol/authorize/db/upgrade.php b/enrol/authorize/db/upgrade.php
index 214f7262fb..5a4ec88831 100644
--- a/enrol/authorize/db/upgrade.php
+++ b/enrol/authorize/db/upgrade.php
@@ -32,6 +32,33 @@ function xmldb_enrol_authorize_upgrade($oldversion=0) {
 }
 }
+ if ($result && $oldversion < 2006112900) {
+ if (isset($CFG->an_login)) {
+ if (empty($CFG->an_login)) {
+ unset_config('an_login');
+ }
+ else {
+ $result = $result && set_config('an_login', rc4encrypt($CFG->an_login), 'enrol/authorize') && unset_config('an_login');
+ }
+ }
+ if (isset($CFG->an_tran_key)) {
+ if (empty($CFG->an_tran_key)) {
+ unset_config('an_tran_key');
+ }
+ else {
+ $result = $result && set_config('an_tran_key', rc4encrypt($CFG->an_tran_key), 'enrol/authorize') && unset_config('an_tran_key');
+ }
+ }
+ if (isset($CFG->an_password)) {
+ if (empty($CFG->an_password)) {
+ unset_config('an_password');
+ }
+ else {
+ $result = $result && set_config('an_password', rc4encrypt($CFG->an_password), 'enrol/authorize') && unset_config('an_password');
+ }
+ }
+ }
+
 return $result;
 }
diff --git a/enrol/authorize/enrol.php b/enrol/authorize/enrol.php
index f2cc02a563..c32e22c9e3 100755
--- a/enrol/authorize/enrol.php
+++ b/enrol/authorize/enrol.php
@@ -405,6 +405,7 @@ class enrolment_plugin_authorize
 function config_form($frm) {
 global $CFG;
+ $mconfig = get_config('enrol/authorize');
 if (! check_openssl_loaded()) {
 notify('PHP must be compiled with SSL support (--with-openssl)');
@@ -427,7 +428,6 @@ class enrolment_plugin_authorize
 $captureday = intval($frm->an_capture_day);
 $emailexpired = intval($frm->an_emailexpired);
 if ($captureday > 0 || $emailexpired > 0) {
- $mconfig = get_config('enrol/authorize');
 if ((time() - intval($mconfig->an_lastcron) > 3600 * 24)) {
 notify(get_string('admincronsetup', 'enrol_authorize'));
 }
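Review bot: The three migration blocks in the upgrade step are identical apart from the setting name, and the `empty()` branches discard the return value of `unset_config(...)` while the `else` branches fold it into `$result`, so a failed removal of an empty legacy row goes unnoticed; a loop over the three names removes the duplication and makes the result handling uniform. `isset($CFG->an_login)` relies on `$CFG` being in scope in `xmldb_enrol_authorize_upgrade`, whose `global` declaration, if any, is above the hunk — worth confirming. After the move the plaintext values still sit on `$CFG` in memory for the rest of the upgrade request, which is unavoidable here; the important part is that `unset_config` removes the only persisted plaintext copy, so a failure there should fail the upgrade rather than be ignored.
```php
    if ($result && $oldversion < 2006112900) {
        // Move the gateway credentials out of the shared config table into the
        // plugin's own scope, rc4-obfuscated; the plaintext rows are removed and
        // every step feeds $result so a failed removal fails the upgrade.
        foreach (array('an_login', 'an_tran_key', 'an_password') as $name) {
            if (!isset($CFG->$name)) {
                continue;
            }
            if (empty($CFG->$name)) {
                $result = $result && unset_config($name);
            } else {
                $result = $result && set_config($name, rc4encrypt($CFG->$name), 'enrol/authorize')
                                  && unset_config($name);
            }
        }
    }
```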
@@ -442,10 +442,10 @@ class enrolment_plugin_authorize
 }
 if (data_submitted()) {
- if (empty($frm->an_login)) {
+ if (empty($mconfig->an_login)) {
 notify("an_login required");
 }
- if (empty($frm->an_tran_key) && empty($frm->an_password)) {
+ if (empty($mconfig->an_tran_key) && empty($mconfig->an_password)) {
 notify("an_tran_key or an_password required");
 }
 }
@@ -464,6 +464,7 @@ class enrolment_plugin_authorize
 function process_config($config) {
 global $CFG;
+ $mconfig = get_config('enrol/authorize');
 // site settings
 if (($cost = optional_param('enrol_cost', 5, PARAM_INT)) > 0) {
@@ -502,7 +503,6 @@ class enrolment_plugin_authorize
 $emailexpired = ($emailexpired > 5) ? 5 : (($emailexpired < 0) ? 0 : $emailexpired);
 if (!empty($reviewval) && ($captureday > 0 || $emailexpired > 0)) {
- $mconfig = get_config('enrol/authorize');
 if (time() - intval($mconfig->an_lastcron) > 3600 * 24) {
 return false;
 }
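Review bot: The required-field warnings in `config_form` now test the stored `$mconfig` values instead of the submitted `$frm` fields, and `$mconfig` is read once at the top of `config_form` (the @@ -405 hunk), so whether a login entered on this very submission is seen here depends on `process_config` having persisted it before `config_form` renders — that ordering is outside this diff and worth confirming, otherwise the first successful save would still print `"an_login required"`. Re-reading the plugin config inside the `data_submitted()` branch, `$mconfig = get_config('enrol/authorize');`, would make the warning independent of that ordering. The enclosing method starts and ends outside the hunk.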
@@ -520,30 +520,35 @@ class enrolment_plugin_authorize
 return false;
 }
- // required fields
+ // REQUIRED fields;
+ // an_login
 $loginval = optional_param('an_login', '');
- if (empty($loginval)) {
+ if (empty($loginval) && empty($mconfig->an_login)) {
 return false;
 }
- set_config('an_login', $loginval);
+ $loginval = !empty($loginval) ? rc4encrypt($loginval) : strval($mconfig->an_login);
+ set_config('an_login', $loginval, 'enrol/authorize');
+ // an_tran_key, an_password
 $tranval = optional_param('an_tran_key', '');
+ $tranval = !empty($tranval) ? rc4encrypt($tranval) : (isset($mconfig->an_tran_key)?$mconfig->an_tran_key:'');
 $passwordval = optional_param('an_password', '');
- $deletecurrent = optional_param('delete_current', '');
-
- if (!empty($passwordval)) { // password is changing
- set_config('an_password', $passwordval);
+ $passwordval = !empty($passwordval) ? rc4encrypt($passwordval) :(isset($mconfig->an_password)?$mconfig->an_password:'');
+ $deletecurrent = optional_param('delete_current', '0', PARAM_BOOL);
+ if (!empty($deletecurrent) and !empty($tranval)) {
+ unset_config('an_password', 'enrol/authorize');
+ $passwordval = '';
 }
- elseif (!empty($deletecurrent) and !empty($tranval)) {
- set_config('an_password', '');
- $CFG->an_password = '';
+ elseif (!empty($passwordval)) {
+ set_config('an_password', $passwordval, 'enrol/authorize');
 }
-
- if (empty($tranval) and empty($CFG->an_password)) {
+ if (empty($tranval) and empty($passwordval)) {
 return false;
 }
+ if (!empty($tranval)) {
+ set_config('an_tran_key', $tranval, 'enrol/authorize');
+ }
- set_config('an_tran_key', $tranval);
 return true;
 }
diff --git a/enrol/authorize/version.php b/enrol/authorize/version.php
index 5fb02e57ab..4b8f6c9464 100755
--- a/enrol/authorize/version.php
+++ b/enrol/authorize/version.php
@@ -1,6 +1,6 @@
version = 2006111700;
+$plugin->version = 2006112900;
 $plugin->requires = 2006100401;
 ?>
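Review bot: A stored transaction key can no longer be cleared from this form: `$tranval` falls back to `$mconfig->an_tran_key` whenever the field is left blank and `set_config('an_tran_key', ...)` now runs only `if (!empty($tranval))`, whereas the removed unconditional `set_config('an_tran_key', $tranval)` overwrote it, so an admin who wants to move from a key back to a password (or rotate a compromised key out) has no path here; either honour a blank field as "remove" when a password is present, or state in the form that the key is write-only. `set_config('an_login', $loginval, 'enrol/authorize')` is also persisted before the `empty($tranval) and empty($passwordval)` check can `return false`, so a rejected submission still half-saves; moving that call after the check keeps the save atomic. The three credential fields are still read with `optional_param('an_login', '')` and no explicit type while the new `delete_current` gets `PARAM_BOOL`; if the default cleaning can alter characters (presumably, given it is a cleaning mode), the value being `rc4encrypt`ed may not be what the admin typed, which surfaces only as an authentication failure at the gateway. The enclosing `process_config` starts outside the hunk.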
diff --git a/lang/en_utf8/enrol_authorize.php b/lang/en_utf8/enrol_authorize.php
index ed4cd794ff..27307b1657 100644
--- a/lang/en_utf8/enrol_authorize.php
+++ b/lang/en_utf8/enrol_authorize.php
@@ -1,5 +1,5 @@
Please ensure that you have turned url\">loginhttps ON in Admin >> Variables >> Security.

Turning this on will make Moodle use a secure https connection just for the login and payment pages.';
+$string['logininfo'] = 'Login name, password and transaction key aren\'t shown due to security measure. There is no need to enter again if you have configured these fields before. You see a green text near the field if some fields were configured. If you enter first time these fields, the login name (*) is required and you must enter either the transaction key (#1) or the password (#2) in the appropriate box. We recommend you enter the transaction key due to more security measure. If you want to delete the current password tick the checkbox.';
 $string['methodcc'] = 'Credit Card';
 $string['methodecheck'] = 'eCheck (ACH)';
 $string['missingaba'] = 'Missing ABA number';
-- 
2.39.5