 /**
  * Load the request key
  *
  * Derives the per-site fingerprint hash from the server environment, the
  * username of an established session and SITE_ID, and stores it in
  * self::$site_hash (presumably read by generate()/validate()). The username
  * is left out when the session is inactive or was only created on this
  * request, so a key issued before login is never bound to a user.
  * @param object $session session interface
  * @param object $request request object
  * @param bool $just_logged_in true if the session was created on this request
  * @return void
  */
 public static function load($session, $request, $just_logged_in)
 {
     /* only tie the key to a username once the session is established */
     $name = ($session->is_active() && !$just_logged_in) ? $session->get('username', false) : '';
     self::$site_hash = $session->build_fingerprint($request->server, $name . SITE_ID);
 }
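 /**
  * Build the MIME parts for the attachments of this message
  *
  * Each stored attachment is read from disk, decrypted with the request key
  * and emitted as a base64 encoded part delimited by $this->boundary. Files
  * that cannot be read or do not decrypt to anything are skipped. The type
  * and name taken from the attachment metadata are stripped of CR, LF and
  * double quotes before they are placed in the MIME headers, so a crafted
  * file name cannot close the quoted parameter or add extra header lines.
  * @return string concatenated MIME parts, empty when nothing was attached
  */
 function process_attachments()
 {
     $res = '';
     $key = Hm_Request_Key::generate();
     foreach ($this->attachments as $file) {
         /* @ keeps the original behaviour of not warning about a missing file */
         $raw = @file_get_contents($file['filename']);
         if ($raw === false) {
             continue;
         }
         $content = Hm_Crypt::plaintext($raw, $key);
         if (!$content) {
             continue;
         }
         $content = chunk_split(base64_encode($content));
         /* header parameter values must not contain line breaks or quotes */
         $type = str_replace(array("\r", "\n", '"'), '', (string) $file['type']);
         $name = str_replace(array("\r", "\n", '"'), '', (string) $file['name']);
         $res .= sprintf("\r\n--%s\r\nContent-Type: %s; name=\"%s\"\r\nContent-Description: %s\r\n" . "Content-Disposition: attachment; filename=\"%s\"\r\nContent-Transfer-Encoding: base64\r\n\r\n%s", $this->boundary, $type, $name, $name, $name, $content);
     }
     return $res;
 }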
 /**
  * Run the SwipeIdentity second factor check for a new session or one that
  * has not completed it yet
  *
  * Handles the two POST inputs of the flow: sms_number registers a phone
  * number with the api, 2fa_sms_response answers a delivered code. The
  * '2fa_required' session flag stays set until the api accepts an answer;
  * the 2fa_* output values are consumed by the output modules.
  * @return void
  */
 public function process()
 {
     /* new session or one not passed the second auth */
     if ($this->session->loaded || $this->session->get('2fa_required', false)) {
         /* ini file location */
         $ini_file = rtrim($this->config->get('app_data_dir', ''), '/') . '/swipeidentity.ini';
         /* data for the swipe api */
         $swipe_username = $this->session->get('username', false);
         $swipe_address = $this->request->server['REMOTE_ADDR'];
         /* the second factor counts as outstanding until the api accepts an answer */
         $required = true;
         /* get api config and object */
         list($api, $api_config) = setup_swipe_api($ini_file);
         $started = start_api($api, $api_config);
         if (!$started) {
             /* NOTE(review): there is no early return here, so the api calls below
              * still run after a failed start; confirm that 2fa_fatal stops output */
             $this->out('2fa_fatal', true);
         }
         /* get current 2fa state; a posted sms code implies a code was delivered */
         if (!array_key_exists('2fa_sms_response', $this->request->post)) {
             $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
         } else {
             $state = RC_SMS_DELIVERED;
         }
         /* pass a key and no redirect flag to the output modules */
         $this->out('no_redirect', true);
         Hm_Request_Key::load($this->session, $this->request, false);
         $this->out('2fa_key', Hm_Request_Key::generate());
         $sms_number = false;
         $sms_response = false;
         /* if the user has not registered a phone number yet look for one in POST */
         /* NOTE(review): state comparisons below use loose ==; fine as long as
          * the state constants and the api return values are the same type */
         if ($state == NEED_REGISTER_SMS && array_key_exists('sms_number', $this->request->post)) {
             /* remove non numeric delimiters */
             $sms_number = preg_replace("/[^\\d]/", "", $this->request->post['sms_number']);
             /* US phone numbers only for now */
             if (preg_match("/^1\\d{10}\$/", $sms_number)) {
                 $submit_number = $sms_number;
                 /* set the phone number using the api */
                 $api->setUserSmsNumber($swipe_username, $api_config["com.swipeidentity.api.appcode"], $submit_number);
                 /* refetch the status */
                 $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
                 /* number rejected by swipe */
                 if ($state == NEED_REGISTER_SMS) {
                     $this->out('2fa_error', 'Invalid phone number');
                 }
             } else {
                 $this->out('2fa_error', 'Invalid phone number format');
             }
         } elseif ($state == RC_SMS_DELIVERED && array_key_exists('2fa_sms_response', $this->request->post)) {
             /* the code is exactly five digits; anything else is rejected before hitting the api */
             if (preg_match("/^\\d{5}\$/", $this->request->post['2fa_sms_response'])) {
                 $sms_response = $this->request->post['2fa_sms_response'];
                 /* validate the sms response with the api */
                 $resp = $api->answerSMS($swipe_username, $api_config["com.swipeidentity.api.appcode"], $sms_response);
                 /* success! allow the user to login */
                 if ($resp->getReturnCode() == RC_SMS_ANSWER_ACCEPTED) {
                     $required = false;
                 } else {
                     /* wrong answer: refresh the state (the message assumes the api resends a code) */
                     $state = get_secondfactor_state($api, $api_config, $swipe_username, $swipe_address);
                     $this->out('2fa_error', 'Response did not match! A new sms code has been sent');
                 }
             } else {
                 $this->out('2fa_error', 'Incorrectly formatted response, please re-enter the sms code');
             }
         }
         /* if required is true we still have not completed the 2fa */
         if ($required) {
             /* pass required flag to modules */
             $this->session->set('2fa_required', true);
             $this->out('2fa_required', true);
             $this->out('2fa_state', $state);
             /* close the session early */
             $this->session->close_early();
         } else {
             /* unset any previously set required flags */
             $this->session->set('2fa_required', false);
             $this->out('2fa_required', false);
         }
     }
 }
 /**
  * Exercise process_key() with an empty POST, an invalid key on a page and
  * an AJAX request, and a key matching the mocked fingerprint
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 public function test_process_key()
 {
     /* TODO: fix assertions */
     $session = new Hm_Mock_Session();
     $request = new Hm_Mock_Request('AJAX');
     Hm_Request_Key::load($session, $request, false);

     /* nothing posted: nothing to validate */
     $this->handler_mod->request->post = [];
     $request->post = [];
     $this->assertFalse($this->handler_mod->process_key());

     /* bogus key on a page request: redirect */
     $request->post['hm_page_key'] = 'asdf';
     $this->handler_mod->request->post['hm_page_key'] = 'asdf';
     Hm_Request_Key::load($session, $request, false);
     $this->assertEquals('redirect', $this->handler_mod->process_key());

     /* bogus key on an AJAX request: exit */
     $this->handler_mod->request->type = 'AJAX';
     $this->assertEquals('exit', $this->handler_mod->process_key());

     /* key matching the mocked fingerprint: accepted */
     $this->handler_mod->request->post['hm_page_key'] = 'fakefingerprint';
     $this->assertFalse($this->handler_mod->process_key());
 }
 /**
  * Build the HTML for the add contact form
  *
  * The form carries the request key as a hidden field so the POST can be
  * validated by process_key().
  * @return string
  */
 protected function output()
 {
     $key_field = '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />';
     $fields = array(
         '<label class="screen_reader" for="contact_email">' . $this->trans('E-mail Address') . '</label>',
         '<input autofocus required placeholder="' . $this->trans('E-mail Address') . '" id="contact_email" type="email" name="contact_email" /> *<br />',
         '<label class="screen_reader" for="contact_name">' . $this->trans('Full Name') . '</label>',
         '<input required placeholder="' . $this->trans('Full Name') . '" id="contact_name" type="text" name="contact_name" /> *<br />',
         '<label class="screen_reader" for="contact_phone">' . $this->trans('Telephone Number') . '</label>',
         '<input placeholder="' . $this->trans('Telephone Number') . '" id="contact_phone" type="text" name="contact_phone" /><br />',
         '<input class="add_contact_submit" type="submit" name="add_contact" value="' . $this->trans('Add') . '" />',
     );
     return '<div class="add_server"><div class="server_title">' . $this->trans('Add') . '</div>' .
         '<form class="add_contact_form" method="POST">' . $key_field . implode('', $fields) . '</form></div>';
 }
 /**
  * Build the HTML for the add/update local contact form
  *
  * With a 'current_contact' record the fields are pre-filled from it and
  * the form submits as an update carrying the contact id; otherwise it is
  * an empty add form. Pre-filled values are escaped with html_safe().
  * @return string
  */
 protected function output()
 {
     $current = $this->get('current_contact', array());
     $editing = !empty($current);
     /* missing keys in the record fall back to an empty field */
     $email = ($editing && array_key_exists('email_address', $current)) ? $current['email_address'] : '';
     $name = ($editing && array_key_exists('display_name', $current)) ? $current['display_name'] : '';
     $phone = ($editing && array_key_exists('phone_number', $current)) ? $current['phone_number'] : '';
     if ($editing) {
         $title = $this->trans('Update Local Contact');
         $button = '<input type="hidden" name="contact_id" value="' . $this->html_safe($current['id']) . '" />' .
             '<input class="edit_contact_submit" type="submit" name="edit_contact" value="' . $this->trans('Update') . '" />';
     } else {
         $title = $this->trans('Add Local Contact');
         $button = '<input class="add_contact_submit" type="submit" name="add_contact" value="' . $this->trans('Add') . '" />';
     }
     $fields = array(
         '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />',
         '<label class="screen_reader" for="contact_email">' . $this->trans('E-mail Address') . '</label>',
         '<input autofocus required placeholder="' . $this->trans('E-mail Address') . '" id="contact_email" type="email" name="contact_email" ' .
             'value="' . $this->html_safe($email) . '" /> *<br />',
         '<label class="screen_reader" for="contact_name">' . $this->trans('Full Name') . '</label>',
         '<input required placeholder="' . $this->trans('Full Name') . '" id="contact_name" type="text" name="contact_name" ' .
             'value="' . $this->html_safe($name) . '" /> *<br />',
         '<label class="screen_reader" for="contact_phone">' . $this->trans('Telephone Number') . '</label>',
         '<input placeholder="' . $this->trans('Telephone Number') . '" id="contact_phone" type="text" name="contact_phone" ' .
             'value="' . $this->html_safe($phone) . '" /><br />',
         $button,
         ' <input type="button" class="reset_contact" value="' . $this->trans('Reset') . '" />',
     );
     return '<div class="add_server"><div class="server_title">' . $title . '</div>' .
         '<form class="add_contact_form" method="POST">' . implode('', $fields) . '</form></div>';
 }
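 /**
  * Build HTML for configured POP3 servers on the servers page
  *
  * Every stored value placed in an attribute (server name, address, port,
  * list index and the saved username) goes through html_safe(), so a saved
  * credential or server name containing quotes cannot break out of its
  * attribute. The Default-Auth-Server entry is rendered read-only.
  * @return string
  */
 protected function output()
 {
     $res = '';
     foreach ($this->get('pop3_servers', array()) as $index => $vals) {
         $no_edit = false;
         $safe_index = $this->html_safe($index);
         $key = $this->html_safe(Hm_Request_Key::generate());
         if (isset($vals['user'])) {
             /* credentials already saved: show the username read-only, never the password */
             $disabled = 'disabled="disabled"';
             $user_pc = $this->html_safe($vals['user']);
             $pass_pc = $this->trans('[saved]');
         } else {
             $user_pc = '';
             $pass_pc = $this->trans('Password');
             $disabled = '';
         }
         if ($vals['name'] === 'Default-Auth-Server') {
             $vals['name'] = $this->trans('Default');
             $no_edit = true;
         }
         $res .= '<div class="configured_server">';
         $res .= sprintf('<div class="server_title">%s</div><div class="server_subtitle">%s/%d %s</div>', $this->html_safe($vals['name']), $this->html_safe($vals['server']), $this->html_safe($vals['port']), !empty($vals['tls']) ? 'TLS' : '');
         $res .= '<form class="pop3_connect" method="POST">' .
             '<input type="hidden" name="hm_page_key" value="' . $key . '" />' .
             '<input type="hidden" name="pop3_server_id" value="' . $safe_index . '" /><span> ' .
             '<label class="screen_reader" for="pop3_user_' . $safe_index . '">' . $this->trans('POP3 username') . '</label>' .
             '<input ' . $disabled . ' id="pop3_user_' . $safe_index . '" class="credentials" placeholder="' . $this->trans('Username') . '" type="text" name="pop3_user" value="' . $user_pc . '"></span>' .
             '<span> <label class="screen_reader" for="pop3_password_' . $safe_index . '">' . $this->trans('POP3 password') . '</label>' .
             '<input ' . $disabled . ' id="pop3_password_' . $safe_index . '" class="credentials pop3_password" placeholder="' . $pass_pc . '" type="password" name="pop3_pass"></span>';
         if (!$no_edit) {
             $res .= '<input type="submit" value="Test" class="test_pop3_connect" />';
             /* delete is offered in both states; save vs forget depends on stored credentials */
             $res .= '<input type="submit" value="' . $this->trans('Delete') . '" class="delete_pop3_connection" />';
             if (!isset($vals['user']) || !$vals['user']) {
                 $res .= '<input type="submit" value="' . $this->trans('Save') . '" class="save_pop3_connection" />';
             } else {
                 $res .= '<input type="submit" value="' . $this->trans('Forget') . '" class="forget_pop3_connection" />';
             }
             $res .= '<input type="hidden" value="ajax_pop3_debug" name="hm_ajax_hook" />';
         }
         $res .= '</form></div>';
     }
     $res .= '<br class="clear_float" /></div></div>';
     return $res;
 }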
 /**
  * Build the HTML for the feeds section of the servers page
  *
  * Only renders for the HTML5 output format; any other format gets no
  * output at all.
  * @return string|null
  */
 protected function output()
 {
     if ($this->format != 'HTML5') {
         return;
     }
     $count = sprintf($this->trans('%d configured'), count($this->get('feeds', array())));
     $key = $this->html_safe(Hm_Request_Key::generate());
     $parts = array(
         '<div class="feed_server_setup"><div data-target=".feeds_section" class="server_section">',
         '<img alt="" src="' . Hm_Image_Sources::$rss . '" width="16" height="16" />',
         ' ' . $this->trans('Feeds') . ' <div class="server_count">' . $count . '</div></div><div class="feeds_section"><form class="add_server" method="POST">',
         '<input type="hidden" name="hm_page_key" value="' . $key . '" />',
         '<div class="subtitle">' . $this->trans('Add an RSS/ATOM Feed') . '</div><table>',
         '<tr><td><label class="screen_reader" for="new_feed_name">' . $this->trans('Feed name') . '</label>',
         '<input required type="text" id="new_feed_name" name="new_feed_name" class="txt_fld" value="" placeholder="' . $this->trans('Feed name') . '" /></td></tr>',
         '<tr><td><label for="new_feed_address" class="screen_reader">' . $this->trans('Site address or feed URL') . '</label>',
         '<input required type="url" id="new_feed_address" name="new_feed_address" class="txt_fld" placeholder="' . $this->trans('Site address or feed URL') . '" value="" /></td></tr>',
         '<tr><td><input type="submit" value="' . $this->trans('Add') . '" name="submit_feed" /></td></tr>',
         '</table></form>',
     );
     return implode('', $parts);
 }
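 /**
  * Build the HTML for the Github connect section of the servers page
  *
  * Shows an enable link when no connection details exist, otherwise a
  * disconnect form protected by the request key. Three wrapper divs are
  * opened at the top; both branches now close them so the markup is
  * balanced whichever path is taken (the connected branch used to leave
  * two open).
  * @return string
  */
 protected function output()
 {
     $details = $this->get('github_connect_details', array());
     $res = '<div class="github_connect"><div data-target=".github_connect_section" class="server_section">' .
         '<img src="' . Hm_Image_Sources::$code . '" alt="" width="16" height="16" /> ' .
         $this->trans('Github Connect') . '</div><div class="github_connect_section"><div class="add_server">';
     if (empty($details)) {
         $res .= 'Connect to Github<br /><br />';
         /* the auth url is an attribute value, so it is escaped like every other one */
         $res .= '<a href="' . $this->html_safe($this->get('github_auth_url', '')) . '">' . $this->trans('Enable') . '</a></div></div>';
     } else {
         $res .= $this->trans('Already connected');
         $res .= '<br /><form method="POST">';
         $res .= '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />';
         $res .= '<input type="submit" name="github_disconnect" class="github_disconnect" value="' . $this->trans('Disconnect') . '" />';
         /* close add_server and github_connect_section; the outer div is closed below */
         $res .= '</form></div></div>';
     }
     return $res . '</div>';
 }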
 /**
  * Outputs save form
  *
  * Lists the unsaved settings from 'changed_settings' (one entry per
  * distinct name with how often it changed) above a form that asks for the
  * password again before anything is persisted.
  * @return string
  */
 protected function output()
 {
     $changed = $this->get('changed_settings', array());
     $notice = $this->trans('Settings are not saved permanently on the server unless you explicitly allow it. ' . 'If you don\'t save your settings, any changes made since you last logged in will be deleted when your ' . 'session expires or you logout. You must re-enter your password for security purposes to save your settings ' . 'permanently.');
     $items = '';
     if (empty($changed)) {
         $items = '<li>' . $this->trans('No changes need to be saved') . '</li>';
     } else {
         foreach (array_count_values($changed) as $change => $num) {
             $items .= '<li>' . $this->trans($change) . ' (' . $this->html_safe($num) . 'X)</li>';
         }
     }
     $form = '<form method="post">' .
         '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />' .
         '<label class="screen_reader" for="password">Password</label><input required id="password" ' .
         'name="password" class="save_settings_password" type="password" placeholder="' . $this->trans('Password') . '" />' .
         '<input class="save_settings" type="submit" name="save_settings_permanently" value="' . $this->trans('Save') . '" />' .
         '<input class="save_settings" type="submit" name="save_settings_permanently_then_logout" value="' . $this->trans('Save and Logout') . '" />' .
         '</form>';
     return '<div class="save_settings_page"><div class="content_title">' . $this->trans('Save Settings') . '</div>' .
         '<div class="save_details">' . $notice .
         '<div class="save_subtitle">' . $this->trans('Unsaved Changes') . '</div>' .
         '<ul class="unsaved_settings">' . $items . '</ul></div><div class="save_perm_form">' . $form . '</div>' .
         '</div>';
 }
 /**
  * The mocked fingerprint value must be accepted by validate()
  * @preserveGlobalState disabled
  * @runInSeparateProcess
  */
 public function test_key_validate()
 {
     $accepted = Hm_Request_Key::validate('fakefingerprint');
     $this->assertTrue($accepted);
 }
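 /**
  * Build the HTML for the change password form
  *
  * Only rendered when 'internal_users' is set. The hidden request key is
  * passed through html_safe() like every other form on this page does.
  * @return string empty when internal users are not enabled
  */
 protected function output()
 {
     $res = '';
     if ($this->get('internal_users')) {
         $fields = array(
             '<div class="chg_pass_page"><div class="content_title">' . $this->trans('Change Password') . '</div>',
             '<div class="change_pass"><form method="POST">',
             '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />',
             '<label class="screen_reader" for="new_pass1">' . $this->trans('New password') . '</label>',
             '<input required type="password" id="new_pass1" name="new_pass1" placeholder="' . $this->trans('New password') . '" /><br />',
             '<label class="screen_reader" for="new_pass2">' . $this->trans('New password again') . '</label>',
             '<input required type="password" id="new_pass2" name="new_pass2" placeholder="' . $this->trans('New password again') . '" /><br />',
             '<label class="screen_reader" for="old_pass">' . $this->trans('Current password') . '</label>',
             '<input required type="password" id="old_pass" name="old_pass" placeholder="' . $this->trans('Current password') . '" /><br />',
             '<input type="submit" name="change_password" value="' . $this->trans('Update') . '" />',
             '</form></div></div>',
         );
         $res = implode('', $fields);
     }
     return $res;
 }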
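 /**
  * Build the HTML for the WordPress.com connect section of the servers page
  *
  * Shows an enable link when no connection details exist, otherwise a
  * disconnect form protected by the request key. The auth url is escaped
  * with html_safe() before it is placed in the href attribute.
  * @return string
  */
 protected function output()
 {
     $details = $this->get('wp_connect_details', array());
     $res = '<div class="wordpress_connect"><div data-target=".wordpress_connect_section" class="server_section">' .
         '<img src="' . Hm_Image_Sources::$key . '" alt="" width="16" height="16" /> ' .
         $this->trans('WordPress.com Connect') . '</div><div class="wordpress_connect_section">';
     if (empty($details)) {
         $res .= 'Connect to WordPress.com to view notifications and posts.<br /><br />';
         /* attribute context: escape the url like every other attribute value */
         $res .= '<a href="' . $this->html_safe($this->get('wp_auth_url', '')) . '">' . $this->trans('Enable') . '</a></div></div>';
     } else {
         $res .= $this->trans('Already connected');
         $res .= '<br /><form method="POST">';
         $res .= '<input type="hidden" name="hm_page_key" value="' . $this->html_safe(Hm_Request_Key::generate()) . '" />';
         $res .= '<input type="submit" name="wp_disconnect" class="wp_disconnect" value="' . $this->trans('Disconnect') . '" />';
         $res .= '</form></div></div>';
     }
     return $res;
 }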
 /**
  * Destroy a session for good
  *
  * Removes uploaded files when that helper is available, deletes the server
  * side session row, expires both the session cookie and hm_id, marks the
  * session inactive and reloads the request key without a user bound to it.
  * @param object $request request details
  * @return void
  */
 public function destroy($request)
 {
     if (function_exists('delete_uploaded_files')) {
         delete_uploaded_files($this);
     }
     if ($this->dbh) {
         /* parameterised: the session key never becomes part of the SQL text */
         $stmt = $this->dbh->prepare("delete from hm_user_session where hm_id=?");
         $stmt->execute(array($this->session_key));
     }
     /* an expiry in the past makes the browser drop the cookies */
     $expired = time() - 3600;
     foreach (array($this->cname, 'hm_id') as $cookie_name) {
         $this->secure_cookie($request, $cookie_name, '', $expired);
     }
     $this->active = false;
     Hm_Request_Key::load($this, $request, false);
 }
 /**
  * Perform a new login if the form was submitted, otherwise check for and continue a session if it exists
  *
  * Skipped entirely while 'create_username' is set. The request key is
  * always (re)loaded afterwards and the posted page key validated; a
  * session created on this request gets a key without the username in it
  * (see Hm_Request_Key::load).
  * @return void
  */
 public function process()
 {
     $creating_user = $this->get('create_username', false);
     if (!$creating_user) {
         list($success, $form) = $this->process_form(array('username', 'password'));
         if (!$success) {
             /* no credentials posted: resume an existing session if there is one */
             $this->session->check($this->request);
         } else {
             $username = rtrim($form['username']);
             $this->session->check($this->request, $username, $form['password']);
             $this->session->set('username', $username);
         }
         if ($this->session->is_active()) {
             Hm_Page_Cache::load($this->session);
             $this->out('changed_settings', $this->session->get('changed_settings', array()), false);
         }
     }
     Hm_Request_Key::load($this->session, $this->request, $this->session->loaded);
     $this->process_key();
 }
 /**
  * Validate a form key. If this is a non-empty POST form from an
  * HTTP request or AJAX update, it will take the user to the home
  * page if the page_key value is either not present or not valid
  *
  * The hm_page_key field is the per-session request key every POST form
  * on this page embeds; a missing or mismatching value is treated as a
  * forged request. On a page request the loaded session is destroyed
  * before the redirect.
  * @return string|false 'exit' after a failed AJAX check, 'redirect' after a
  *         failed page check, false when nothing was posted or the key is valid
  */
 public function process_key()
 {
     if (empty($this->request->post)) {
         return false;
     }
     $post = $this->request->post;
     $key = array_key_exists('hm_page_key', $post) ? $post['hm_page_key'] : false;
     if (Hm_Request_Key::validate($key)) {
         return false;
     }
     if ($this->request->type == 'AJAX') {
         if (DEBUG_MODE) {
             Hm_Debug::add('REQUEST KEY check failed');
             Hm_Debug::load_page_stats();
             Hm_Debug::show('log');
         }
         Hm_Functions::cease(json_encode(array('status' => 'not callable')));
         return 'exit';
     }
     /* page request with a bad key: drop the session, then bounce home */
     if ($this->session->loaded) {
         $this->session->destroy($this->request);
     }
     Hm_Debug::add('REQUEST KEY check failed');
     Hm_Dispatch::page_redirect('?page=home');
     return 'redirect';
 }
 /**
  * Build the HTML for the add server dialog
  *
  * Renders the IMAP section header with the number of configured servers
  * and the add form, which carries the request key as a hidden field.
  * @return string
  */
 protected function output()
 {
     $count = sprintf($this->trans('%d configured'), count($this->get('imap_servers', array())));
     $key = $this->html_safe(Hm_Request_Key::generate());
     $parts = array(
         '<div class="imap_server_setup"><div data-target=".imap_section" class="server_section">',
         '<img alt="" src="' . Hm_Image_Sources::$env_closed . '" width="16" height="16" />',
         ' ' . $this->trans('IMAP Servers') . '<div class="server_count">' . $count . '</div></div><div class="imap_section"><form class="add_server" method="POST">',
         '<input type="hidden" name="hm_page_key" value="' . $key . '" />',
         '<div class="subtitle">' . $this->trans('Add an IMAP Server') . '</div><table>',
         '<tr><td colspan="2"><label class="screen_reader" for="new_imap_name">' . $this->trans('Account name') . '</label>',
         '<input id="new_imap_name" required type="text" name="new_imap_name" class="txt_fld" value="" placeholder="' . $this->trans('Account name') . '" /></td></tr>',
         '<tr><td colspan="2"><label class="screen_reader" for="new_imap_address">' . $this->trans('Server address') . '</label>',
         '<input required type="text" id="new_imap_address" name="new_imap_address" class="txt_fld" placeholder="' . $this->trans('IMAP server address') . '" value=""/></td></tr>',
         '<tr><td colspan="2"><label class="screen_reader" for="new_imap_port">' . $this->trans('IMAP port') . '</label>',
         '<input required type="number" id="new_imap_port" name="new_imap_port" class="port_fld" value="" placeholder="' . $this->trans('Port') . '"></td></tr>',
         '<tr><td colspan="2"><input type="checkbox" id="new_imap_hidden" name="new_imap_hidden" class="" value="1">',
         '<label for="new_imap_hidden">' . $this->trans('Hide From Combined Pages') . '</label></td></tr>',
         '<tr><td><input type="checkbox" name="tls" value="1" id="imap_tls" checked="checked" /> <label for="imap_tls">' . $this->trans('Use TLS') . '</label></td>',
         '<td><input type="submit" value="' . $this->trans('Add') . '" name="submit_imap_server" /></td></tr>',
         '</table></form>',
     );
     return implode('', $parts);
 }