 public function testNonceDoesntEverMatch()
 {
     // nonce() must always yield a value...
     $this->assertNotEmpty(nonce());
     // ...and thirty consecutive pairs of calls must never collide.
     for ($round = 0; $round < 30; $round++) {
         $this->assertNotEquals(nonce(), nonce());
     }
 }
 public function testPostEmailReturnsErrorOnUnmatchableEmailAndNinjaName()
 {
     // Build a POST to the reset endpoint whose email and ninja name cannot
     // belong to any account: each carries a fresh nonce.
     $request = Request::create('/resetpassword.php');
     $request->setMethod('POST');
     $unmatchableEmail = 'unmatchable@' . nonce() . 'com';
     $unmatchableName = 'nomatch' . nonce();
     $request->query->set('email', $unmatchableEmail);
     $request->query->set('ninja_name', $unmatchableName);

     $response = (new PasswordController())->postEmail($request);

     // The controller must redirect, and the redirect target must carry the
     // "no matching account" error string.
     $this->assertTrue($response instanceof RedirectResponse);
     $target = $response->getTargetUrl();
     $expectedFragment = url('unable to find a matching account');
     $this->assertTrue(
         strpos($target, $expectedFragment) !== false,
         'Url Redirection did not contain expected error string'
     );
 }
<?php

$resp = \shgysk8zer0\Core\JSON_Response::load();
switch ($_POST['action']) {
    case 'logout':
        $login->logout();
        $session->destroy();
        $session = new \shgysk8zer0\Core\Session();
        nonce();
        $resp->enable('#main_menu menuitem[label=Login]')->disable('#main_menu menuitem[label=Logout]')->attributes('body > main', 'contextmenu', false)->sessionStorage('nonce', $session->nonce)->notify('User has been logged out', 'Login again to make changes.', 'images/icons/people.png');
        break;
    case 'Clear PHP_errors':
        require_login('admin');
        $DB->resetTable('errors');
        file_put_contents(BASE . '/errors.log', null, LOCK_EX);
        $resp->notify('Success!', "Table (PHP_errors) has been reset", 'images/icons/db.png');
        break;
    case 'restore database':
        require_login('admin');
        $connect = \shgysk8zer0\Core\resources\Parser::parseFile('connect.json');
        $DB->restore($connect->database) ? $resp->notify('Success', "The database has been restored from {$connect->database}.sql", 'images/icons/db.png')->reload() : $resp->notify('Failed', "There was a problem restoring from {$connect->database}.sql", 'images/icons/db.png');
        break;
    case 'backup database':
        require_login('admin');
        $connect = \shgysk8zer0\Core\resources\Parser::parseFile('connect.json');
        $DB->dump() ? $resp->notify('Success', "The database has been backed up to {$connect->database}.sql", 'images/icons/db.png') : $resp->notify("Unable to backup to {$connect->database}.sql", 'Check file permissions', 'images/icons/db.png');
        break;
    case 'update_sitemap':
        require_login('admin');
        update_sitemap();
        $resp->notify('Sitemap has been updated', 'View ' . URL . 'sitemap.xml', 'images/icons/db.png');
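/**
 * Verify a nonce, given the seed that was used to produce it.
 *
 * The candidate is checked against the nonce derived for each of the last
 * config('nonce.split') ticks, newest first, so the return value tells the
 * caller how old the nonce is.
 *
 * @param string|null $seed    seed the nonce was generated from; session_id() is appended
 * @param string      $nonce   candidate nonce submitted by the client (10 hex characters)
 * @param bool        $onetime when true the nonce is additionally bound to the cookie
 *                             named nonce($seed); a missing cookie fails verification
 * @return int|false the number of nonce splits ago that the nonce was generated (1 = current
 *                   tick), up to NONCE_LIFESPAN / NONCE_SPLIT, or false when nothing matches;
 *                   use verify_nonce($seed, $nonce) === 1 for the shortest period, use
 *                   verify_nonce($seed, $nonce) == true to validate the nonce within the
 *                   entire NONCE_LIFESPAN (e.g., 24 hours)
 */
function verify_nonce($seed = null, $nonce, $onetime = false)
{
    // A non-string candidate (missing field, array injected via the request) can
    // never match, and hash_equals() below requires strings.
    if (!is_string($nonce)) {
        return false;
    }
    if ($onetime) {
        $cookieName = nonce($seed);
        if (!isset($_COOKIE[$cookieName])) {
            return false;
        }
        // Bind the nonce to the one-time cookie value as well as the seed.
        $seed .= $_COOKIE[$cookieName];
    }
    $seed .= session_id();
    // get the current nonce tick
    $tick = _nonce_tick();
    // Hoisted out of the loop: both values are constant for the whole check.
    $split = config('nonce.split', 24);
    $salt = config('auth.salt');
    for ($i = 0; $i < $split; $i++) {
        // Derivation (md5 HMAC over seed + tick, 10 chars taken at offset -12) presumably
        // mirrors what nonce() emits — TODO confirm; it must stay in lock-step with the
        // generator, so do not change it here alone.
        $expected = substr(hash_hmac('md5', $seed . ($tick - $i), $salt), -12, 10);
        // Strict, constant-time comparison: `==` compares numeric-looking hex digests
        // such as "0e123456789…" as numbers, so unrelated values could compare equal.
        if (hash_equals($expected, $nonce)) {
            return $i + 1;
        }
    }
    // Invalid nonce
    return false;
}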
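/**
 * Check a client-supplied key against the nonce derived from $str.
 *
 * @param string $str seed handed to nonce()
 * @param string $key candidate value to check
 * @return bool true only when $key is byte-for-byte equal to nonce($str)
 */
function valid_nonce($str, $key)
{
    // A non-string candidate can never match, and hash_equals() requires strings.
    if (!is_string($key)) {
        return false;
    }
    // Strict, constant-time comparison instead of `==`, which compares
    // numeric-looking strings (e.g. "0e123…") as numbers and is timing-dependent.
    return hash_equals((string) nonce($str), $key);
}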
 /**
  * Generate a full password reset request for an account
  *
  * The stored request carries the account id and either the nonce supplied
  * by the caller or a freshly generated one.
  *
  * @param Account $account
  * @param string|null $nonce explicit nonce to record; nonce() is called when null
  * @return PasswordResetRequest
  */
 public static function generate(Account $account, $nonce = null)
 {
     return PasswordResetRequest::create([
         '_account_id' => $account->id(),
         'nonce' => $nonce ?? nonce(),
     ]);
 }
     if ($sent) {
         $_SESSION['alert'] = "password_sent";
     } else {
         $alert[] = "email_fail_forgot_password_" . $_POST['login_email'];
     }
 } else {
     if ($_POST['login_password']) {
         // Check that the password is correct
         $hasher = new PasswordHash(8, FALSE);
         if ($hasher->CheckPassword($_POST['login_password'], $row["password"])) {
             // Check to ensure that user is only online once (USE IP ADDRESS)
             $_SESSION['cms_user_id'] = $row["id"];
             // If user would like to "Remember Me" then store token
             if ($_POST['remember_me'] == 'true') {
                 // Generate a new user token
                 $token = nonce();
                 $sth2 = $dbh->prepare("UPDATE `directus_users` SET `token` = :token WHERE `id` = :id ");
                 $sth2->bindParam(':token', $token);
                 $sth2->bindParam(':id', $row["id"]);
                 $sth2->execute();
                 setcookie("token", $token, time() + 60 * $settings['cms']['cookie_life'], CMS_PATH);
             }
             // Redirect to where you last were or the homepage
             if (file_exists('install.php')) {
                 $_SESSION['alert'] = unlink('install.php') ? "installer_removed" : "installer_remove_manual";
                 header("Location: " . CMS_INSTALL_PATH . "settings.php");
                 die;
             } elseif ($_COOKIE['cms_redirect']) {
                 // The installer should no longer be present
                 if (file_exists('install.php')) {
                     $_SESSION['alert'] = "remove_install";