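/**
 * Build a random salt of $length characters.
 *
 * Three sources are tried, strongest first:
 *   1. the bundled CSPRNG class from sources/csprng/support/random.php, when
 *      $do_secure is true and that file loads;
 *   2. random_bytes(), where the runtime provides it;
 *   3. a legacy mix of uniqid()/mt_rand()/rand()/date()/crc32() hashed with
 *      sha1(). This last path is NOT cryptographically strong and, because it
 *      slices a 40-character sha1 hex digest, cannot return more than 40
 *      characters.
 *
 * @param int         $length      Number of characters wanted; 0 or less yields ''.
 * @param string|null $add_entropy Optional caller data, mixed in on the legacy path only.
 * @param bool        $do_secure   False skips the bundled CSPRNG class entirely.
 * @return string
 */
public static function createSalt($length = 32, $add_entropy = null, $do_secure = true) {
    $length = (int) $length;
    if ($length <= 0) {
        return '';
    }

    // 1. Bundled CSPRNG. The parentheses matter: include_once binds looser
    // than !==, so without them the comparison is applied to the path string
    // and include_once is handed a boolean instead of the file name (the
    // secure branch was then never reached). The @ only silences the
    // "file not found" warning; a missing file is expected and handled below.
    if ($do_secure && (@include_once 'sources/csprng/support/random.php') !== false && class_exists('CSPRNG')) {
        try {
            $rng = new CSPRNG();
            $salt = $rng->GenerateString($length);
            // GenerateToken() elsewhere in this codebase returns false on
            // failure; presumably GenerateString() can too, so only accept a
            // non-empty string.
            if (is_string($salt) && $salt !== '') {
                return $salt;
            }
        } catch (Exception $e) {
            // Fall through to the next source; the old code recursed here
            // and dropped the recursive result, returning null.
        }
    }

    // 2. Platform CSPRNG (PHP 7+): two hex digits per byte, trimmed to $length.
    if (function_exists('random_bytes')) {
        try {
            return substr(bin2hex(random_bytes((int) ceil($length / 2))), 0, $length);
        } catch (Exception $e) {
            // No usable entropy source on this host; use the legacy mix.
        }
    }

    // 3. Legacy mix. Not cryptographically strong; kept only so callers still
    // receive a value on hosts with neither source above.
    $id1 = uniqid(mt_rand(), true);
    $id2 = md5(date('dDjlSwzWFmMntLYayABgGhiHsOZ'));
    $id3 = crc32(self::curPageURL());
    $charset = "!@#~`%^&*()-_+={}|[]:;'<>?,./";
    // One character suffices: the old loop overwrote $id4 on every pass and
    // left it undefined when it ran zero times.
    $id4 = substr($charset, rand(0, strlen($charset) - 1), 1);
    $salt = sha1($id2 . $id1 . $id3 . $id4 . $add_entropy); // add extra entropy if provided.
    // sha1() yields 40 hex characters, so this path caps the result at 40.
    $length = min($length, strlen($salt));
    $offset = rand(0, strlen($salt) - $length);
    return substr($salt, $offset, $length);
}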
if (!isset($protectedfields[$key]) || !$protectedfields[$key]) { $userinfo[$key] = isset($_REQUEST["field_edit_" . md5($key)]) ? $_REQUEST["field_edit_" . md5($key)] : ""; } } if (function_exists("AdminHook_EditUser_PostFieldsCheck")) { AdminHook_EditUser_PostFieldsCheck(); } if ($sso_site_admin && isset($_REQUEST["impersonation"])) { if (!(int) $_REQUEST["impersonation"]) { unset($userinfo["sso__impersonation"]); unset($userinfo["sso__impersonation_key"]); unset($userinfo["sso__impersonation_auto"]); } else { if (!isset($userinfo["sso__impersonation"])) { $userinfo["sso__impersonation"] = "1"; $userinfo["sso__impersonation_key"] = $sso_rng->GenerateString(64); $userinfo["sso__impersonation_auto"] = "0"; } if (isset($_REQUEST["reset_impersonation_key"]) && $_REQUEST["reset_impersonation_key"] == "yes") { $userinfo["sso__impersonation_key"] = $sso_rng->GenerateString(64); } if (isset($_REQUEST["impersonation_auto"])) { $userinfo["sso__impersonation_auto"] = (string) (int) $_REQUEST["impersonation_auto"]; } } } $info2 = SSO_CreateEncryptedUserInfo($userinfo); $sso_db->Query("UPDATE", array($sso_db_users, array("version" => (int) $_REQUEST["version"], "info" => serialize($userinfo), "info2" => $info2), "WHERE" => "id = ?"), $row->id); if ($sso_site_admin && $_REQUEST["tag_id"] != "" && $_REQUEST["tag_reason"] != "") { try { $sso_db->Query("INSERT", array($sso_db_user_tags, array("user_id" => $row->id, "tag_id" => (int) $_REQUEST["tag_id"], "issuer_id" => $sso_user_id, "reason" => $_REQUEST["tag_reason"], "created" => CSDB::ConvertToDBTime(time()))));
$seed = $rng->GenerateToken(128); if ($seed === false) { InstallError("Seed generation failed."); } define("SSO_BASE_RAND_SEED" . ($x ? $x + 1 : ""), $seed); } define("SSO_USE_LESS_SAFE_STORAGE", $_REQUEST["sso_use_less_safe_storage"] == "yes"); // Connect to the database server. $databases = SSO_GetSupportedDatabases(); $dbtype = (string) $_REQUEST["db_select"]; if (!isset($databases[$dbtype])) { InstallError("Please select a database server."); } if ($_REQUEST["db_dsn"] == "") { $dsn = $databases[$dbtype]["default_dsn"]; $dsn = str_replace("@RANDOM@", $rng->GenerateString(), $dsn); $dsn = str_replace("@PATH@", str_replace("\\", "/", dirname(__FILE__)), $dsn); $_REQUEST["db_dsn"] = $dsn; } require_once "support/csdb/db_" . $dbtype . ".php"; $dbclassname = "CSDB_" . $dbtype; try { $db = new $dbclassname($dbtype . ":" . $_REQUEST["db_dsn"], $databases[$dbtype]["login"] ? $_REQUEST["db_user"] : false, $databases[$dbtype]["login"] ? $_REQUEST["db_pass"] : false); if ($_REQUEST["db_master_dsn"] != "") { $db->SetMaster($dbtype . ":" . $_REQUEST["db_master_dsn"], $databases[$dbtype]["login"] ? $_REQUEST["db_master_user"] : false, $databases[$dbtype]["login"] ? $_REQUEST["db_master_pass"] : false); } } catch (Exception $e) { InstallError("Database connection failed. " . htmlspecialchars($e->getMessage())); } try { InstallSuccess("Successfully connected to the database server. Running " . htmlspecialchars($db->GetDisplayName() . " " . $db->GetVersion()));
$session_info = unserialize($sessionrow->info); if (!isset($session_info["validated"])) { SSO_EndpointError("Namespace referenced session is not validated."); } if (!isset($session_info["ipaddr"]) || !isset($_REQUEST["ipaddr"]) || $session_info["ipaddr"] != $_REQUEST["ipaddr"]) { SSO_EndpointError("Namespace referenced session is from an unspecified or different IP address."); } $result = array("success" => true); SSO_EndpointOutput($result); } else { if ($sso_data["action"] == "initlogin") { if ($sso_apikey_info["type"] != "normal") { SSO_EndpointError("Invalid API key type."); } // Create a new session. $sid = $sso_rng->GenerateString(); $recoverid = $sso_rng->GenerateString(); $info = array("url" => base64_encode(isset($sso_data["url"]) ? $sso_data["url"] : ""), "files" => (bool) (int) (isset($sso_data["files"]) ? $sso_data["files"] : 0), "initmsg" => base64_encode(isset($sso_data["initmsg"]) ? $sso_data["initmsg"] : ""), "rid" => $recoverid, "appurl" => base64_encode(isset($sso_data["appurl"]) ? $sso_data["appurl"] : "")); if ($info["url"] == "") { SSO_EndpointError("Return URL not specified."); } $sso_db->Query("INSERT", array($sso_db_temp_sessions, array("apikey_id" => $sso_apirow->id, "updated" => CSDB::ConvertToDBTime(time()), "created" => CSDB::ConvertToDBTime(time()), "heartbeat" => SSO_HEARTBEAT_LIMIT, "session_id" => $sid, "ipaddr" => isset($_REQUEST["ipaddr"]) ? $_REQUEST["ipaddr"] : "APIKEY: " . $sso_ipaddr["ipv6"], "info" => serialize($info), "recoverinfo" => base64_encode(isset($sso_data["info"]) ? $sso_data["info"] : "")), "AUTO INCREMENT" => "id")); $id = $sso_db->GetInsertID(); $url = SSO_LOGIN_URL . "?sso_id=" . urlencode($sid . "-" . $id) . "&lang=" . urlencode(isset($sso_data["lang"]) ? $sso_data["lang"] : ""); if (isset($sso_data["extra"])) { foreach ($sso_data["extra"] as $key => $val) { $url .= "&" . urlencode($key) . "=" . 
urlencode($val); } } $result = array("success" => true, "url" => $url, "rid" => $recoverid); SSO_EndpointOutput($result);