public function testEncryptDecryptChars()
{
    // Round-trip a plaintext full of punctuation, quotes and non-ASCII
    // characters (umlauts, superscripts) using a secret that is itself
    // non-ASCII; decrypt(encrypt(x)) must give x back unchanged.
    $secret = '$%ÄüfuDFRR';
    $plaintext = 'abcDEF012!"§$%&/()=?`´"\',.;:-_#+*~öäüÖÄÜ^°²³';

    $ciphertext = PMA_blowfish_encrypt($plaintext, $secret);
    $roundTripped = PMA_blowfish_decrypt($ciphertext, $secret);

    $this->assertEquals($plaintext, $roundTripped);
}
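/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * @author Andreas Gohr <*****@*****.**>
 *
 * @param string $user Username
 * @param string $pass Cleartext Password
 * @param bool $sticky Cookie should not expire
 * @param bool $silent Don't show error on bad auth
 * @return bool true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    /* @var auth_basic $auth */
    global $auth;

    $sticky = (bool) $sticky; // sanity check: callers may hand in '1', '' or similar

    if (!$auth) {
        return false; // no auth backend available
    }

    if (!empty($user)) {
        // usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $secret = auth_cookiesalt(!$sticky); // bind non-sticky to session
            auth_setCookie($user, PMA_blowfish_encrypt($pass, $secret), $sticky);
            return true;
        }

        // invalid credentials - log off
        if (!$silent) {
            msg($lang['badlogin'], -1);
        }
        auth_logoff();
        return false;
    }

    // read cookie information
    list($user, $sticky, $pass) = auth_getCookie();
    if ($user && $pass) {
        // we got a cookie - see if we can trust it
        // get session info; guarded read so a missing session raises no notice
        $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;

        // Strict comparisons on purpose: with == two strings that both look
        // numeric (e.g. sha1 values of the form "0e123...") are compared as
        // numbers and would match although they differ.
        if (isset($session)
            && $auth->useSessionCache($user)
            && $session['time'] >= time() - $conf['auth_security_timeout']
            && $session['user'] === $user
            && $session['pass'] === sha1($pass)
            && $session['buid'] === auth_browseruid()
        ) {
            // he has session, cookie and browser right - let him in
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $session['info']; //FIXME move all references to session
            return true;
        }

        // no we don't trust it yet - recheck pass but silent
        $secret = auth_cookiesalt(!$sticky); // bind non-sticky to session
        $pass = PMA_blowfish_decrypt($pass, $secret);
        return auth_login($user, $pass, $sticky, true);
    }

    // just to be sure
    auth_logoff(true);
    return false;
}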
/**
 * Return user info
 *
 * Returns info about the given user needs to contain
 * at least these fields:
 *
 * name string  full name of the user
 * mail string  email address of the user
 * grps array   list of groups the user is in
 *
 * This LDAP specific function returns the following
 * additional fields:
 *
 * dn     string  distinguished name (DN)
 * uid    string  Posix User ID
 * inbind bool    for internal use - avoid loop in binding
 *
 * Flow as implemented below: open the connection, optionally rebind with the
 * configured superuser credentials, search the user tree for exactly one
 * entry, copy its attributes into $info (cnf['mapping'] may override them or
 * regex-extract values), then, if a group tree/filter is configured, search
 * it and append every group key found. The default group is always appended.
 *
 * @author Andreas Gohr <*****@*****.**>
 * @author Trouble
 * @author Dan Allen <*****@*****.**>
 * @author <*****@*****.**>
 * @author Stephane Chazelas <*****@*****.**>
 * @param string $user   login name to look up; it ends up in the LDAP filters
 * @param bool   $inbind internal flag - avoid loop in binding
 * @return array containing user data or false
 */
function getUserData($user, $inbind = false)
{
    global $conf;
    if (!$this->_openLDAP()) {
        return false;
    }

    // force superuser bind if wanted and not bound as superuser yet
    if ($this->cnf['binddn'] && $this->cnf['bindpw'] && $this->bound < 2) {
        // use superuser credentials
        // warnings from ldap_bind() are suppressed; a failure is only surfaced in debug mode
        if (!@ldap_bind($this->con, $this->cnf['binddn'], $this->cnf['bindpw'])) {
            if ($this->cnf['debug']) {
                // NOTE(review): the listing is redacted/garbled from the "******" below up to
                // the checkPass() call; the statements in between (the rest of the debug
                // message and, it appears, a re-bind using the session password decrypted
                // with auth_cookiesalt()) are not recoverable from this page.
                msg('LDAP bind as superuser: '******'auth']['pass'], auth_cookiesalt());
                $this->checkPass($_SESSION[DOKU_COOKIE]['auth']['user'], $pass);
    }

    $info['user'] = $user;
    $info['server'] = $this->cnf['server'];

    //get info for given user
    // NOTE(review): whether _makeFilter() escapes LDAP filter metacharacters in the
    // $info values (in particular the caller-supplied $user) is not visible on this
    // page - confirm before relying on these filters.
    $base = $this->_makeFilter($this->cnf['usertree'], $info);
    if (!empty($this->cnf['userfilter'])) {
        $filter = $this->_makeFilter($this->cnf['userfilter'], $info);
    } else {
        $filter = "(ObjectClass=*)";
    }
    $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['userscope']);
    // unlike the group search below, $sr is not checked here; the @ hides the
    // warning and a failed search just leaves $result as a non-array
    $result = @ldap_get_entries($this->con, $sr);
    if ($this->cnf['debug']) {
        msg('LDAP user search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
        msg('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
    }

    // Don't accept more or less than one response
    if (!is_array($result) || $result['count'] != 1) {
        return false; //user not found
    }
    $user_result = $result[0];
    ldap_free_result($sr);

    // general user info
    $info['dn'] = $user_result['dn'];
    $info['gid'] = $user_result['gidnumber'][0];
    $info['mail'] = $user_result['mail'][0];
    $info['name'] = $user_result['cn'][0];
    $info['grps'] = array();

    // overwrite if other attribs are specified.
    if (is_array($this->cnf['mapping'])) {
        foreach ($this->cnf['mapping'] as $localkey => $key) {
            if (is_array($key)) {
                // use regexp to clean up user_result
                // a mapping entry of array form is "attribute => regexp"; each()
                // yields that pair (each() no longer exists in PHP 8)
                list($key, $regexp) = each($key);
                if ($user_result[$key]) {
                    foreach ($user_result[$key] as $grp) {
                        if (preg_match($regexp, $grp, $match)) {
                            // the first capture group is the value: 'grps' accumulates,
                            // any other key is overwritten by the last match
                            if ($localkey == 'grps') {
                                $info[$localkey][] = $match[1];
                            } else {
                                $info[$localkey] = $match[1];
                            }
                        }
                    }
                }
            } else {
                $info[$localkey] = $user_result[$key][0];
            }
        }
    }
    // merged view: group filters may reference mapped keys as well as raw attributes
    $user_result = array_merge($info, $user_result);

    //get groups for given user if grouptree is given
    if ($this->cnf['grouptree'] || $this->cnf['groupfilter']) {
        $base = $this->_makeFilter($this->cnf['grouptree'], $user_result);
        $filter = $this->_makeFilter($this->cnf['groupfilter'], $user_result);
        // only the group key attribute is requested
        $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['groupscope'], array($this->cnf['groupkey']));
        if ($this->cnf['debug']) {
            msg('LDAP group search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
            msg('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
        }
        if (!$sr) {
            msg("LDAP: Reading group memberships failed", -1);
            return false;
        }
        $result = ldap_get_entries($this->con, $sr);
        ldap_free_result($sr);
        if (is_array($result)) {
            // ldap_get_entries() also carries a 'count' element; it has no group key
            // attribute, so the empty() test skips it
            foreach ($result as $grp) {
                if (!empty($grp[$this->cnf['groupkey']][0])) {
                    if ($this->cnf['debug']) {
                        msg('LDAP usergroup: ' . htmlspecialchars($grp[$this->cnf['groupkey']][0]), 0, __LINE__, __FILE__);
                    }
                    $info['grps'][] = $grp[$this->cnf['groupkey']][0];
                }
            }
        }
    }

    // always add the default group to the list of groups
    if (!in_array($conf['defaultgroup'], $info['grps'])) {
        $info['grps'][] = $conf['defaultgroup'];
    }
    return $info;
}
/**
 * Decrypt the given string with the cookie salt
 *
 * $data is base64 transport encoding around the ciphertext; the key is
 * whatever auth_cookiesalt() returns. DokuWiki's auth_decrypt() is used
 * when the running release provides it, otherwise the deprecated
 * PMA_blowfish_decrypt() path is taken.
 *
 * @param string $data base64 encoded ciphertext
 * @return string
 */
public function decrypt($data)
{
    $ciphertext = base64_decode($data);
    $salt = auth_cookiesalt();

    if (!function_exists('auth_decrypt')) {
        return PMA_blowfish_decrypt($ciphertext, $salt); // deprecated, pre-Binky releases
    }

    return auth_decrypt($ciphertext, $salt); // since binky
}
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with PMA_DBI_connect()
 *
 * it returns false if something is missing - which usually leads to
 * PMA_auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
 *
 * it directly switches to PMA_auth_fails() if user inactivity timeout is reached
 *
 * Order of evaluation, as implemented below:
 *   1. reset the output globals and run the Swekey hook
 *   2. PMA_CLEAR_COOKIES: remove every per-server cookie, report "nothing"
 *   3. old_usr: logout - destroy the session, remove password cookie(s)
 *   4. pma_username in the request: fresh login, values taken verbatim
 *   5. otherwise recover user/password from the per-server cookies, but only
 *      while the session shows recent activity
 *
 * @todo AllowArbitraryServer on does not imply that the user wants an
 * arbitrary server, or? so we should also check if this is filled and
 * not only if allowed
 *
 * @return boolean whether we get authentication settings or not
 *
 * @access public
 */
function PMA_auth_check()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;

    // BEGIN Swekey Integration
    // external hook: a negative result short-circuits every other credential source
    if (!Swekey_auth_check()) {
        return false;
    }
    // END Swekey Integration

    // full reset: drop password, server and user cookie of every configured server
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $key);
            $GLOBALS['PMA_Config']->removeCookie('pmaUser-' . $key);
        }
        return false;
    }

    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        // according to the PHP manual we should do this before the destroy:
        //$_SESSION = array();
        // but we still need some parts of the session information
        // in libraries/header_meta_style.inc.php
        session_destroy();
        // -> delete password cookie(s)
        // only password cookies go; the user/server cookies are kept so the login
        // form can be prefilled. $_COOKIE is cleared too so the lookup below
        // does not see the stale value within this same request.
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            $GLOBALS['PMA_Config']->removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }

    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        // NOTE(review): $_REQUEST merges GET, POST and cookie input, so these values
        // are not necessarily from the POSTed login form - confirm that is intended.
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }

    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies

    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }

    // username
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }
    // the cookie is decrypted but nothing on this page verifies its integrity;
    // whatever PMA_blowfish_decrypt() returns is used as the username
    $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], PMA_get_blowfish_secret());

    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }

    // User inactive too long
    // privilege caches are invalidated first so the next login re-queries them;
    // PMA_auth_fails() is expected to render the error, exit makes sure no
    // return value reaches the caller on this path
    if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
        PMA_cacheUnset('is_create_db_priv', true);
        PMA_cacheUnset('is_process_priv', true);
        PMA_cacheUnset('is_reload_priv', true);
        PMA_cacheUnset('db_to_create', true);
        PMA_cacheUnset('dbs_where_create_table_allowed', true);
        $GLOBALS['no_activity'] = true;
        PMA_auth_fails();
        exit;
    }

    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], PMA_get_blowfish_secret());
    // marker the writing side stores instead of an empty password (not on this page);
    // mapped back to '' here
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }

    $GLOBALS['from_cookie'] = true;
    return true;
}
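/**
 * Checks if the CAPTCHA string submitted is valid
 *
 * Reads the encrypted challenge secret and the user's answer from
 * $_REQUEST, regenerates the expected code from the decrypted secret and
 * the fixed identity, and on mismatch downgrades the pending action
 * (save -> edit, add -> show) so nothing gets stored. Does nothing when
 * the captcha plugin is disabled/unavailable, or when a user is logged
 * in and the plugin is not configured to challenge logged-in users.
 *
 * @author Andreas Gohr <*****@*****.**>
 * @adaption Esther Brunner <*****@*****.**>
 * @return void
 */
function _captchaCheck()
{
    // CAPTCHA is disabled or not available
    if (plugin_isdisabled('captcha') || !($captcha = plugin_load('helper', 'captcha'))) {
        return;
    }

    // do nothing if logged in user and no CAPTCHA required
    if (!$captcha->getConf('forusers') && !empty($_SERVER['REMOTE_USER'])) {
        return;
    }

    // read the submitted values once; missing keys become '' instead of notices
    $secret = isset($_REQUEST['plugin__captcha_secret']) ? $_REQUEST['plugin__captcha_secret'] : '';
    $answer = isset($_REQUEST['plugin__captcha']) ? $_REQUEST['plugin__captcha'] : '';

    // compare provided string with decrypted captcha
    $rand = PMA_blowfish_decrypt($secret, auth_cookiesalt());
    $code = $captcha->_generateCAPTCHA($captcha->_fixedIdent(), $rand);

    // strict comparison: with != two numeric-looking strings are compared as
    // numbers ("012" == "12"), which would accept a wrong answer
    if (!$secret || !$answer || strtoupper($answer) !== (string) $code) {
        // CAPTCHA test failed! Continue to edit instead of saving
        msg($captcha->getLang('testfailed'), -1);
        $comment = isset($_REQUEST['comment']) ? $_REQUEST['comment'] : null;
        if ($comment === 'save') {
            $_REQUEST['comment'] = 'edit';
        } elseif ($comment === 'add') {
            $_REQUEST['comment'] = 'show';
        }
    }
    // if we arrive here it was a valid save
}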
/**
 * Gets advanced authentication settings
 *
 * Collects the MySQL login credentials into the globals $PHP_AUTH_USER /
 * $PHP_AUTH_PW - either from the login form (globals $pma_username /
 * $pma_password) or from the per-server cookies
 * pma_cookie_username-<server> / pma_cookie_password-<server>. Nothing is
 * verified against the database here.
 *
 * Cookie layout as read below: the username cookie decrypts to
 * "<user>:<timestamp>", and that timestamp is also appended to the key used
 * to decrypt the password cookie, so the two cookies are tied together.
 *
 * @global string the username if register_globals is on
 * @global string the password if register_globals is on
 * @global array the array of cookie variables if register_globals is
 * off
 * @global string the servername sent by the login form
 * @global string the username sent by the login form
 * @global string the password sent by the login form
 * @global string the username of the user who logs out
 * @global boolean whether the login/password pair is grabbed from a
 * cookie or not
 *
 * @return boolean whether we get authentication settings or not
 *
 * @access public
 */
function PMA_auth_check()
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $pma_servername, $pma_username, $pma_password, $old_usr, $server;
    global $from_cookie;

    // avoid an error in mcrypt
    // without a blowfish_secret no cookie can be decrypted, so report "nothing"
    if (empty($GLOBALS['cfg']['blowfish_secret'])) {
        return false;
    }

    // Initialization
    $PHP_AUTH_USER = $PHP_AUTH_PW = '';
    $from_cookie = false;
    $from_form = false;

    // The user wants to be logged out -> delete password cookie(s)
    // (only password cookies are removed; the username cookie stays)
    if (!empty($old_usr)) {
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                PMA_removeCookie('pma_cookie_password-' . $key);
            }
        } else {
            PMA_removeCookie('pma_cookie_password-' . $server);
        }
    } elseif (!empty($pma_username)) {
        // fresh login: form values are taken verbatim, checking them is the caller's job
        $PHP_AUTH_USER = $pma_username;
        $PHP_AUTH_PW = empty($pma_password) ? '' : $pma_password;
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            $pma_auth_server = $pma_servername;
        }
        $from_form = true;
    } else {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            // servername
            // NOTE(review): $pma_cookie_servername is neither a parameter nor declared
            // global in this function, so this first branch looks unreachable - verify
            if (!empty($pma_cookie_servername)) {
                $pma_auth_server = $pma_cookie_servername;
                $from_cookie = true;
            } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername-' . $server])) {
                $pma_auth_server = $_COOKIE['pma_cookie_servername-' . $server];
                $from_cookie = true;
            }
        }

        // username
        if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username-' . $server])) {
            $PHP_AUTH_USER = $_COOKIE['pma_cookie_username-' . $server];
            $from_cookie = true;
        }
        // the cookie decrypts to "<user>:<timestamp>"; split at the last ':'
        $decrypted_user = PMA_blowfish_decrypt($PHP_AUTH_USER, $GLOBALS['cfg']['blowfish_secret']);
        if (!empty($decrypted_user)) {
            // NOTE(review): with no ':' present strrpos() returns false, which appears to
            // leave $PHP_AUTH_USER empty and parse the timestamp from offset 1 - confirm
            $pos = strrpos($decrypted_user, ':');
            $PHP_AUTH_USER = substr($decrypted_user, 0, $pos);
            $decrypted_time = (int) substr($decrypted_user, $pos + 1);
        } else {
            // no (or undecryptable) username cookie: no timestamp, hence no inactivity check
            $decrypted_time = 0;
        }

        // User inactive too long
        // NOTE(review): the `$decrypted_time > 0` guard means a cookie carrying no
        // timestamp bypasses this check; the password key below then uses 0 - confirm
        if ($decrypted_time > 0 && $decrypted_time < $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity']) {
            // Display an error message only if the inactivity has lasted
            // less than 4 times the timeout value. This is to avoid
            // alerting users with a error after "much" time has passed,
            // for example next morning.
            if ($decrypted_time > $GLOBALS['current_time'] - $GLOBALS['cfg']['LoginCookieValidity'] * 4) {
                $GLOBALS['no_activity'] = true;
                PMA_auth_fails();
            }
            return false;
        }

        // password
        // NOTE(review): $pma_cookie_password is likewise not declared global here
        if (!empty($pma_cookie_password)) {
            $PHP_AUTH_PW = $pma_cookie_password;
        } elseif (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_password-' . $server])) {
            $PHP_AUTH_PW = $_COOKIE['pma_cookie_password-' . $server];
        } else {
            // a username cookie without a password cookie does not count as a cookie login
            $from_cookie = false;
        }
        // keyed with secret . timestamp: a password cookie whose companion timestamp was
        // altered decrypts to garbage rather than to the stored password
        $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW, $GLOBALS['cfg']['blowfish_secret'] . $decrypted_time);
        // marker stored instead of an empty password (writing side not on this page)
        if ($PHP_AUTH_PW == "ÿ(blank)") {
            $PHP_AUTH_PW = '';
        }
    }

    // Returns whether we get authentication settings or not
    if (!$from_cookie && !$from_form) {
        return false;
    } elseif ($from_cookie) {
        return true;
    } else {
        // we don't need to strip here, it is done in grab_globals
        return true;
    }
}
/**
 * Gets advanced authentication settings
 *
 * Earliest cookie-auth variant on this page: a single set of cookies
 * (pma_cookie_username / pma_cookie_password / pma_cookie_servername, not
 * per server), the username cookie is used as-is (not encrypted), only the
 * password cookie is base64 + blowfish encoded. No inactivity handling.
 *
 * @global string the username if register_globals is on
 * @global string the password if register_globals is on
 * @global array the array of cookie variables if register_globals is
 * off
 * @global string the servername sent by the login form
 * @global string the username sent by the login form
 * @global string the password sent by the login form
 * @global string the username of the user who logs out
 * @global boolean whether the login/password pair is grabbed from a
 * cookie or not
 *
 * @return boolean whether we get authentication settings or not
 *
 * @access public
 */
function PMA_auth_check()
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $pma_servername, $pma_username, $pma_password, $old_usr;
    global $from_cookie;

    // Initialization
    $PHP_AUTH_USER = $PHP_AUTH_PW = '';
    $from_cookie = FALSE;
    $from_form = FALSE;

    // The user wants to be logged out -> delete password cookie
    // expire 0 with an empty value; the last argument is the cookie's secure flag
    if (!empty($old_usr)) {
        setcookie('pma_cookie_password', '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
    } else {
        if (!empty($pma_username)) {
            // fresh login from the form; values are taken verbatim
            $PHP_AUTH_USER = $pma_username;
            $PHP_AUTH_PW = empty($pma_password) ? '' : $pma_password;
            if ($GLOBALS['cfg']['AllowArbitraryServer']) {
                $pma_auth_server = $pma_servername;
            }
            $from_form = TRUE;
        } else {
            // NOTE(review): $pma_cookie_servername, $pma_cookie_username and
            // $pma_cookie_password are not declared global in this function, so the
            // "!empty($pma_cookie_*)" branches below look unreachable - verify
            if ($GLOBALS['cfg']['AllowArbitraryServer']) {
                // servername
                if (!empty($pma_cookie_servername)) {
                    $pma_auth_server = $pma_cookie_servername;
                    $from_cookie = TRUE;
                } else {
                    if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_servername'])) {
                        $pma_auth_server = $_COOKIE['pma_cookie_servername'];
                        $from_cookie = TRUE;
                    }
                }
            }

            // username
            // taken straight from the cookie - no decryption or validation here
            if (!empty($pma_cookie_username)) {
                $PHP_AUTH_USER = $pma_cookie_username;
                $from_cookie = TRUE;
            } else {
                if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_username'])) {
                    $PHP_AUTH_USER = $_COOKIE['pma_cookie_username'];
                    $from_cookie = TRUE;
                }
            }

            // password
            if (!empty($pma_cookie_password)) {
                $PHP_AUTH_PW = $pma_cookie_password;
            } else {
                if (!empty($_COOKIE) && isset($_COOKIE['pma_cookie_password'])) {
                    $PHP_AUTH_PW = $_COOKIE['pma_cookie_password'];
                } else {
                    // a username cookie alone does not count as a cookie login
                    $from_cookie = FALSE;
                }
            }
            // cookie value is base64(blowfish(password)); decode then decrypt
            $PHP_AUTH_PW = base64_decode($PHP_AUTH_PW);
            $PHP_AUTH_PW = PMA_blowfish_decrypt($PHP_AUTH_PW, $GLOBALS['cfg']['blowfish_secret']);
            // marker stored instead of an empty password (writing side not on this page)
            if ($PHP_AUTH_PW == "ÿ(blank)") {
                $PHP_AUTH_PW = '';
            }
        }
    }

    // Returns whether we get authentication settings or not
    if (!$from_cookie && !$from_form) {
        return FALSE;
    } elseif ($from_cookie) {
        // get_magic_quotes_gpc() no longer exists in PHP 8; this undoes the
        // automatic escaping of cookie values that old PHP applied
        if (get_magic_quotes_gpc()) {
            $PHP_AUTH_USER = stripslashes($PHP_AUTH_USER);
            // no need to strip password as it is encrypted during transfer
        }
        return TRUE;
    } else {
        // we don't need to strip here, it is done in grab_globals
        return TRUE;
    }
}
/**
 * Builds the "auth" line that precedes a command.
 *
 * $this->_id and $this->_pass are kept encrypted and are only decrypted
 * here, each with its own per-session secret ($_SESSION['secret'][0] for
 * the id, [1] for the password). Without a secret array in the session
 * no header is produced.
 *
 * @return string "auth:<uid>:<password>\n", or '' when no session secret exists
 */
public function GetCmdHeader()
{
    $secrets = isset($_SESSION['secret']) ? $_SESSION['secret'] : null;
    if (!is_array($secrets)) {
        return '';
    }

    $uid = PMA_blowfish_decrypt($this->_id, $secrets[0]);
    $password = PMA_blowfish_decrypt($this->_pass, $secrets[1]);

    return sprintf("auth:%s:%s\n", $uid, $password);
}
/**
 * Auth Decryption has changed from Weatherwax to Binky
 *
 * Dispatches to whichever DokuWiki decryption helper the running release
 * provides: auth_decrypt() (Binky and later) or PMA_blowfish_decrypt()
 * (Weatherwax). If neither exists the error is handed to the debug class
 * and nothing is returned.
 *
 * @param string $pass   encrypted password
 * @param string $secret decryption secret
 * @return string|null decrypted password; null when no helper is available
 */
private function auth_decrypt($pass, $secret)
{
    // Binky
    if (function_exists('auth_decrypt')) {
        return auth_decrypt($pass, $secret);
    }

    // Weatherwax
    if (function_exists('PMA_blowfish_decrypt')) {
        return PMA_blowfish_decrypt($pass, $secret);
    }

    $this->debugClass->runtimeException("No decryption method found");
}
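/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * @author Andreas Gohr <*****@*****.**>
 *
 * @param string $user Username
 * @param string $pass Cleartext Password
 * @param bool $sticky Cookie should not expire
 * @param bool $silent Don't show error on bad auth
 * @return bool true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    global $auth;

    $sticky = (bool) $sticky; // sanity check

    if (!empty($user)) {
        // usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $auth->getUserData($user);

            // set cookie: the blowfish-encrypted password travels inside the
            // cookie, so the cookie salt is the key that protects it
            $pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
            $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
            // 0 = session cookie; sticky logins get one year
            $time = 0;
            if ($sticky) {
                $time = time() + 60 * 60 * 24 * 365; // one year
            }
            setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);

            // set session
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
            $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
            $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
            $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
            return true;
        }

        // invalid credentials - log off
        if (!$silent) {
            msg($lang['badlogin'], -1);
        }
        auth_logoff();
        return false;
    }

    // read cookie information; no cookie means an empty string, which falls
    // through to the logoff below instead of raising a notice
    $cookie = isset($_COOKIE[DOKU_COOKIE]) ? base64_decode($_COOKIE[DOKU_COOKIE]) : '';
    // explode() replaces the removed split(); the limit of 3 keeps any '|' that
    // occurs inside the encrypted password in the last field, array_pad() avoids
    // notices when the cookie has fewer than three fields
    list($user, $sticky, $pass) = array_pad(explode('|', $cookie, 3), 3, null);

    // get session info (guarded read: a missing session is simply "not set")
    $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;

    if ($user && $pass) {
        // we got a cookie - see if we can trust it
        // strict comparisons: == compares two numeric-looking strings as numbers
        if (isset($session)
            && $auth->useSessionCache($user)
            && $session['time'] >= time() - $conf['auth_security_timeout']
            && $session['user'] === $user
            && $session['pass'] === $pass
            && $session['buid'] === auth_browseruid()
        ) {
            // he has session, cookie and browser right - let him in
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $session['info']; //FIXME move all references to session
            return true;
        }

        // no we don't trust it yet - recheck pass but silent
        $pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
        return auth_login($user, $pass, $sticky, true);
    }

    // just to be sure
    auth_logoff();
    return false;
}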
<?php
/**
 * CAPTCHA antispam plugin - Image generator
 *
 * Stand-alone endpoint: bootstraps DokuWiki without a session, recovers the
 * random seed by decrypting the request's secret with the cookie salt,
 * regenerates the CAPTCHA code from it and streams the rendered image.
 *
 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author Andreas Gohr <*****@*****.**>
 */
if (!defined('DOKU_INC')) {
    define('DOKU_INC', dirname(__FILE__) . '/../../../');
}
define('NOSESSION', true);
define('DOKU_DISABLE_GZIP_OUTPUT', 1);

require_once DOKU_INC . 'inc/init.php';
require_once DOKU_INC . 'inc/auth.php';

$ID = $_REQUEST['id'];

$plugin = plugin_load('helper', 'captcha');

// the seed only reproduces the code together with this plugin's fixed identity
$rand = PMA_blowfish_decrypt($_REQUEST['secret'], auth_cookiesalt());
$ident = $plugin->_fixedIdent();
$code = $plugin->_generateCAPTCHA($ident, $rand);

$plugin->_imageCAPTCHA($code);

//Setup VIM: ex: et ts=4 enc=utf-8 :
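/**
 * Checks if the CAPTCHA was solved correctly
 *
 * Three modes (config 'mode'): 'math' regenerates the arithmetic puzzle and
 * takes its answer (element [1]); 'question' uses the configured fixed
 * answer; anything else regenerates the text/image code. The request must
 * carry the encrypted secret ($this->field_sec), the answer
 * ($this->field_in) and an empty honeypot field ($this->field_hp).
 *
 * @param bool $msg when true, an error will be signalled through the msg() method
 * @return bool true when the answer was correct, otherwise false
 */
public function check($msg = true)
{
    // read the three request fields once; missing keys become '' instead of notices
    $secret = isset($_REQUEST[$this->field_sec]) ? $_REQUEST[$this->field_sec] : '';
    $answer = isset($_REQUEST[$this->field_in]) ? $_REQUEST[$this->field_in] : '';
    $honeypot = isset($_REQUEST[$this->field_hp]) ? $_REQUEST[$this->field_hp] : '';

    // compare provided string with decrypted captcha
    $rand = PMA_blowfish_decrypt($secret, auth_cookiesalt());
    $mode = $this->getConf('mode');
    if ($mode === 'math') {
        $code = $this->_generateMATH($this->_fixedIdent(), $rand);
        $code = $code[1];
    } elseif ($mode === 'question') {
        $code = $this->getConf('answer');
    } else {
        $code = $this->_generateCAPTCHA($this->_fixedIdent(), $rand);
    }

    // strict comparison: with != two numeric-looking strings are compared as
    // numbers ("012" == "12"), which matters most in math mode
    $failed = !$secret
        || !$answer
        || utf8_strtolower($answer) !== utf8_strtolower((string) $code)
        || trim($honeypot) !== '';

    if ($failed) {
        if ($msg) {
            msg($this->getLang('testfailed'), -1);
        }
        return false;
    }
    return true;
}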
/**
 * Gets advanced authentication settings
 *
 * this function DOES NOT check authentication - it just checks/provides
 * authentication credentials required to connect to the MySQL server
 * usually with PMA_DBI_connect()
 *
 * it returns false if something is missing - which usually leads to
 * PMA_auth() which displays login form
 *
 * it returns true if all seems ok which usually leads to PMA_auth_set_user()
 *
 * it directly switches to PMA_auth_fails() if user inactivity timeout is reached
 *
 * Order of evaluation, as implemented below:
 *   1. reset the output globals; bail out without a blowfish_secret
 *   2. PMA_CLEAR_COOKIES: remove every per-server cookie, report "nothing"
 *   3. old_usr: logout - destroy the session, remove password cookie(s)
 *   4. pma_username in the request: fresh login, values taken verbatim
 *   5. otherwise recover user/password from the per-server cookies, but only
 *      while the session shows recent activity
 *
 * @todo AllowArbitraryServer on does not imply that the user wants an
 * arbitrary server, or? so we should also check if this is filled and
 * not only if allowed
 * @uses $GLOBALS['PHP_AUTH_USER']
 * @uses $GLOBALS['PHP_AUTH_PW']
 * @uses $GLOBALS['no_activity']
 * @uses $GLOBALS['server']
 * @uses $GLOBALS['from_cookie']
 * @uses $GLOBALS['pma_auth_server']
 * @uses $cfg['blowfish_secret']
 * @uses $cfg['AllowArbitraryServer']
 * @uses $cfg['LoginCookieValidity']
 * @uses $cfg['Servers']
 * @uses $_REQUEST['old_usr'] from logout link
 * @uses $_REQUEST['pma_username'] from login form
 * @uses $_REQUEST['pma_password'] from login form
 * @uses $_REQUEST['pma_servername'] from login form
 * @uses $_COOKIE
 * @uses $_SESSION['last_access_time']
 * @uses PMA_removeCookie()
 * @uses PMA_blowfish_decrypt()
 * @uses PMA_auth_fails()
 * @uses time()
 *
 * @return boolean whether we get authentication settings or not
 *
 * @access public
 */
function PMA_auth_check()
{
    // Initialization
    /**
     * @global $GLOBALS['pma_auth_server'] the user provided server to connect to
     */
    $GLOBALS['pma_auth_server'] = '';
    $GLOBALS['PHP_AUTH_USER'] = $GLOBALS['PHP_AUTH_PW'] = '';
    $GLOBALS['from_cookie'] = false;

    // avoid an error in mcrypt
    // without a blowfish_secret no cookie can be decrypted, so report "nothing"
    if (empty($GLOBALS['cfg']['blowfish_secret'])) {
        return false;
    }

    // full reset: drop password, server and user cookie of every configured server
    if (defined('PMA_CLEAR_COOKIES')) {
        foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
            PMA_removeCookie('pmaPass-' . $key);
            PMA_removeCookie('pmaServer-' . $key);
            PMA_removeCookie('pmaUser-' . $key);
        }
        return false;
    }

    if (!empty($_REQUEST['old_usr'])) {
        // The user wants to be logged out
        // -> delete his choices that were stored in session
        session_destroy();
        // -> delete password cookie(s)
        // only password cookies go; user/server cookies stay. $_COOKIE is cleared
        // as well so the lookup further down does not see the stale value in this
        // same request.
        if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
            foreach ($GLOBALS['cfg']['Servers'] as $key => $val) {
                PMA_removeCookie('pmaPass-' . $key);
                if (isset($_COOKIE['pmaPass-' . $key])) {
                    unset($_COOKIE['pmaPass-' . $key]);
                }
            }
        } else {
            PMA_removeCookie('pmaPass-' . $GLOBALS['server']);
            if (isset($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
                unset($_COOKIE['pmaPass-' . $GLOBALS['server']]);
            }
        }
    }

    if (!empty($_REQUEST['pma_username'])) {
        // The user just logged in
        // NOTE(review): $_REQUEST merges GET, POST and cookie input, so these values
        // are not necessarily from the POSTed login form - confirm that is intended.
        $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
        $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
        if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
            $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
        }
        return true;
    }

    // At the end, try to set the $GLOBALS['PHP_AUTH_USER']
    // and $GLOBALS['PHP_AUTH_PW'] variables from cookies

    // servername
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($_COOKIE['pmaServer-' . $GLOBALS['server']])) {
        $GLOBALS['pma_auth_server'] = $_COOKIE['pmaServer-' . $GLOBALS['server']];
    }

    // username
    if (empty($_COOKIE['pmaUser-' . $GLOBALS['server']])) {
        return false;
    }
    // the cookie is decrypted but nothing on this page verifies its integrity;
    // whatever PMA_blowfish_decrypt() returns is used as the username
    $GLOBALS['PHP_AUTH_USER'] = PMA_blowfish_decrypt($_COOKIE['pmaUser-' . $GLOBALS['server']], $GLOBALS['cfg']['blowfish_secret']);

    // user was never logged in since session start
    if (empty($_SESSION['last_access_time'])) {
        return false;
    }

    // User inactive too long
    // PMA_auth_fails() is expected to render the error; exit makes sure no return
    // value reaches the caller on this path
    if ($_SESSION['last_access_time'] < time() - $GLOBALS['cfg']['LoginCookieValidity']) {
        $GLOBALS['no_activity'] = true;
        PMA_auth_fails();
        exit;
    }

    // password
    if (empty($_COOKIE['pmaPass-' . $GLOBALS['server']])) {
        return false;
    }
    $GLOBALS['PHP_AUTH_PW'] = PMA_blowfish_decrypt($_COOKIE['pmaPass-' . $GLOBALS['server']], $GLOBALS['cfg']['blowfish_secret']);
    // marker the writing side stores instead of an empty password (not on this
    // page); mapped back to '' here
    if ($GLOBALS['PHP_AUTH_PW'] == "ÿ(blank)") {
        $GLOBALS['PHP_AUTH_PW'] = '';
    }

    $GLOBALS['from_cookie'] = true;
    return true;
}
public function testEncryptDecryptBinary()
{
    // Round-trip check for the "binary" case of the encrypt/decrypt pair.
    // NOTE(review): the literal as shown on this page carries no escape
    // sequences; the repository version presumably embeds \0 bytes that the
    // listing dropped - confirm against the source file.
    $secret = '$%ÄüfuDFRR';
    $input = "this isbinary because ofzero bytes";

    $decrypted = PMA_blowfish_decrypt(
        PMA_blowfish_encrypt($input, $secret),
        $secret
    );

    $this->assertEquals($input, $decrypted);
}