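// Handle a posted sign-in form: verify the password against auth.user_list,
// issue the "auth" cookie and redirect to $next_page.
//
// $next_page  local path to redirect to on success (default "/"); anything that
//             is not a local path falls back to "/" so this cannot be used as an
//             open redirect.
// Never returns: every path ends in die.
function auth_sign_in($next_page = "/") {
	global $AUTH_EXP;
	global $AUTH_KEY;
	$username = http_post_string("username", array("len" => 50, "valid" => "[a-z][0-9]"));
	$password = http_post_string("password", array("len" => 50));
	if (!string_uses(substr($username, 0, 1), "[a-z]")) {
		die("invalid username [{$username}]");
	}
	$row = run_sql("select user_id, password, salt from auth.user_list where username = ?", array($username));
	// Unknown user and wrong password report the same failure so the sign-in
	// form cannot be used to enumerate accounts. (The digest is still skipped
	// for unknown users, so a timing difference remains — acceptable here.)
	if (count($row) == 0) {
		die("wrong username or password");
	}
	// Constant-time, strict comparison. The old `!=` was a loose comparison
	// (numeric-looking digests compare numerically) and leaked timing.
	$stored = (string) $row[0]["password"];
	if (!hash_equals($stored, (string) crypt_sha256($password . $row[0]["salt"]))) {
		die("wrong username or password");
	}
	$expire = time() + $AUTH_EXP;
	// Cookie payload followed by a keyed digest over it.
	// NOTE(review): the listing had this concatenation mangled ("&user="******"user_id"]);
	// rebuilt from the user_id column selected above — confirm.
	// NOTE(review): check_auth() in this file reads expire=<epoch>&zid=..., while this
	// writes exp=<YmdHis>&user=... — confirm both are the same generation of the code.
	// NOTE(review): crypt_sha256($AUTH_KEY . data) is a prefix-MAC (length-extension
	// prone); it is left as is because the verifier expects this exact construction.
	// Moving both sides to hash_hmac('sha256', ...) is the proper fix.
	$cookie = "exp=" . date("YmdHis", $expire) . "&user=" . $row[0]["user_id"];
	$cookie .= "&hash=" . crypt_sha256($AUTH_KEY . $cookie);
	// HttpOnly keeps the token out of reach of script; Secure is set only when this
	// request itself arrived over TLS so plain-http deployments keep working.
	$secure = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";
	setcookie("auth", $cookie, $expire, "", "", $secure, true);
	// Only follow a local path: "http://..." or "//host/..." would be an open redirect.
	if ($next_page === "" || $next_page[0] !== "/" || substr($next_page, 0, 2) === "//") {
		$next_page = "/";
	}
	header("Location: {$next_page}");
	die;
}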
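// Validate the "auth" cookie and populate the $auth_zid / $auth_user /
// $javascript_enabled globals. A missing cookie leaves the request anonymous;
// a malformed, expired or forged cookie is cleared (expire_auth) and the
// request is aborted with die.
function check_auth() {
	global $auth_key;
	global $auth_zid;
	global $auth_user;
	global $request_script;
	global $javascript_enabled;
	$auth_zid = "";
	$javascript_enabled = false;
	// Explicit defaults instead of @-suppressed undefined-index reads.
	$auth = $_COOKIE["auth"] ?? "";
	$map = map_from_url_string($auth);
	$expire = (string) ($map["expire"] ?? "");
	$zid = (string) ($map["zid"] ?? "");
	$hash = (string) ($map["hash"] ?? "");
	if ($zid == "") {
		return;
	}
	if (!string_uses($expire, "[0-9]")) {
		expire_auth();
		die("invalid expire");
	}
	// $expire is digits-only here; an empty string compares as expired.
	if (time() > $expire) {
		expire_auth();
		die("auth expired");
	}
	if (!string_uses($zid, "[a-z][0-9]@.-")) {
		expire_auth();
		die("invalid zid [{$zid}]");
	}
	// Recompute the digest over exactly the fields the cookie carries.
	// NOTE(review): this is a prefix-MAC (key . data), which is length-extension prone;
	// kept because the issuer writes the same construction — switch both to hash_hmac().
	$test = (string) crypt_sha256($auth_key . "expire={$expire}&zid={$zid}");
	// Constant-time, strict comparison. The old `!=` compared loosely (a digest that
	// looks numeric, e.g. "0e123...", equals "0") and leaked timing on a value the
	// client controls.
	if (!hash_equals($test, $hash)) {
		expire_auth();
		die("wrong auth hash");
	}
	$auth_zid = $zid;
	$auth_user = db_get_conf("user_conf", $auth_zid);
	// assumes db_get_conf returns the conf rows keyed by name — confirm
	$javascript_enabled = $auth_user["javascript_enabled"] ?? false;
}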
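// Build an RFC 5322 style Message-ID: "<epoch>.<8 hex chars>@<server_name>".
// The random part comes from the CSPRNG (random_bytes) instead of rand(),
// whose output is predictable from its seed; 4 bytes -> 8 hex characters,
// the same width as the old substr(crypt_sha256(rand()), 0, 8).
function generate_message_id() {
	global $server_name;
	$nonce = bin2hex(random_bytes(4));
	return time() . "." . $nonce . "@{$server_name}";
}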
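$s .= "\n";
$s .= "date_default_timezone_set(\"UTC\");\n";
$s .= "\$https_enabled = true;\n";
$s .= "\$story_image_enabled = false;\n";
// NOTE(review): $s becomes conf.php and is written below; the values spliced into it
// earlier are not visible here — confirm each one is escaped as a PHP literal, since
// an unescaped setup-form value would be executed on every request.
$sql_server = "mysql:host={$sql_server}";
$sql_open = false;
open_database();
fs_slap("{$top_root}/conf.php", $s);
if (!db_has_database($sql_database)) {
	// $sql_database is spliced into DDL as an identifier, which a placeholder cannot
	// bind, so it is restricted to a plain MySQL identifier first. It presumably
	// comes from the setup form — confirm.
	if (!preg_match('/^[A-Za-z0-9_$]{1,64}$/', (string) $sql_database)) {
		die("invalid database name");
	}
	run_sql("create database {$sql_database}");
	run_sql("use {$sql_database}");
	run_sql_file("{$top_root}/schema.sql");
	run_sql_file("{$top_root}/default.sql");
	// First admin account: salted sha256 via the project's crypt_sha256 helper,
	// stored as user_conf rows alongside the admin/editor flags.
	$zid = "{$admin_username}@{$server_name}";
	$salt = random_hash();
	$pass = crypt_sha256("{$admin_password}{$salt}");
	run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "admin", "1"));
	run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "editor", "1"));
	run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "password", $pass));
	run_sql("insert into user_conf (zid, name, value) values (?, ?, ?)", array($zid, "salt", $salt));
}
header("Location: /");
die;
}
// Setup form (reached only when nothing was posted).
writeln('<!DOCTYPE html>');
writeln('<html>');
writeln('<head>');
writeln('<title>Pipecode Setup</title>');
writeln('<meta http-equiv="Content-type" content="text/html;charset=UTF-8">');
writeln('<link rel="stylesheet" href="/style.css" type="text/css"/>');
writeln('</head>');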
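$user_conf["salt"] = $salt;
db_set_conf("user_conf", $user_conf, $zid);
db_del_rec("email_challenge", $verify);
print_header("Password Reset");
writeln('<h1>Password Reset</h1>');
writeln('<p>Don\'t forget it this time!</p>');
print_footer();
die;
}
// "Forgot password" request: create a reset challenge and mail the link.
$username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]"));
// NOTE(review): the zid is built from $site_name while the mail body below uses
// $server_name — confirm these are the same value.
$zid = strtolower($username) . "@{$site_name}";
if (!is_local_user($zid)) {
	// NOTE(review): this reveals whether an account exists; a reset flow normally
	// answers identically either way.
	die("no such user [{$zid}]");
}
$user_conf = db_get_conf("user_conf", $zid);
// The reset token is a bearer credential for the account and must be unguessable.
// rand() is a seeded, predictable generator, so the token now comes from the CSPRNG:
// 32 bytes -> 64 lowercase hex characters (the width of a sha256 hex digest, assuming
// crypt_sha256 returned hex — confirm the verify-side validator accepts lowercase hex).
$hash = bin2hex(random_bytes(32));
// One outstanding challenge per username.
if (db_has_rec("email_challenge", array("username" => $username))) {
	db_del_rec("email_challenge", array("username" => $username));
}
$email_challenge = array();
$email_challenge["challenge"] = $hash;
$email_challenge["username"] = $username;
// NOTE(review): $user is not assigned anywhere in this span; the record loaded above is
// $user_conf. If $user is not set by earlier code the link is mailed to nobody — confirm.
$email_challenge["email"] = $user["email"];
// Challenge is valid for three days.
$email_challenge["expires"] = time() + 86400 * 3;
db_set_rec("email_challenge", $email_challenge);
$subject = "Forgot Password";
$body = "Did you forget your password for \"{$username}\" on {$server_name}?\n";
$body .= "\n";
$body .= "In order to reset your password, you must visit the following link:\n";
$body .= "\n";
if ($https_enabled) {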
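//
// You should have received a copy of the GNU General Public License
// along with Pipecode. If not, see <http://www.gnu.org/licenses/>.
//

// Sign-in page: on POST verify the credentials, issue the "auth" cookie and
// redirect; otherwise render the form (over https when enabled).
if (http_post()) {
	$username = http_post_string("username", array("len" => 20, "valid" => "[a-z][A-Z][0-9]"));
	$password = http_post_string("password", array("len" => 64, "valid" => "[KEYBOARD]"));
	$referer = http_get_string("referer", array("required" => false, "len" => 200, "valid" => "[a-z][A-Z][0-9].+-_/?&#=;~"));
	$zid = strtolower($username) . "@{$server_name}";
	$user_conf = db_get_conf("user_conf", $zid);
	// Constant-time, strict comparison. The old `!=` was a loose comparison
	// (numeric-looking digests compare numerically) and leaked timing. An unknown
	// user has no stored hash and gets the same "wrong password" as a bad password.
	$stored = (string) ($user_conf["password"] ?? "");
	$salt = (string) ($user_conf["salt"] ?? "");
	if ($stored === "" || !hash_equals($stored, (string) crypt_sha256($password . $salt))) {
		die("wrong password");
	}
	$expire = time() + $auth_expire;
	// Cookie payload followed by a keyed digest over it; check_auth() recomputes
	// exactly this. NOTE(review): key . data is a prefix-MAC (length-extension prone);
	// kept for compatibility with the verifier — hash_hmac() on both sides is the fix.
	$cookie = "expire={$expire}&zid={$zid}";
	$cookie .= "&hash=" . crypt_sha256($auth_key . $cookie);
	// HttpOnly keeps the token away from script; Secure whenever the site runs https.
	setcookie("auth", $cookie, time() + $auth_expire, "/", ".{$server_name}", (bool) $https_enabled, true);
	// The allowed character set already excludes ':' (no absolute URLs), but a
	// "//host/path" value is still a protocol-relative redirect to another origin.
	if ($referer != "" && substr($referer, 0, 2) !== "//") {
		header("Location: {$referer}");
	} else {
		header("Location: ./");
	}
	// Stop here: without this the https redirect below replaced the Location header
	// (and on https the form was rendered into the redirect response).
	die;
}
if ($protocol != "https" && $https_enabled) {
	header("Location: https://{$server_name}/sign_in");
	die;
}
print_header("Sign In");
writeln('<hr/>');
writeln('<h1>Sign In</h1>');
if ($https_enabled) {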