Exemplo n.º 1
0
 /**
  * Handle the match
  */
 function handle($match, $state, $pos, Doku_Handler $handler)
 {
     global $ID;
     $match = substr($match, 2, -4);
     $pos = strrpos($match, '$$');
     $text = trim(substr($match, 0, $pos));
     $sig = substr($match, $pos + 2, 32);
     $user = substr($match, $pos + 36);
     $check = md5($ID . $user . trim($text) . auth_cookiesalt());
     return array('text' => $text, 'user' => $user, 'valid' => $sig == $check);
 }
Exemplo n.º 2
0
 /**
  * Authenticate using currently logged in user
  */
 private function authenticate($secondAttempt = false)
 {
     global $auth, $INPUT;
     // Ok, this is evil. We read the login information of the current user and forward it to the HTTPClient
     list($this->user, $sticky, $this->pass) = auth_getCookie();
     // Logged in in second attempt is now in Session.
     if ($secondAttempt && !isset($this->user) && $INPUT->str('u') && $INPUT->str('p')) {
         // We hacked directly into the login mechanism which provides the login information without encryption via $INPUT
         $this->user = $INPUT->str('u');
         $this->pass = $INPUT->str('p');
         $sticky = $INPUT->str('r');
     } else {
         $secret = auth_cookiesalt(!$sticky, true);
         //bind non-sticky to session
         $this->pass = $this->auth_decrypt($this->pass, $secret);
     }
     return isset($this->user);
 }
Exemplo n.º 3
0
 /**
  * Gather all information
  *
  * @return array The popularity data as an array
  */
 function _gather()
 {
     global $conf;
     /** @var $auth DokuWiki_Auth_Plugin */
     global $auth;
     $data = array();
     $phptime = ini_get('max_execution_time');
     @set_time_limit(0);
     $pluginInfo = $this->getInfo();
     // version
     $data['anon_id'] = md5(auth_cookiesalt());
     $data['version'] = getVersion();
     $data['popversion'] = $pluginInfo['date'];
     $data['language'] = $conf['lang'];
     $data['now'] = time();
     $data['popauto'] = (int) $this->isAutoSubmitEnabled();
     // some config values
     $data['conf_useacl'] = $conf['useacl'];
     $data['conf_authtype'] = $conf['authtype'];
     $data['conf_template'] = $conf['template'];
     // number and size of pages
     $list = array();
     search($list, $conf['datadir'], array($this, '_search_count'), array('all' => false), '');
     $data['page_count'] = $list['file_count'];
     $data['page_size'] = $list['file_size'];
     $data['page_biggest'] = $list['file_max'];
     $data['page_smallest'] = $list['file_min'];
     $data['page_nscount'] = $list['dir_count'];
     $data['page_nsnest'] = $list['dir_nest'];
     if ($list['file_count']) {
         $data['page_avg'] = $list['file_size'] / $list['file_count'];
     }
     $data['page_oldest'] = $list['file_oldest'];
     unset($list);
     // number and size of media
     $list = array();
     search($list, $conf['mediadir'], array($this, '_search_count'), array('all' => true));
     $data['media_count'] = $list['file_count'];
     $data['media_size'] = $list['file_size'];
     $data['media_biggest'] = $list['file_max'];
     $data['media_smallest'] = $list['file_min'];
     $data['media_nscount'] = $list['dir_count'];
     $data['media_nsnest'] = $list['dir_nest'];
     if ($list['file_count']) {
         $data['media_avg'] = $list['file_size'] / $list['file_count'];
     }
     unset($list);
     // number and size of cache
     $list = array();
     search($list, $conf['cachedir'], array($this, '_search_count'), array('all' => true));
     $data['cache_count'] = $list['file_count'];
     $data['cache_size'] = $list['file_size'];
     $data['cache_biggest'] = $list['file_max'];
     $data['cache_smallest'] = $list['file_min'];
     if ($list['file_count']) {
         $data['cache_avg'] = $list['file_size'] / $list['file_count'];
     }
     unset($list);
     // number and size of index
     $list = array();
     search($list, $conf['indexdir'], array($this, '_search_count'), array('all' => true));
     $data['index_count'] = $list['file_count'];
     $data['index_size'] = $list['file_size'];
     $data['index_biggest'] = $list['file_max'];
     $data['index_smallest'] = $list['file_min'];
     if ($list['file_count']) {
         $data['index_avg'] = $list['file_size'] / $list['file_count'];
     }
     unset($list);
     // number and size of meta
     $list = array();
     search($list, $conf['metadir'], array($this, '_search_count'), array('all' => true));
     $data['meta_count'] = $list['file_count'];
     $data['meta_size'] = $list['file_size'];
     $data['meta_biggest'] = $list['file_max'];
     $data['meta_smallest'] = $list['file_min'];
     if ($list['file_count']) {
         $data['meta_avg'] = $list['file_size'] / $list['file_count'];
     }
     unset($list);
     // number and size of attic
     $list = array();
     search($list, $conf['olddir'], array($this, '_search_count'), array('all' => true));
     $data['attic_count'] = $list['file_count'];
     $data['attic_size'] = $list['file_size'];
     $data['attic_biggest'] = $list['file_max'];
     $data['attic_smallest'] = $list['file_min'];
     if ($list['file_count']) {
         $data['attic_avg'] = $list['file_size'] / $list['file_count'];
     }
     $data['attic_oldest'] = $list['file_oldest'];
     unset($list);
     // user count
     if ($auth && $auth->canDo('getUserCount')) {
         $data['user_count'] = $auth->getUserCount();
     }
     // calculate edits per day
     $list = @file($conf['metadir'] . '/_dokuwiki.changes');
     $count = count($list);
     if ($count > 2) {
         $first = (int) substr(array_shift($list), 0, 10);
         $last = (int) substr(array_pop($list), 0, 10);
         $dur = ($last - $first) / (60 * 60 * 24);
         // number of days in the changelog
         $data['edits_per_day'] = $count / $dur;
     }
     unset($list);
     // plugins
     $data['plugin'] = plugin_list();
     // pcre info
     if (defined('PCRE_VERSION')) {
         $data['pcre_version'] = PCRE_VERSION;
     }
     $data['pcre_backtrack'] = ini_get('pcre.backtrack_limit');
     $data['pcre_recursion'] = ini_get('pcre.recursion_limit');
     // php info
     $data['os'] = PHP_OS;
     $data['webserver'] = $_SERVER['SERVER_SOFTWARE'];
     $data['php_version'] = phpversion();
     $data['php_sapi'] = php_sapi_name();
     $data['php_memory'] = $this->_to_byte(ini_get('memory_limit'));
     $data['php_exectime'] = $phptime;
     $data['php_extension'] = get_loaded_extensions();
     // plugin usage data
     $this->_add_plugin_usage_data($data);
     return $data;
 }
Exemplo n.º 4
0
 /**
  * Decrypt the given string with the cookie salt
  *
  * @param string $data
  * @return string
  */
 public function decrypt($data)
 {
     $data = base64_decode($data);
     if (function_exists('auth_decrypt')) {
         return auth_decrypt($data, auth_cookiesalt());
         // since binky
     } else {
         return PMA_blowfish_decrypt($data, auth_cookiesalt());
         // deprecated
     }
 }
Exemplo n.º 5
0
/**
 * Update user profile
 *
 * @author    Christopher Smith <*****@*****.**>
 */
function updateprofile()
{
    global $conf;
    global $lang;
    /* @var DokuWiki_Auth_Plugin $auth */
    global $auth;
    /* @var Input $INPUT */
    global $INPUT;
    if (!$INPUT->post->bool('save')) {
        return false;
    }
    if (!checkSecurityToken()) {
        return false;
    }
    if (!actionOK('profile')) {
        msg($lang['profna'], -1);
        return false;
    }
    $changes = array();
    $changes['pass'] = $INPUT->post->str('newpass');
    $changes['name'] = $INPUT->post->str('fullname');
    $changes['mail'] = $INPUT->post->str('email');
    // check misspelled passwords
    if ($changes['pass'] != $INPUT->post->str('passchk')) {
        msg($lang['regbadpass'], -1);
        return false;
    }
    // clean fullname and email
    $changes['name'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['name']));
    $changes['mail'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['mail']));
    // no empty name and email (except the backend doesn't support them)
    if (empty($changes['name']) && $auth->canDo('modName') || empty($changes['mail']) && $auth->canDo('modMail')) {
        msg($lang['profnoempty'], -1);
        return false;
    }
    if (!mail_isvalid($changes['mail']) && $auth->canDo('modMail')) {
        msg($lang['regbadmail'], -1);
        return false;
    }
    $changes = array_filter($changes);
    // check for unavailable capabilities
    if (!$auth->canDo('modName')) {
        unset($changes['name']);
    }
    if (!$auth->canDo('modMail')) {
        unset($changes['mail']);
    }
    if (!$auth->canDo('modPass')) {
        unset($changes['pass']);
    }
    // anything to do?
    if (!count($changes)) {
        msg($lang['profnochange'], -1);
        return false;
    }
    if ($conf['profileconfirm']) {
        if (!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) {
            msg($lang['badpassconfirm'], -1);
            return false;
        }
    }
    if ($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), &$changes))) {
        // update cookie and session with the changed data
        if ($changes['pass']) {
            list(, $sticky, ) = auth_getCookie();
            $pass = auth_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
            auth_setCookie($INPUT->server->str('REMOTE_USER'), $pass, (bool) $sticky);
        }
        return true;
    }
    return false;
}
Exemplo n.º 6
0
/**
 * Check for media for preconditions and return correct status code
 *
 * READ: MEDIA, MIME, EXT, CACHE
 * WRITE: MEDIA, FILE, array( STATUS, STATUSMESSAGE )
 *
 * @author Gerry Weissbach <*****@*****.**>
 * @param $media reference to the media id
 * @param $file reference to the file variable
 * @returns array(STATUS, STATUSMESSAGE)
 */
function checkFileStatus(&$media, &$file)
{
    global $MIME, $EXT, $CACHE;
    //media to local file
    if (preg_match('#^(https?)://#i', $media)) {
        //check hash
        if (substr(md5(auth_cookiesalt() . $media), 0, 6) != $_REQUEST['hash']) {
            return array(412, 'Precondition Failed');
        }
        //handle external images
        if (strncmp($MIME, 'image/', 6) == 0) {
            $file = media_get_from_URL($media, $EXT, $CACHE);
        }
        if (!$file) {
            //download failed - redirect to original URL
            return array(302, $media);
        }
    } else {
        $media = cleanID($media);
        if (empty($media)) {
            return array(400, 'Bad request');
        }
        //check permissions (namespace only)
        if (auth_quickaclcheck(getNS($media) . ':X') < AUTH_READ) {
            return array(403, 'Forbidden');
        }
        $file = mediaFN($media);
    }
    //check file existance
    if (!@file_exists($file)) {
        return array(404, 'Not Found');
    }
    return array(200, null);
}
Exemplo n.º 7
0
/**
 * Return a secret token to be used for CSRF attack prevention
 *
 * @author  Andreas Gohr <*****@*****.**>
 * @link    http://en.wikipedia.org/wiki/Cross-site_request_forgery
 * @link    http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
 *
 * @return  string
 */
function getSecurityToken()
{
    /** @var Input $INPUT */
    global $INPUT;
    return PassHash::hmac('md5', session_id() . $INPUT->server->str('REMOTE_USER'), auth_cookiesalt());
}
Exemplo n.º 8
0
/**
 * Send a  new password
 *
 * This function handles both phases of the password reset:
 *
 *   - handling the first request of password reset
 *   - validating the password reset auth token
 *
 * @author Benoit Chesneau <*****@*****.**>
 * @author Chris Smith <*****@*****.**>
 * @author Andreas Gohr <*****@*****.**>
 *
 * @return bool true on success, false on any error
 */
function act_resendpwd()
{
    global $lang;
    global $conf;
    global $auth;
    if (!actionOK('resendpwd')) {
        return false;
    }
    if (!$auth) {
        return false;
    }
    // should not be able to get here without modPass being possible...
    if (!$auth->canDo('modPass')) {
        msg($lang['resendna'], -1);
        return false;
    }
    $token = preg_replace('/[^a-f0-9]+/', '', $_REQUEST['pwauth']);
    if ($token) {
        // we're in token phase
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        if (!@file_exists($tfile)) {
            msg($lang['resendpwdbadauth'], -1);
            return false;
        }
        $user = io_readfile($tfile);
        @unlink($tfile);
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        $pass = auth_pwgen();
        if (!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
            msg('error modifying user data', -1);
            return false;
        }
        if (auth_sendPassword($user, $pass)) {
            msg($lang['resendpwdsuccess'], 1);
        } else {
            msg($lang['regmailfail'], -1);
        }
        return true;
    } else {
        // we're in request phase
        if (!$_POST['save']) {
            return false;
        }
        if (empty($_POST['login'])) {
            msg($lang['resendpwdmissing'], -1);
            return false;
        } else {
            $user = trim($auth->cleanUser($_POST['login']));
        }
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        // generate auth token
        $token = md5(auth_cookiesalt() . $user);
        //secret but user based
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        $url = wl('', array('do' => 'resendpwd', 'pwauth' => $token), true, '&');
        io_saveFile($tfile, $user);
        $text = rawLocale('pwconfirm');
        $text = str_replace('@DOKUWIKIURL@', DOKU_URL, $text);
        $text = str_replace('@FULLNAME@', $userinfo['name'], $text);
        $text = str_replace('@LOGIN@', $user, $text);
        $text = str_replace('@TITLE@', $conf['title'], $text);
        $text = str_replace('@CONFIRM@', $url, $text);
        if (mail_send($userinfo['name'] . ' <' . $userinfo['mail'] . '>', $lang['regpwmail'], $text, $conf['mailfrom'])) {
            msg($lang['resendpwdconfirm'], 1);
        } else {
            msg($lang['regmailfail'], -1);
        }
        return true;
    }
    return false;
    // never reached
}
Exemplo n.º 9
0
<?php

/**
 * CAPTCHA antispam plugin - Image generator
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Andreas Gohr <*****@*****.**>
 */
if (!defined('DOKU_INC')) {
    define('DOKU_INC', dirname(__FILE__) . '/../../../');
}
define('NOSESSION', true);
define('DOKU_DISABLE_GZIP_OUTPUT', 1);
require_once DOKU_INC . 'inc/init.php';
require_once DOKU_INC . 'inc/auth.php';
$ID = $_REQUEST['id'];
$plugin = plugin_load('helper', 'captcha');
$rand = PMA_blowfish_decrypt($_REQUEST['secret'], auth_cookiesalt());
$code = $plugin->_generateCAPTCHA($plugin->_fixedIdent(), $rand);
$plugin->_imageCAPTCHA($code);
//Setup VIM: ex: et ts=4 enc=utf-8 :
Exemplo n.º 10
0
 /**
  * Build a semi-secret fixed string identifying the current page and user
  *
  * This string is always the same for the current user when editing the same
  * page revision, but only for one day. Editing a page before midnight and saving
  * after midnight will result in a failed CAPTCHA once, but makes sure it can
  * not be reused which is especially important for the registration form where the
  * $ID usually won't change.
  *
  * @return string
  */
 public function _fixedIdent()
 {
     global $ID;
     $lm = @filemtime(wikiFN($ID));
     $td = date('Y-m-d');
     return auth_browseruid() . auth_cookiesalt() . $ID . $lm . $td;
 }
Exemplo n.º 11
0
/**
 * Return a secret token to be used for CSRF attack prevention
 *
 * @author  Andreas Gohr <*****@*****.**>
 * @link    http://en.wikipedia.org/wiki/Cross-site_request_forgery
 * @link    http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
 * @return  string
 */
function getSecurityToken()
{
    return PassHash::hmac('md5', session_id() . $_SERVER['REMOTE_USER'], auth_cookiesalt());
}
Exemplo n.º 12
0
 /**
  * @param   string $user
  * @param   bool   $inbind authldap specific, true if in bind phase
  * @return  array containing user data or false
  */
 protected function _getUserData($user, $inbind = false)
 {
     global $conf;
     if (!$this->_openLDAP()) {
         return false;
     }
     // force superuser bind if wanted and not bound as superuser yet
     if ($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
         // use superuser credentials
         if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
             $this->_debug('LDAP bind as superuser: '******'user'] = $user;
     $info['server'] = $this->getConf('server');
     //get info for given user
     $base = $this->_makeFilter($this->getConf('usertree'), $info);
     if ($this->getConf('userfilter')) {
         $filter = $this->_makeFilter($this->getConf('userfilter'), $info);
     } else {
         $filter = "(ObjectClass=*)";
     }
     $sr = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('userscope'));
     $result = @ldap_get_entries($this->con, $sr);
     $this->_debug('LDAP user search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
     $this->_debug('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
     // Don't accept more or less than one response
     if (!is_array($result) || $result['count'] != 1) {
         return false;
         //user not found
     }
     $user_result = $result[0];
     ldap_free_result($sr);
     // general user info
     $info['dn'] = $user_result['dn'];
     $info['gid'] = $user_result['gidnumber'][0];
     $info['mail'] = $user_result['mail'][0];
     $info['name'] = $user_result['cn'][0];
     $info['grps'] = array();
     // overwrite if other attribs are specified.
     if (is_array($this->getConf('mapping'))) {
         foreach ($this->getConf('mapping') as $localkey => $key) {
             if (is_array($key)) {
                 // use regexp to clean up user_result
                 list($key, $regexp) = each($key);
                 if ($user_result[$key]) {
                     foreach ($user_result[$key] as $grpkey => $grp) {
                         if ($grpkey !== 'count' && preg_match($regexp, $grp, $match)) {
                             if ($localkey == 'grps') {
                                 $info[$localkey][] = $match[1];
                             } else {
                                 $info[$localkey] = $match[1];
                             }
                         }
                     }
                 }
             } else {
                 $info[$localkey] = $user_result[$key][0];
             }
         }
     }
     $user_result = array_merge($info, $user_result);
     //get groups for given user if grouptree is given
     if ($this->getConf('grouptree') || $this->getConf('groupfilter')) {
         $base = $this->_makeFilter($this->getConf('grouptree'), $user_result);
         $filter = $this->_makeFilter($this->getConf('groupfilter'), $user_result);
         $sr = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('groupscope'), array($this->getConf('groupkey')));
         $this->_debug('LDAP group search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         $this->_debug('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
         if (!$sr) {
             msg("LDAP: Reading group memberships failed", -1);
             $this->_debug('LDAP group search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
             return false;
         }
         $result = ldap_get_entries($this->con, $sr);
         ldap_free_result($sr);
         if (is_array($result)) {
             foreach ($result as $grp) {
                 if (!empty($grp[$this->getConf('groupkey')])) {
                     $group = $grp[$this->getConf('groupkey')];
                     if (is_array($group)) {
                         $group = $group[0];
                     } else {
                         $this->_debug('groupkey did not return a detailed result', 0, __LINE__, __FILE__);
                     }
                     if ($group === '') {
                         continue;
                     }
                     $this->_debug('LDAP usergroup: ' . htmlspecialchars($group), 0, __LINE__, __FILE__);
                     $info['grps'][] = $group;
                 }
             }
         }
     }
     // merge local groups into group list
     if ($this->users === null) {
         $this->_loadUserData();
     }
     if (is_array($this->users[$user]['grps'])) {
         foreach ($this->users[$user]['grps'] as $group) {
             if (in_array($group, $info['grps'])) {
                 continue;
             }
             $info['grps'][] = $group;
         }
     }
     return $info;
 }
Exemplo n.º 13
0
/**
 * Build a link to a media file
 *
 * Will return a link to the detail page if $direct is false
 *
 * The $more parameter should always be given as array, the function then
 * will strip default parameters to produce even cleaner URLs
 *
 * @param string  $id     the media file id or URL
 * @param mixed   $more   string or array with additional parameters
 * @param bool    $direct link to detail page if false
 * @param string  $sep    URL parameter separator
 * @param bool    $abs    Create an absolute URL
 * @return string
 */
function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
{
    global $conf;
    $isexternalimage = preg_match('#^(https?|ftp)://#i', $id);
    if (!$isexternalimage) {
        $id = cleanID($id);
    }
    if (is_array($more)) {
        // add token for resized images
        if ($more['w'] || $more['h']) {
            $more['tok'] = media_get_token($id, $more['w'], $more['h']);
        }
        // strip defaults for shorter URLs
        if (isset($more['cache']) && $more['cache'] == 'cache') {
            unset($more['cache']);
        }
        if (!$more['w']) {
            unset($more['w']);
        }
        if (!$more['h']) {
            unset($more['h']);
        }
        if (isset($more['id']) && $direct) {
            unset($more['id']);
        }
        $more = buildURLparams($more, $sep);
    } else {
        $matches = array();
        if (preg_match_all('/\\b(w|h)=(\\d*)\\b/', $more, $matches, PREG_SET_ORDER)) {
            $resize = array('w' => 0, 'h' => 0);
            foreach ($matches as $match) {
                $resize[$match[1]] = $match[2];
            }
            $more .= $sep . 'tok=' . media_get_token($id, $resize['w'], $resize['h']);
        }
        $more = str_replace('cache=cache', '', $more);
        //skip default
        $more = str_replace(',,', ',', $more);
        $more = str_replace(',', $sep, $more);
    }
    if ($abs) {
        $xlink = DOKU_URL;
    } else {
        $xlink = DOKU_BASE;
    }
    // external URLs are always direct without rewriting
    if ($isexternalimage) {
        $xlink .= 'lib/exe/fetch.php';
        // add hash:
        $xlink .= '?hash=' . substr(md5(auth_cookiesalt() . $id), 0, 6);
        if ($more) {
            $xlink .= $sep . $more;
            $xlink .= $sep . 'media=' . rawurlencode($id);
        } else {
            $xlink .= $sep . 'media=' . rawurlencode($id);
        }
        return $xlink;
    }
    $id = idfilter($id);
    // decide on scriptname
    if ($direct) {
        if ($conf['userewrite'] == 1) {
            $script = '_media';
        } else {
            $script = 'lib/exe/fetch.php';
        }
    } else {
        if ($conf['userewrite'] == 1) {
            $script = '_detail';
        } else {
            $script = 'lib/exe/detail.php';
        }
    }
    // build URL based on rewrite mode
    if ($conf['userewrite']) {
        $xlink .= $script . '/' . $id;
        if ($more) {
            $xlink .= '?' . $more;
        }
    } else {
        if ($more) {
            $xlink .= $script . '?' . $more;
            $xlink .= $sep . 'media=' . $id;
        } else {
            $xlink .= $script . '?media=' . $id;
        }
    }
    return $xlink;
}
Exemplo n.º 14
0
<?php
/**
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Andreas Gohr <*****@*****.**>
 *
 * Simple redirector script to avoid security warnings when embedding HTTP in SSL secured sites
 *
 * To avoid open redirects, a secret hash has to be provided
 */
if(!defined('DOKU_INC')) define('DOKU_INC', dirname(__FILE__) . '/../../../');
define('NOSESSION', true);
require_once(DOKU_INC . 'inc/init.php');
global $INPUT;

$url  = $INPUT->str('url');
$hash = $INPUT->str('hash');

if(!$url) die('sorry. no url');
if(!$hash) die('sorry. no hash');
if($hash != md5(auth_cookiesalt() . 'vshare' . $url)) die('sorry. wrong hash');

send_redirect($url);
Exemplo n.º 15
0
/**
 * Calculate a token to be used to verify fetch requests for resized or
 * cropped images have been internally generated - and prevent external
 * DDOS attacks via fetch
 *
 * @author Christopher Smith <*****@*****.**>
 *
 * @param string  $id    id of the image
 * @param int     $w     resize/crop width
 * @param int     $h     resize/crop height
 * @return string
 */
function media_get_token($id, $w, $h)
{
    // token is only required for modified images
    if ($w || $h || media_isexternal($id)) {
        $token = $id;
        if ($w) {
            $token .= '.' . $w;
        }
        if ($h) {
            $token .= '.' . $h;
        }
        return substr(PassHash::hmac('md5', $token, auth_cookiesalt()), 0, 6);
    }
    return '';
}
Exemplo n.º 16
0
 /**
  * Checks if the CAPTCHA string submitted is valid
  *
  * @author     Andreas Gohr <*****@*****.**>
  * @adaption   Esther Brunner <*****@*****.**>
  */
 function _captchaCheck()
 {
     if (plugin_isdisabled('captcha') || !($captcha = plugin_load('helper', 'captcha'))) {
         return;
     }
     // CAPTCHA is disabled or not available
     // do nothing if logged in user and no CAPTCHA required
     if (!$captcha->getConf('forusers') && $_SERVER['REMOTE_USER']) {
         return;
     }
     // compare provided string with decrypted captcha
     $rand = PMA_blowfish_decrypt($_REQUEST['plugin__captcha_secret'], auth_cookiesalt());
     $code = $captcha->_generateCAPTCHA($captcha->_fixedIdent(), $rand);
     if (!$_REQUEST['plugin__captcha_secret'] || !$_REQUEST['plugin__captcha'] || strtoupper($_REQUEST['plugin__captcha']) != $code) {
         // CAPTCHA test failed! Continue to edit instead of saving
         msg($captcha->getLang('testfailed'), -1);
         if ($_REQUEST['comment'] == 'save') {
             $_REQUEST['comment'] = 'edit';
         } elseif ($_REQUEST['comment'] == 'add') {
             $_REQUEST['comment'] = 'show';
         }
     }
     // if we arrive here it was a valid save
 }
Exemplo n.º 17
0
/**
 * Return a secret token to be used for CSRF attack prevention
 *
 * @author  Andreas Gohr <*****@*****.**>
 * @link    http://en.wikipedia.org/wiki/Cross-site_request_forgery
 * @link    http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
 * @return  string
 */
function getSecurityToken()
{
    return md5(auth_cookiesalt() . session_id());
}
Exemplo n.º 18
0
 /**
  * Render the flash player
  */
 function render($mode, Doku_Renderer $R, $data)
 {
     if ($mode != 'xhtml') {
         return false;
     }
     if (is_null($data)) {
         return false;
     }
     if ($data['align'] == 0) {
         $align = 'none';
     }
     if ($data['align'] == 1) {
         $align = 'right';
     }
     if ($data['align'] == 2) {
         $align = 'left';
     }
     if ($data['align'] == 3) {
         $align = 'center';
     }
     if ($data['title']) {
         $title = ' title="' . hsc($data['title']) . '"';
     }
     if (is_a($R, 'renderer_plugin_dw2pdf')) {
         // Output for PDF renderer
         $R->doc .= '<div class="vshare__' . $align . '"
                          width="' . $data['width'] . '"
                          height="' . $data['height'] . '">';
         $R->doc .= '<a href="' . $data['url'] . '" class="vshare">';
         $R->doc .= '<img src="' . DOKU_BASE . 'lib/plugins/vshare/video.png" />';
         $R->doc .= '</a>';
         $R->doc .= '<br />';
         $R->doc .= '<a href="' . $data['url'] . '" class="vshare">';
         $R->doc .= $data['title'] ? hsc($data['title']) : 'Video';
         $R->doc .= '</a>';
         $R->doc .= '</div>';
     } else {
         // use redirector for HTTP embeds on SSL sites
         if (is_ssl() && substr($data['url'], 0, 7) == 'http://') {
             $data['url'] = DOKU_BASE . 'lib/plugins/vshare/redir.php' . '?url=' . rawurlencode($data['url']) . '&hash=' . md5(auth_cookiesalt() . 'vshare' . $data['url']);
         }
         // Normal output
         if ($data['type'] == 'flash') {
             // embed flash
             $R->doc .= '<div class="vshare__' . $align . '"' . $title . '>';
             $R->doc .= html_flashobject($data['url'], $data['width'], $data['height'], $data['vars'], $data['vars']);
             $R->doc .= '</div>';
         } else {
             // embed iframe
             $R->doc .= '<iframe ';
             $R->doc .= buildAttributes(array('src' => $data['url'], 'height' => $data['height'], 'width' => $data['width'], 'class' => 'vshare__' . $align, 'allowfullscreen' => '', 'frameborder' => 0, 'scrolling' => 'no'));
             $R->doc .= '>' . hsc($data['title']) . '</iframe>';
         }
     }
 }
Exemplo n.º 19
0
/**
 * Calculate a token to be used to verify fetch requests for resized or
 * cropped images have been internally generated - and prevent external
 * DDOS attacks via fetch
 *
 * @param string  $id    id of the image
 * @param int     $w     resize/crop width
 * @param int     $h     resize/crop height
 *
 * @author Christopher Smith <*****@*****.**>
 */
function media_get_token($id, $w, $h)
{
    // token is only required for modified images
    if ($w || $h) {
        $token = auth_cookiesalt() . $id;
        if ($w) {
            $token .= '.' . $w;
        }
        if ($h) {
            $token .= '.' . $h;
        }
        return substr(md5($token), 0, 6);
    }
    return '';
}
Exemplo n.º 20
0
/**
 * Build a link to a media file
 *
 * Will return a link to the detail page if $direct is false
 *
 * The $more parameter should always be given as array, the function then
 * will strip default parameters to produce even cleaner URLs
 *
 * @param string  $id     the media file id or URL
 * @param mixed   $more   string or array with additional parameters
 * @param bool    $direct link to detail page if false
 * @param string  $sep    URL parameter separator
 * @param bool    $abs    Create an absolute URL
 * @return string
 */
function ml($id = '', $more = '', $direct = true, $sep = '&amp;', $abs = false)
{
    global $conf;
    if (is_array($more)) {
        // strip defaults for shorter URLs
        if (isset($more['cache']) && $more['cache'] == 'cache') {
            unset($more['cache']);
        }
        if (!$more['w']) {
            unset($more['w']);
        }
        if (!$more['h']) {
            unset($more['h']);
        }
        if (isset($more['id']) && $direct) {
            unset($more['id']);
        }
        $more = buildURLparams($more, $sep);
    } else {
        $more = str_replace('cache=cache', '', $more);
        //skip default
        $more = str_replace(',,', ',', $more);
        $more = str_replace(',', $sep, $more);
    }
    if ($abs) {
        $xlink = DOKU_URL;
    } else {
        $xlink = DOKU_BASE;
    }
    // external URLs are always direct without rewriting
    if (preg_match('#^(https?|ftp)://#i', $id)) {
        $xlink .= 'lib/exe/fetch.php';
        // add hash:
        $xlink .= '?hash=' . substr(md5(auth_cookiesalt() . $id), 0, 6);
        if ($more) {
            $xlink .= $sep . $more;
            $xlink .= $sep . 'media=' . rawurlencode($id);
        } else {
            $xlink .= $sep . 'media=' . rawurlencode($id);
        }
        return $xlink;
    }
    $id = idfilter($id);
    // decide on scriptname
    if ($direct) {
        if ($conf['userewrite'] == 1) {
            $script = '_media';
        } else {
            $script = 'lib/exe/fetch.php';
        }
    } else {
        if ($conf['userewrite'] == 1) {
            $script = '_detail';
        } else {
            $script = 'lib/exe/detail.php';
        }
    }
    // build URL based on rewrite mode
    if ($conf['userewrite']) {
        $xlink .= $script . '/' . $id;
        if ($more) {
            $xlink .= '?' . $more;
        }
    } else {
        if ($more) {
            $xlink .= $script . '?' . $more;
            $xlink .= $sep . 'media=' . $id;
        } else {
            $xlink .= $script . '?media=' . $id;
        }
    }
    return $xlink;
}
Exemplo n.º 21
0
//get input
$MEDIA = stripctl(getID('media', false));
// no cleaning except control chars - maybe external
$CACHE = calc_cache($_REQUEST['cache']);
$WIDTH = (int) $_REQUEST['w'];
$HEIGHT = (int) $_REQUEST['h'];
list($EXT, $MIME, $DL) = mimetype($MEDIA, false);
if ($EXT === false) {
    $EXT = 'unknown';
    $MIME = 'application/octet-stream';
    $DL = true;
}
//media to local file
if (preg_match('#^(https?)://#i', $MEDIA)) {
    //check hash
    if (substr(md5(auth_cookiesalt() . $MEDIA), 0, 6) != $_REQUEST['hash']) {
        header("HTTP/1.0 412 Precondition Failed");
        print 'Precondition Failed';
        exit;
    }
    //handle external images
    if (strncmp($MIME, 'image/', 6) == 0) {
        $FILE = media_get_from_URL($MEDIA, $EXT, $CACHE);
    }
    if (!$FILE) {
        //download failed - redirect to original URL
        header('Location: ' . $MEDIA);
        exit;
    }
} else {
    $MEDIA = cleanID($MEDIA);
Exemplo n.º 22
0
 /**
  * Definition of the function modifyUser in order to modify the password
  *
  * @param   string $user    nick of the user to be changed
  * @param   array  $changes array of field/value pairs to be changed (password will be clear text)
  * @return  bool   true on success, false on error
  */
 function modifyUser($user, $changes)
 {
     // open the connection to the ldap
     if (!$this->_openLDAP()) {
         $this->_debug('LDAP cannot connect: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         return false;
     }
     // find the information about the user, in particular the "dn"
     $info = $this->getUserData($user, true);
     if (empty($info['dn'])) {
         $this->_debug('LDAP cannot find your user dn', 0, __LINE__, __FILE__);
         return false;
     }
     $dn = $info['dn'];
     // find the old password of the user
     list($loginuser, $loginsticky, $loginpass) = auth_getCookie();
     if ($loginuser !== null) {
         // the user is currently logged in
         $secret = auth_cookiesalt(!$loginsticky, true);
         $pass = auth_decrypt($loginpass, $secret);
         // bind with the ldap
         if (!@ldap_bind($this->con, $dn, $pass)) {
             $this->_debug('LDAP user bind failed: ' . htmlspecialchars($dn) . ': ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
             return false;
         }
     } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
         // we are changing the password on behalf of the user (eg: forgotten password)
         // bind with the superuser ldap
         if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
             $this->_debug('LDAP bind as superuser: '******'pass']);
     // change the password
     if (!@ldap_mod_replace($this->con, $dn, array('userpassword' => $hash))) {
         $this->_debug('LDAP mod replace failed: ' . htmlspecialchars($dn) . ': ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         return false;
     }
     return true;
 }
Exemplo n.º 23
0
<?php

//fix for Opera XMLHttpRequests
if (!count($_POST) && $HTTP_RAW_POST_DATA) {
    parse_str($HTTP_RAW_POST_DATA, $_POST);
}
if (!defined('DOKU_INC')) {
    define('DOKU_INC', dirname(__FILE__) . '/../../../');
}
require_once DOKU_INC . 'inc/init.php';
require_once DOKU_INC . 'inc/common.php';
require_once DOKU_INC . 'inc/pageutils.php';
require_once DOKU_INC . 'inc/auth.php';
//close sesseion
session_write_close();
header('Content-Type: text/plain; charset=utf-8');
$text = $_POST['text'];
$id = $_POST['id'];
$user = $_SERVER['REMOTE_USER'];
$sig = md5($id . $user . trim($text) . auth_cookiesalt());
echo '{{', $text, ' $$', $sig, '--', $user, '$$}}';
Exemplo n.º 24
0
 function test_ml_imgresize_array_external()
 {
     global $conf;
     $conf['useslash'] = 0;
     $conf['userewrite'] = 0;
     $ids = array('https://example.com/lib/tpl/dokuwiki/images/logo.png', 'http://example.com/lib/tpl/dokuwiki/images/logo.png', 'ftp://example.com/lib/tpl/dokuwiki/images/logo.png');
     $w = 80;
     $args = array('w' => $w);
     foreach ($ids as $id) {
         $tok = media_get_token($id, $w, 0);
         $hash = substr(PassHash::hmac('md5', $id, auth_cookiesalt()), 0, 6);
         $expect = DOKU_BASE . $this->script . '?w=' . $w . '&amp;tok=' . $tok . '&amp;media=' . rawurlencode($id);
         $this->assertEquals($expect, ml($id, $args));
     }
     $h = 50;
     $args = array('h' => $h);
     $tok = media_get_token($id, $h, 0);
     $expect = DOKU_BASE . $this->script . '?h=' . $h . '&amp;tok=' . $tok . '&amp;media=' . rawurlencode($id);
     $this->assertEquals($expect, ml($id, $args));
     $w = 80;
     $h = 50;
     $args = array('w' => $w, 'h' => $h);
     $tok = media_get_token($id, $w, $h);
     $expect = DOKU_BASE . $this->script . '?w=' . $w . '&amp;h=' . $h . '&amp;tok=' . $tok . '&amp;media=' . rawurlencode($id);
     $this->assertEquals($expect, ml($id, $args));
 }
Exemplo n.º 25
0
 function process_preregister_check(&$event, $param)
 {
     global $ACT, $INPUT;
     if ($ACT != 'preregistercheck') {
         return;
     }
     if ($_GET && $_GET['prereg']) {
         $md5 = $INPUT->str('prereg');
         if (!preg_match("/^(\\w){32}\$/", $md5, $matches)) {
             return;
         }
         echo $this->getLang('registering') . $md5;
         $this->process_registration($md5);
         $event->preventDefault();
         return;
     }
     $event->preventDefault();
     if (!$_POST['login']) {
         msg('missing login: please fill out all fields');
         return;
     } else {
         if (!$_POST['fullname']) {
             msg('missing Real Name: please fill out all fields');
             return;
         }
     }
     if ($this->captcha == 'captcha') {
         $captcha = $this->loadHelper('captcha', true);
         if (!$captcha->check()) {
             return;
         }
     }
     if ($this->is_user($_REQUEST['login'])) {
         return;
     }
     // name already taken
     if ($this->captcha == 'builtin') {
         $failed = false;
         if (!isset($_REQUEST['card'])) {
             echo '<h4>' . $this->getLang('cards_nomatch') . '</h4>';
             return;
         }
         foreach ($_REQUEST['card'] as $card) {
             if (strpos($_REQUEST['sel'], $card) === false) {
                 $failed = true;
                 break;
             }
         }
         if ($failed) {
             echo '<h4>' . $this->getLang('cards_nomatch') . '</h4>';
             return;
         }
     }
     $t = time();
     $salt = auth_cookiesalt();
     $index = md5(microtime() . $salt);
     $url = DOKU_URL . 'doku.php?' . htmlentities($INPUT->str('id')) . '&do=preregistercheck&prereg=' . $index;
     if ($this->getConf('send_confirm')) {
         $valid_email = true;
         if ($this->send_link($_REQUEST['email'], $url, $valid_email)) {
             echo $this->getLang('confirmation');
         } else {
             if ($valid_email) {
                 echo $this->getLang('email_problem');
             }
         }
     } else {
         echo "<a href='{$url}'>{$url}</a><br /><br />\n";
         echo $this->getLang('screen_confirm');
     }
     $data = unserialize(io_readFile($this->metaFn, false));
     if (!$data) {
         $data = array();
     }
     $data[$index] = $_POST;
     $data[$index]['savetime'] = $t;
     io_saveFile($this->metaFn, serialize($data));
 }
Exemplo n.º 26
0
 /**
  * Return user info
  *
  * Returns info about the given user needs to contain
  * at least these fields:
  *
  * name string  full name of the user
  * mail string  email addres of the user
  * grps array   list of groups the user is in
  *
  * This LDAP specific function returns the following
  * addional fields:
  *
  * dn     string  distinguished name (DN)
  * uid    string  Posix User ID
  * inbind bool    for internal use - avoid loop in binding
  *
  * @author  Andreas Gohr <*****@*****.**>
  * @author  Trouble
  * @author  Dan Allen <*****@*****.**>
  * @author  <*****@*****.**>
  * @author  Stephane Chazelas <*****@*****.**>
  * @return  array containing user data or false
  */
 function getUserData($user, $inbind = false)
 {
     global $conf;
     if (!$this->_openLDAP()) {
         return false;
     }
     // force superuser bind if wanted and not bound as superuser yet
     if ($this->cnf['binddn'] && $this->cnf['bindpw'] && $this->bound < 2) {
         // use superuser credentials
         if (!@ldap_bind($this->con, $this->cnf['binddn'], $this->cnf['bindpw'])) {
             if ($this->cnf['debug']) {
                 msg('LDAP bind as superuser: '******'auth']['pass'], auth_cookiesalt());
         $this->checkPass($_SESSION[DOKU_COOKIE]['auth']['user'], $pass);
     }
     $info['user'] = $user;
     $info['server'] = $this->cnf['server'];
     //get info for given user
     $base = $this->_makeFilter($this->cnf['usertree'], $info);
     if (!empty($this->cnf['userfilter'])) {
         $filter = $this->_makeFilter($this->cnf['userfilter'], $info);
     } else {
         $filter = "(ObjectClass=*)";
     }
     $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['userscope']);
     $result = @ldap_get_entries($this->con, $sr);
     if ($this->cnf['debug']) {
         msg('LDAP user search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         msg('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
     }
     // Don't accept more or less than one response
     if (!is_array($result) || $result['count'] != 1) {
         return false;
         //user not found
     }
     $user_result = $result[0];
     ldap_free_result($sr);
     // general user info
     $info['dn'] = $user_result['dn'];
     $info['gid'] = $user_result['gidnumber'][0];
     $info['mail'] = $user_result['mail'][0];
     $info['name'] = $user_result['cn'][0];
     $info['grps'] = array();
     // overwrite if other attribs are specified.
     if (is_array($this->cnf['mapping'])) {
         foreach ($this->cnf['mapping'] as $localkey => $key) {
             if (is_array($key)) {
                 // use regexp to clean up user_result
                 list($key, $regexp) = each($key);
                 if ($user_result[$key]) {
                     foreach ($user_result[$key] as $grp) {
                         if (preg_match($regexp, $grp, $match)) {
                             if ($localkey == 'grps') {
                                 $info[$localkey][] = $match[1];
                             } else {
                                 $info[$localkey] = $match[1];
                             }
                         }
                     }
                 }
             } else {
                 $info[$localkey] = $user_result[$key][0];
             }
         }
     }
     $user_result = array_merge($info, $user_result);
     //get groups for given user if grouptree is given
     if ($this->cnf['grouptree'] || $this->cnf['groupfilter']) {
         $base = $this->_makeFilter($this->cnf['grouptree'], $user_result);
         $filter = $this->_makeFilter($this->cnf['groupfilter'], $user_result);
         $sr = $this->_ldapsearch($this->con, $base, $filter, $this->cnf['groupscope'], array($this->cnf['groupkey']));
         if ($this->cnf['debug']) {
             msg('LDAP group search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
             msg('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
         }
         if (!$sr) {
             msg("LDAP: Reading group memberships failed", -1);
             return false;
         }
         $result = ldap_get_entries($this->con, $sr);
         ldap_free_result($sr);
         if (is_array($result)) {
             foreach ($result as $grp) {
                 if (!empty($grp[$this->cnf['groupkey']][0])) {
                     if ($this->cnf['debug']) {
                         msg('LDAP usergroup: ' . htmlspecialchars($grp[$this->cnf['groupkey']][0]), 0, __LINE__, __FILE__);
                     }
                     $info['grps'][] = $grp[$this->cnf['groupkey']][0];
                 }
             }
         }
     }
     // always add the default group to the list of groups
     if (!in_array($conf['defaultgroup'], $info['grps'])) {
         $info['grps'][] = $conf['defaultgroup'];
     }
     return $info;
 }
Exemplo n.º 27
0
/**
 * Send a  new password
 *
 * This function handles both phases of the password reset:
 *
 *   - handling the first request of password reset
 *   - validating the password reset auth token
 *
 * @author Benoit Chesneau <*****@*****.**>
 * @author Chris Smith <*****@*****.**>
 * @author Andreas Gohr <*****@*****.**>
 *
 * @return bool true on success, false on any error
 */
function act_resendpwd()
{
    global $lang;
    global $conf;
    global $auth;
    if (!actionOK('resendpwd')) {
        msg($lang['resendna'], -1);
        return false;
    }
    $token = preg_replace('/[^a-f0-9]+/', '', $_REQUEST['pwauth']);
    if ($token) {
        // we're in token phase - get user info from token
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        if (!@file_exists($tfile)) {
            msg($lang['resendpwdbadauth'], -1);
            unset($_REQUEST['pwauth']);
            return false;
        }
        // token is only valid for 3 days
        if (time() - filemtime($tfile) > 3 * 60 * 60 * 24) {
            msg($lang['resendpwdbadauth'], -1);
            unset($_REQUEST['pwauth']);
            @unlink($tfile);
            return false;
        }
        $user = io_readfile($tfile);
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        if (!$conf['autopasswd']) {
            // we let the user choose a password
            // password given correctly?
            if (!isset($_REQUEST['pass']) || $_REQUEST['pass'] == '') {
                return false;
            }
            if ($_REQUEST['pass'] != $_REQUEST['passchk']) {
                msg($lang['regbadpass'], -1);
                return false;
            }
            $pass = $_REQUEST['pass'];
            if (!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
                msg('error modifying user data', -1);
                return false;
            }
        } else {
            // autogenerate the password and send by mail
            $pass = auth_pwgen();
            if (!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
                msg('error modifying user data', -1);
                return false;
            }
            if (auth_sendPassword($user, $pass)) {
                msg($lang['resendpwdsuccess'], 1);
            } else {
                msg($lang['regmailfail'], -1);
            }
        }
        @unlink($tfile);
        return true;
    } else {
        // we're in request phase
        if (!$_POST['save']) {
            return false;
        }
        if (empty($_POST['login'])) {
            msg($lang['resendpwdmissing'], -1);
            return false;
        } else {
            $user = trim($auth->cleanUser($_POST['login']));
        }
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        // generate auth token
        $token = md5(auth_cookiesalt() . $user);
        //secret but user based
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        $url = wl('', array('do' => 'resendpwd', 'pwauth' => $token), true, '&');
        io_saveFile($tfile, $user);
        $text = rawLocale('pwconfirm');
        $text = str_replace('@DOKUWIKIURL@', DOKU_URL, $text);
        $text = str_replace('@FULLNAME@', $userinfo['name'], $text);
        $text = str_replace('@LOGIN@', $user, $text);
        $text = str_replace('@TITLE@', $conf['title'], $text);
        $text = str_replace('@CONFIRM@', $url, $text);
        if (empty($conf['mailprefix'])) {
            $subject = $lang['regpwmail'];
        } else {
            $subject = '[' . $conf['mailprefix'] . '] ' . $lang['regpwmail'];
        }
        if (mail_send($userinfo['name'] . ' <' . $userinfo['mail'] . '>', $subject, $text, $conf['mailfrom'])) {
            msg($lang['resendpwdconfirm'], 1);
        } else {
            msg($lang['regmailfail'], -1);
        }
        return true;
    }
    return false;
    // never reached
}
Exemplo n.º 28
0
/**
 * Send a  new password
 *
 * This function handles both phases of the password reset:
 *
 *   - handling the first request of password reset
 *   - validating the password reset auth token
 *
 * @author Benoit Chesneau <*****@*****.**>
 * @author Chris Smith <*****@*****.**>
 * @author Andreas Gohr <*****@*****.**>
 *
 * @return bool true on success, false on any error
 */
function act_resendpwd()
{
    global $lang;
    global $conf;
    /* @var auth_basic $auth */
    global $auth;
    /* @var Input $INPUT */
    global $INPUT;
    if (!actionOK('resendpwd')) {
        msg($lang['resendna'], -1);
        return false;
    }
    $token = preg_replace('/[^a-f0-9]+/', '', $INPUT->str('pwauth'));
    if ($token) {
        // we're in token phase - get user info from token
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        if (!@file_exists($tfile)) {
            msg($lang['resendpwdbadauth'], -1);
            $INPUT->remove('pwauth');
            return false;
        }
        // token is only valid for 3 days
        if (time() - filemtime($tfile) > 3 * 60 * 60 * 24) {
            msg($lang['resendpwdbadauth'], -1);
            $INPUT->remove('pwauth');
            @unlink($tfile);
            return false;
        }
        $user = io_readfile($tfile);
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        if (!$conf['autopasswd']) {
            // we let the user choose a password
            $pass = $INPUT->str('pass');
            // password given correctly?
            if (!$pass) {
                return false;
            }
            if ($pass != $INPUT->str('passchk')) {
                msg($lang['regbadpass'], -1);
                return false;
            }
            // change it
            if (!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
                msg('error modifying user data', -1);
                return false;
            }
        } else {
            // autogenerate the password and send by mail
            $pass = auth_pwgen();
            if (!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
                msg('error modifying user data', -1);
                return false;
            }
            if (auth_sendPassword($user, $pass)) {
                msg($lang['resendpwdsuccess'], 1);
            } else {
                msg($lang['regmailfail'], -1);
            }
        }
        @unlink($tfile);
        return true;
    } else {
        // we're in request phase
        if (!$INPUT->post->bool('save')) {
            return false;
        }
        if (!$INPUT->post->str('login')) {
            msg($lang['resendpwdmissing'], -1);
            return false;
        } else {
            $user = trim($auth->cleanUser($INPUT->post->str('login')));
        }
        $userinfo = $auth->getUserData($user);
        if (!$userinfo['mail']) {
            msg($lang['resendpwdnouser'], -1);
            return false;
        }
        // generate auth token
        $token = md5(auth_cookiesalt() . $user);
        //secret but user based
        $tfile = $conf['cachedir'] . '/' . $token[0] . '/' . $token . '.pwauth';
        $url = wl('', array('do' => 'resendpwd', 'pwauth' => $token), true, '&');
        io_saveFile($tfile, $user);
        $text = rawLocale('pwconfirm');
        $trep = array('FULLNAME' => $userinfo['name'], 'LOGIN' => $user, 'CONFIRM' => $url);
        $mail = new Mailer();
        $mail->to($userinfo['name'] . ' <' . $userinfo['mail'] . '>');
        $mail->subject($lang['regpwmail']);
        $mail->setBody($text, $trep);
        if ($mail->send()) {
            msg($lang['resendpwdconfirm'], 1);
        } else {
            msg($lang['regmailfail'], -1);
        }
        return true;
    }
    // never reached
}
Exemplo n.º 29
0
 /**
  * Build a semi-secret fixed string identifying the current page and user
  *
  * This string is always the same for the current user when editing the same
  * page revision.
  */
 function _fixedIdent()
 {
     global $ID;
     $lm = @filemtime(wikiFN($ID));
     return auth_browseruid() . auth_cookiesalt() . $ID . $lm;
 }