/**
 * Round-trip test: a string containing ASCII punctuation and non-ASCII
 * (Latin-1 / UTF-8) characters must survive encrypt() followed by
 * decrypt() with the same key unchanged.
 */
public function testEncryptDecryptChars()
{
    $key = '$%ÄüfuDFRR';
    $plain = 'abcDEF012!"§$%&/()=?`´"\',.;:-_#+*~öäüÖÄÜ^°²³';

    $ciphertext = PMA_blowfish_encrypt($plain, $key);
    $roundtrip = PMA_blowfish_decrypt($ciphertext, $key);

    $this->assertEquals($plain, $roundtrip);
}
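/**
 * Returns the HTML to display the CAPTCHA with the chosen method
 *
 * A per-request random value is drawn, encrypted with the site's cookie
 * salt and echoed back in a hidden field ($this->field_sec); the image and
 * audio endpoints receive the same encrypted value through the URL. The
 * check that re-derives the expected code from it lives elsewhere and is
 * not part of this method.
 *
 * @return string HTML fragment
 */
public function getHTML()
{
    global $ID;

    // NOTE(review): only 10001 possible values and mt_rand() is not a
    // CSPRNG. mt_rand() is at least a better generator than rand() on old
    // PHP; on PHP >= 7 random_int() would be the right call here.
    $rand = (double) mt_rand(0, 10000) / 10000;
    $mode = $this->getConf('mode');

    if ($mode == 'math') {
        $code = $this->_generateMATH($this->_fixedIdent(), $rand);
        $code = $code[0];
        $text = $this->getLang('fillmath');
    } elseif ($mode == 'question') {
        // admin-provided question text, emitted as-is like the lang strings
        $text = $this->getConf('question');
    } else {
        $code = $this->_generateCAPTCHA($this->_fixedIdent(), $rand);
        $text = $this->getLang('fillcaptcha');
    }

    $secret = PMA_blowfish_encrypt($rand, auth_cookiesalt());
    $txtlen = $this->getConf('lettercount');

    // Query string shared by the image and audio endpoints. Secret and page
    // ID are URL-encoded here, and the complete URL is HTML-escaped (hsc)
    // where it lands in an attribute, so '&' is emitted as '&amp;' rather
    // than as a bare ampersand.
    $query = '?secret=' . rawurlencode($secret) . '&id=' . rawurlencode($ID);
    $img_url = DOKU_BASE . 'lib/plugins/captcha/img.php' . $query;
    $wav_url = DOKU_BASE . 'lib/plugins/captcha/wav.php' . $query;
    $img_tag = '<img src="' . hsc($img_url) . '" '
        . ' width="' . $this->getConf('width') . '" height="' . $this->getConf('height') . '" alt="" /> ';

    $out = '';
    $out .= '<div id="plugin__captcha_wrapper">';
    $out .= '<input type="hidden" name="' . $this->field_sec . '" value="' . hsc($secret) . '" />';
    $out .= '<label for="plugin__captcha">' . $text . '</label> ';

    switch ($mode) {
        case 'math':
        case 'text':
            $out .= $this->_obfuscateText($code);
            break;
        case 'js':
            $out .= '<span id="plugin__captcha_code">' . $this->_obfuscateText($code) . '</span>';
            break;
        case 'image':
            $out .= $img_tag;
            break;
        case 'audio':
            $out .= $img_tag;
            $out .= '<a href="' . hsc($wav_url) . '"'
                . ' class="JSnocheck" title="' . $this->getLang('soundlink') . '">';
            $out .= '<img src="' . DOKU_BASE . 'lib/plugins/captcha/sound.png" width="16" height="16"'
                . ' alt="' . $this->getLang('soundlink') . '" /></a>';
            break;
        case 'figlet':
            require_once dirname(__FILE__) . '/figlet.php';
            $figlet = new phpFiglet();
            if ($figlet->loadfont(dirname(__FILE__) . '/figlet.flf')) {
                $out .= '<pre>';
                $out .= rtrim($figlet->fetch($code));
                $out .= '</pre>';
            } else {
                msg('Failed to load figlet.flf font file. CAPTCHA broken', -1);
            }
            break;
    }

    $out .= ' <input type="text" size="' . $txtlen . '" name="' . $this->field_in . '" class="edit" /> ';
    // add honeypot field (presumably hidden by the "no" CSS class, so only
    // automated submissions fill it in)
    $out .= '<label class="no">' . $this->getLang('honeypot') . '<input type="text" name="' . $this->field_hp . '" /></label>';
    $out .= '</div>';

    return $out;
}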
} } // end if // here $nopass could be == 1 if (empty($error_msg)) { // Defines the url to return to in case of error in the sql statement $common_url_query = PMA_generate_common_url(); $err_url = 'user_password.php?' . $common_url_query; $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD'; $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')'); $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); // Changes password cookie if required // Duration = till the browser is closed for password (we don't want this to be saved) if ($cfg['Server']['auth_type'] == 'cookie') { PMA_setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'])); } // end if // For http auth. mode, the "back" link will also enforce new // authentication $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&old_usr=relog' : ''; // Displays the page require_once './libraries/header.inc.php'; echo '<h1>' . $strChangePassword . '</h1>' . "\n\n"; $show_query = 'y'; PMA_showMessage($strUpdateProfileMessage); ?> <a href="index.php?<?php echo $common_url_query . $http_logout; ?> " target="_parent">
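/**
 * Update user profile
 *
 * Validates the posted profile form (full name, e-mail, new password) and
 * hands the changed fields to the auth backend via triggerUserMod('modify').
 * On success the login cookie is rewritten so a changed password does not
 * invalidate the current login.
 *
 * @author Christopher Smith <*****@*****.**>
 *
 * @return bool true when the profile was changed, false otherwise
 */
function updateprofile()
{
    global $conf;
    global $INFO;
    global $lang;
    global $auth;

    if (!$auth) {
        return false;
    }
    if (empty($_POST['save'])) {
        return false;
    }
    // CSRF check: a state change must carry a valid security token
    if (!checkSecurityToken()) {
        return false;
    }
    // should not be able to get here without Profile being possible...
    if (!$auth->canDo('Profile')) {
        msg($lang['profna'], -1);
        return false;
    }

    $newpass = isset($_POST['newpass']) ? $_POST['newpass'] : '';
    $passchk = isset($_POST['passchk']) ? $_POST['passchk'] : '';
    // strict comparison: '!=' would treat numeric-looking strings such as
    // "1e3" and "1000" as equal
    if ($newpass !== $passchk) {
        msg($lang['regbadpass'], -1); // complain about misspelled passwords
        return false;
    }

    //clean fullname and email
    $fullname = isset($_POST['fullname']) ? $_POST['fullname'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $_POST['fullname'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $fullname));
    $_POST['email'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $email));

    if ((empty($_POST['fullname']) && $auth->canDo('modName'))
        || (empty($_POST['email']) && $auth->canDo('modMail'))) {
        msg($lang['profnoempty'], -1);
        return false;
    }
    if (!mail_isvalid($_POST['email']) && $auth->canDo('modMail')) {
        msg($lang['regbadmail'], -1);
        return false;
    }

    // collect only the fields that actually differ and that the backend
    // allows to be modified ($changes was never initialised before)
    $changes = array();
    if ($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) {
        $changes['name'] = $_POST['fullname'];
    }
    if ($_POST['email'] != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) {
        $changes['mail'] = $_POST['email'];
    }
    // note: empty() also rejects the password "0"; kept as in the original
    if (!empty($newpass) && $auth->canDo('modPass')) {
        $changes['pass'] = $newpass;
    }
    if (!count($changes)) {
        msg($lang['profnochange'], -1);
        return false;
    }

    // optionally re-authenticate before applying the change
    if ($conf['profileconfirm']) {
        $oldpass = isset($_POST['oldpass']) ? $_POST['oldpass'] : '';
        if (!$auth->checkPass($_SERVER['REMOTE_USER'], $oldpass)) {
            msg($lang['badlogin'], -1);
            return false;
        }
    }

    if (!$auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) {
        return false;
    }

    // update cookie and session with the changed data; the cookie is
    // "user|sticky|encrypted-pass", missing parts default to ''
    $cookie = isset($_COOKIE[DOKU_COOKIE]) ? base64_decode($_COOKIE[DOKU_COOKIE]) : '';
    list($user, $sticky, $pass) = array_pad(explode('|', $cookie, 3), 3, '');
    if (isset($changes['pass'])) {
        $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt());
    }
    auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
    return true;
}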
/**
 * Set the user and password after last checkings if required
 *
 * Picks the configured server entry that matches the login, optionally
 * overrides the host (AllowArbitraryServer), stores the credentials in
 * $cfg['Server'], refreshes the encrypted username/password cookies and,
 * on a fresh (non-cookie) login, sets the servername cookie and redirects
 * to index.php so the client's cookie support is exercised.
 *
 * @global array   the valid servers settings
 * @global integer the id of the current server
 * @global array   the current server settings
 * @global string  the current username
 * @global string  the current password
 * @global boolean whether the login/password pair has been grabbed from
 *                 a cookie or not
 *
 * @return boolean always true
 *
 * @access public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used: select the configured
    // server whose connection parameters and user match the login.
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        $connection_keys = array('host', 'port', 'socket', 'ssl', 'connect_type');
        foreach ($cfg['Servers'] as $candidate_id => $candidate) {
            if ($candidate['user'] != $PHP_AUTH_USER) {
                continue;
            }
            $same_connection = true;
            foreach ($connection_keys as $key) {
                if ($candidate[$key] != $cfg['Server'][$key]) {
                    $same_connection = false;
                    break;
                }
            }
            if ($same_connection) {
                $server = $candidate_id;
                $cfg['Server'] = $candidate;
                break;
            }
        }
    }

    // Arbitrary host override, only when enabled and actually different
    $server_changed = $cfg['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server;
    if ($server_changed) {
        $cfg['Server']['host'] = $pma_auth_server;
    }

    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Name and password cookies need to be refreshed each time.
    // Username: blowfish(user:time, secret), duration one month.
    // Password: blowfish(pass, secret.time), duration as configured
    // (LoginCookieStore). An empty password is stored as a placeholder.
    $now = $GLOBALS['current_time'];
    $blowfish_secret = $cfg['blowfish_secret'];
    $stored_password = empty($cfg['Server']['password']) ? "******" : $cfg['Server']['password'];
    PMA_setCookie(
        'pma_cookie_username-' . $server,
        PMA_blowfish_encrypt($PHP_AUTH_USER . ':' . $now, $blowfish_secret)
    );
    PMA_setCookie(
        'pma_cookie_password-' . $server,
        PMA_blowfish_encrypt($stored_password, $blowfish_secret . $now),
        null,
        $cfg['LoginCookieStore']
    );

    // A cookie-based login is done here; a fresh login additionally sets
    // the servername cookie and forces a reload to check cookie support.
    if ($from_cookie) {
        return true;
    }

    if ($cfg['AllowArbitraryServer']) {
        if ($server_changed) {
            // Duration = one month for servername
            PMA_setCookie('pma_cookie_servername-' . $server, $cfg['Server']['host']);
        } else {
            // Delete servername cookie
            PMA_removeCookie('pma_cookie_servername-' . $server);
        }
    }

    // Parameters carried over to index.php: db/table when non-empty, the
    // language chosen on the login panel, and a target other than index.php
    $url_params = array();
    foreach (array('db', 'table') as $key) {
        if (isset($GLOBALS[$key]) && strlen($GLOBALS[$key])) {
            $url_params[$key] = $GLOBALS[$key];
        }
    }
    if (!empty($GLOBALS['lang'])) {
        $url_params['lang'] = $GLOBALS['lang'];
    }
    if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
        $url_params['target'] = $GLOBALS['target'];
    }

    define('PMA_COMING_FROM_COOKIE_LOGIN', 1);
    PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . 'index.php' . PMA_generate_common_url($url_params, '&'));
    exit;
}
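/**
 * Set the user and password after last checkings if required
 *
 * Selects the configured server entry matching the login, applies an
 * arbitrary host when AllowArbitraryServer permits it, stores the
 * credentials in $cfg['Server'] and, on a fresh (non-cookie) login, writes
 * the login cookies and redirects to index.php so the browser's cookie
 * support is exercised.
 *
 * @global array   the valid servers settings
 * @global integer the id of the current server
 * @global array   the current server settings
 * @global string  the current username
 * @global string  the current password
 * @global boolean whether the login/password pair has been grabbed from
 *                 a cookie or not
 *
 * @return boolean always true
 *
 * @access public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used.
    // Walk the actual keys of $cfg['Servers']: the array is 1-based and may
    // be sparse, so a 1..count() loop can skip entries whose index is larger
    // than the element count.
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        foreach ($cfg['Servers'] as $idx => $candidate) {
            if ($candidate['host'] == $cfg['Server']['host']
                && $candidate['user'] == $PHP_AUTH_USER) {
                $server = $idx;
                $cfg['Server'] = $candidate;
                break;
            }
        }
    } // end if

    $pma_server_changed = FALSE;
    if ($GLOBALS['cfg']['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }

    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Set cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if ($pma_server_changed) {
                // Duration = one month for servername
                setcookie('pma_cookie_servername', $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername', '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }
        // Duration = one month for username.
        // NOTE(review): the username is stored in clear; the cookies carry
        // the 'secure' flag only when $is_https and no httponly flag.
        setcookie('pma_cookie_username', $cfg['Server']['user'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
        // Duration = till the browser is closed for password.
        // Some binary contents are now retrieved properly when stored
        // as a cookie, so we base64_encode(). An empty password is stored
        // as a placeholder string.
        setcookie('pma_cookie_password', base64_encode(PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'])), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);

        // loic1: workaround against a IIS 5.0 bug
        if (empty($GLOBALS['SERVER_SOFTWARE'])) {
            if (isset($_SERVER) && !empty($_SERVER['SERVER_SOFTWARE'])) {
                $GLOBALS['SERVER_SOFTWARE'] = $_SERVER['SERVER_SOFTWARE'];
            }
        } // end if
        $redirect = $cfg['PmaAbsoluteUri'] . 'index.php?' . PMA_generate_common_url('', '', '&');
        if (!empty($GLOBALS['SERVER_SOFTWARE']) && $GLOBALS['SERVER_SOFTWARE'] == 'Microsoft-IIS/5.0') {
            header('Refresh: 0; url=' . $redirect);
        } else {
            header('Location: ' . $redirect);
        }
        exit;
    } // end if

    return TRUE;
}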
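/**
 * Set the user and password after last checkings if required
 *
 * Selects the configured server entry matching the login, applies an
 * arbitrary host when AllowArbitraryServer permits it, stores the
 * credentials in $cfg['Server'], refreshes the per-server username and
 * password cookies and, on a fresh (non-cookie) login, sets the servername
 * cookie and redirects to index.php so the browser's cookie support is
 * exercised.
 *
 * @global array   the valid servers settings
 * @global integer the id of the current server
 * @global array   the current server settings
 * @global string  the current username
 * @global string  the current password
 * @global boolean whether the login/password pair has been grabbed from
 *                 a cookie or not
 *
 * @return boolean always true
 *
 * @access public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used.
    // Walk the actual keys of $cfg['Servers']: the array is 1-based and may
    // be sparse, so a 1..count() loop can skip entries whose index is larger
    // than the element count.
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        foreach ($cfg['Servers'] as $idx => $candidate) {
            if ($candidate['host'] == $cfg['Server']['host']
                && $candidate['user'] == $PHP_AUTH_USER) {
                $server = $idx;
                $cfg['Server'] = $candidate;
                break;
            }
        }
    } // end if

    $pma_server_changed = FALSE;
    if ($GLOBALS['cfg']['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }

    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Name and password cookies need to be refreshed each time.
    // NOTE(review): both carry the 'secure' flag only when $is_https and no
    // httponly flag.
    // Duration = one month for username: blowfish(user:time, secret)
    setcookie('pma_cookie_username-' . $server, PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'], $GLOBALS['cfg']['blowfish_secret']), time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
    // Duration = till the browser is closed for password (we don't want this
    // to be saved): blowfish(pass, secret.time); an empty password is stored
    // as a placeholder string
    setcookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);

    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if ($pma_server_changed) {
                // Duration = one month for servername
                setcookie('pma_cookie_servername-' . $server, $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }

        // loic1: workaround against a IIS 5.0 bug
        // lem9: here, PMA_sendHeaderLocation() has not yet been defined,
        // so use the workaround
        if (empty($GLOBALS['SERVER_SOFTWARE'])) {
            if (isset($_SERVER) && !empty($_SERVER['SERVER_SOFTWARE'])) {
                $GLOBALS['SERVER_SOFTWARE'] = $_SERVER['SERVER_SOFTWARE'];
            }
        } // end if
        $common_url = PMA_generate_common_url(
            isset($GLOBALS['db']) ? $GLOBALS['db'] : '',
            isset($GLOBALS['table']) ? $GLOBALS['table'] : '',
            '&'
        );
        if (!empty($GLOBALS['SERVER_SOFTWARE']) && $GLOBALS['SERVER_SOFTWARE'] == 'Microsoft-IIS/5.0') {
            header('Refresh: 0; url=' . $cfg['PmaAbsoluteUri'] . 'index.php?' . $common_url);
        } else {
            // the session id is only appended on the Location branch, as before
            header('Location: ' . $cfg['PmaAbsoluteUri'] . 'index.php?' . $common_url . '&' . SID);
        }
        exit;
    } // end if

    return TRUE;
}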
/**
 * Encrypt the given string with the cookie salt
 *
 * Prefers DokuWiki's auth_encrypt() (available since "binky") and falls
 * back to the deprecated PMA_blowfish_encrypt() on older releases. The
 * ciphertext is base64-encoded so it can be transported as text.
 *
 * @param string $data
 * @return string base64-encoded ciphertext
 */
public function encrypt($data)
{
    $salt = auth_cookiesalt();
    $ciphertext = function_exists('auth_encrypt')
        ? auth_encrypt($data, $salt)          // since binky
        : PMA_blowfish_encrypt($data, $salt); // deprecated
    return base64_encode($ciphertext);
}
} } // end if // here $nopass could be == 1 if (empty($error_msg)) { // Defines the url to return to in case of error in the sql statement $common_url_query = PMA_generate_common_url(); $err_url = 'user_password.php?' . $common_url_query; $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD'; $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')'); $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); // Changes password cookie if required // Duration = till the browser is closed for password (we don't want this to be saved) if ($cfg['Server']['auth_type'] == 'cookie') { PMA_setCookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time'])); } // end if // For http auth. mode, the "back" link will also enforce new // authentication $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&old_usr=relog' : ''; // Displays the page require_once './libs/header.inc.php'; echo '<h1>' . $strChangePassword . '</h1>' . "\n\n"; $show_query = 'y'; PMA_showMessage($strUpdateProfileMessage); ?> <a href="index.php?<?php echo $common_url_query . $http_logout; ?> " target="_parent">
} } // end if // here $nopass could be == 1 if (empty($error_msg)) { // Defines the url to return to in case of error in the sql statement $common_url_query = PMA_generate_common_url(); $err_url = 'user_password.php?' . $common_url_query; $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD'; $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')'); $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url); // Changes password cookie if required // Duration = till the browser is closed for password (we don't want this to be saved) if ($cfg['Server']['auth_type'] == 'cookie') { setcookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']); } // end if // For http auth. mode, the "back" link will also enforce new // authentication $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&old_usr=relog' : ''; // Displays the page require_once './header.inc.php'; echo '<h1>' . $strChangePassword . '</h1>' . "\n\n"; $show_query = 'y'; PMA_showMessage($strUpdateProfileMessage); ?> <a href="index.php?<?php echo $common_url_query . $http_logout; ?> " target="_parent">
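/**
 * Change password authentication type
 *
 * After a password change: refreshes the encrypted password cookie for the
 * current server in cookie auth mode, and in http auth mode adds the
 * parameter that makes the "back" link force a re-authentication.
 *
 * @param array  $_url_params
 * @param string $password
 *
 * @return array $_url_params
 */
function PMA_changePassAuthType($_url_params, $password)
{
    /**
     * Changes password cookie if required
     * Duration = till the browser is closed for password (we don't want this to be saved)
     */
    if ($GLOBALS['cfg']['Server']['auth_type'] == 'cookie') {
        // $server is not a local of this function; read the current server
        // index from the globals, otherwise the cookie would be named
        // 'pmaPass-' and never match the cookie the login code reads.
        $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $GLOBALS['server'], PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret']));
    }

    /**
     * For http auth. mode, the "back" link will also enforce new
     * authentication
     */
    if ($GLOBALS['cfg']['Server']['auth_type'] == 'http') {
        $_url_params['old_usr'] = '******';
    }

    return $_url_params;
}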
if (empty($pma_pw) || empty($pma_pw2)) { $error_msg = $strPasswordEmpty; } } // end if // here $nopass could be == 1 if (empty($error_msg)) { // Defines the url to return to in case of error in the sql statement $common_url_query = PMA_generate_common_url(); $err_url = 'user_password.php?' . $common_url_query; $sql_query = 'SET password = '******'' ? '\'\'' : 'PASSWORD(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')'); $local_query = 'SET password = '******'' ? '\'\'' : 'PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')'); $result = @PMA_mysql_query($local_query) or PMA_mysqlDie('', '', FALSE, $err_url); // Changes password cookie if required if ($cfg['Server']['auth_type'] == 'cookie') { setcookie('pma_cookie_password', base64_encode(PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'])), 0, $cookie_path, '', $is_https); } // end if // For http auth. mode, the "back" link will also enforce new // authentication $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&old_usr=relog' : ''; // Displays the page require_once './header.inc.php'; echo '<h1>' . $strChangePassword . '</h1>' . "\n\n"; $show_query = 'y'; PMA_showMessage($strUpdateProfileMessage); ?> <a href="index.php?<?php echo $common_url_query . $http_logout; ?> " target="_parent">
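/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additonally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was availabe the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * @author Andreas Gohr <*****@*****.**>
 *
 * @param string $user   Username
 * @param string $pass   Cleartext Password
 * @param bool   $sticky Cookie should not expire
 * @param bool   $silent Don't show error on bad auth
 * @return bool true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    global $auth;
    $sticky = (bool) $sticky; //sanity check

    if (!empty($user)) {
        //usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $auth->getUserData($user);

            // set cookie: "user|sticky|blowfish(pass, cookie salt)". The
            // cookie is only as secret as the salt, and this setcookie()
            // call sets neither the 'secure' nor the 'httponly' flag.
            $pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
            $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
            // sticky: one year; otherwise 0 = session cookie (the original
            // left $time undefined in that case)
            $time = $sticky ? time() + 60 * 60 * 24 * 365 : 0;
            setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);

            // set session
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
            $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
            $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
            $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
            return true;
        }

        //invalid credentials - log off
        if (!$silent) {
            msg($lang['badlogin'], -1);
        }
        auth_logoff();
        return false;
    }

    // read cookie information (explode() replaces the removed split())
    if (isset($_COOKIE[DOKU_COOKIE])) {
        $cookie = base64_decode($_COOKIE[DOKU_COOKIE]);
        list($user, $sticky, $pass) = array_pad(explode('|', $cookie, 3), 3, '');

        // get session info
        $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;

        if ($user && $pass) {
            // we got a cookie - see if we can trust it: session must be
            // fresh and agree with the cookie on user, encrypted password
            // and browser id (strict comparisons, no type juggling)
            if ($session !== null
                && $auth->useSessionCache($user)
                && $session['time'] >= time() - $conf['auth_security_timeout']
                && $session['user'] === $user
                && $session['pass'] === $pass
                && $session['buid'] === auth_browseruid()) {
                // he has session, cookie and browser right - let him in
                $_SERVER['REMOTE_USER'] = $user;
                $USERINFO = $session['info']; //FIXME move all references to session
                return true;
            }
            // no we don't trust it yet - recheck pass but silent
            $pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
            return auth_login($user, $pass, $sticky, true);
        }
    }

    //just to be sure
    auth_logoff();
    return false;
}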
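/**
 * Set the user and password after last checkings if required
 *
 * Selects the configured server entry matching the login, applies an
 * arbitrary host when AllowArbitraryServer permits it, stores the
 * credentials in $cfg['Server'], refreshes the per-server username and
 * password cookies and, on a fresh (non-cookie) login, sets the servername
 * cookie and redirects to index.php (carrying db, table, lang and target)
 * so the browser's cookie support is exercised.
 *
 * @global array   the valid servers settings
 * @global integer the id of the current server
 * @global array   the current server settings
 * @global string  the current username
 * @global string  the current password
 * @global boolean whether the login/password pair has been grabbed from
 *                 a cookie or not
 *
 * @return boolean always true
 *
 * @access public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used.
    // Walk the actual keys of $cfg['Servers']: the array is 1-based and may
    // be sparse, so a 1..count() loop can skip entries whose index is larger
    // than the element count.
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        foreach ($cfg['Servers'] as $idx => $candidate) {
            if ($candidate['host'] == $cfg['Server']['host']
                && $candidate['user'] == $PHP_AUTH_USER) {
                $server = $idx;
                $cfg['Server'] = $candidate;
                break;
            }
        }
    } // end if

    $pma_server_changed = FALSE;
    if ($GLOBALS['cfg']['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }

    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Name and password cookies need to be refreshed each time.
    // NOTE(review): both carry the 'secure' flag only when $is_https and no
    // httponly flag.
    // Duration = one month for username: blowfish(user:time, secret)
    setcookie('pma_cookie_username-' . $server, PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'], $GLOBALS['cfg']['blowfish_secret']), time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
    // Duration = till the browser is closed for password (we don't want this
    // to be saved): blowfish(pass, secret.time); an empty password is stored
    // as a placeholder string
    setcookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);

    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if ($pma_server_changed) {
                // Duration = one month for servername
                setcookie('pma_cookie_servername-' . $server, $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }

        // URL where to go:
        $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';

        // any parameters to pass? db/table only when non-empty
        $url_params = array();
        if (isset($GLOBALS['db']) && strlen($GLOBALS['db'])) {
            $url_params['db'] = $GLOBALS['db'];
        }
        if (isset($GLOBALS['table']) && strlen($GLOBALS['table'])) {
            $url_params['table'] = $GLOBALS['table'];
        }
        // Language change from the login panel needs to be remembered
        if (!empty($GLOBALS['lang'])) {
            $url_params['lang'] = $GLOBALS['lang'];
        }
        // any target to pass? (only a relative target inside this install;
        // index.php itself is the default and is not repeated)
        if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
            $url_params['target'] = $GLOBALS['target'];
        }

        PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
        exit;
    } // end if

    return TRUE;
}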
if (!$_error) { // Defines the url to return to in case of error in the sql statement $_url_params = array(); $err_url = 'user_password.php' . PMA_generate_common_url($_url_params); if (PMA_isValid($_REQUEST['pw_hash'], 'identical', 'old')) { $hashing_function = 'OLD_PASSWORD'; } else { $hashing_function = 'PASSWORD'; } $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'***\')'); $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($password) . '\')'); $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, false, $err_url); // Changes password cookie if required // Duration = till the browser is closed for password (we don't want this to be saved) if ($cfg['Server']['auth_type'] == 'cookie') { $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret'])); } // end if // For http auth. mode, the "back" link will also enforce new // authentication if ($cfg['Server']['auth_type'] == 'http') { $_url_params['old_usr'] = '******'; } $message = PMA_Message::success(__('The profile has been updated.')); if ($GLOBALS['is_ajax_request'] == true) { $extra_data['sql_query'] = PMA_showMessage($message, $sql_query, 'success'); PMA_ajaxResponse($message, true, $extra_data); } // Displays the page require_once './libraries/header.inc.php'; echo '<h1>' . __('Change password') . '</h1>' . "\n\n";
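/**
 * Authenticate a user name / password pair against admin/conf/htpasswd.
 *
 * Both arguments come straight from the client and are untrusted. On a
 * match, the user name and the password are written to two cookies, each
 * encrypted with a freshly generated per-login key, and the two keys are
 * handed to updateAccessTime(); on a mismatch emailFailedLogin() is called.
 * An unreadable htpasswd file makes the method return FALSE without
 * notifying anybody.
 *
 * @param string $authUser user name submitted by the client
 * @param string $authPass clear-text password submitted by the client
 * @return bool TRUE when a matching htpasswd entry was found
 */
private function authenticate($authUser, $authPass) {
    $auth = FALSE;
    if (strlen($authUser) && strlen($authPass)) {
        $filename = SERVER_ROOT . 'admin/conf/htpasswd';
        // file_get_contents() also copes with an empty file, where the old
        // fread($fd, filesize($filename)) call would have asked for 0 bytes.
        $all = @file_get_contents($filename);
        if ($all === FALSE) {
            return FALSE;
        }
        foreach (explode("\n", trim($all)) as $line) {
            $fields = explode(':', rtrim($line, "\r"));
            // Skip blank or malformed lines instead of reading an undefined $pass.
            if (count($fields) < 2 || $fields[1] === '') {
                continue;
            }
            $user = $fields[0];
            $pass = $fields[1];
            if ($user !== $authUser) {
                continue;
            }
            // Handing the stored hash to crypt() as the salt lets it pick the
            // algorithm and salt length itself (traditional DES, $1$, $2y$,
            // $5$, $6$ ...) instead of assuming 2 or 12 characters.
            // NOTE(review): formats PHP's crypt() does not know (e.g. $apr1$)
            // were not supported by the old code either.
            $encrypt = crypt($authPass, $pass);
            // Constant-time comparison where available (PHP >= 5.6); the
            // fallback is a strict comparison, which at least avoids the
            // loose == pitfalls (numeric-string coercion).
            $match = function_exists('hash_equals')
                ? hash_equals($pass, $encrypt)
                : ($pass === $encrypt);
            if ($match) {
                $auth = TRUE;
                break;
            }
        }
    }
    if ($auth) {
        // Per-login keys for the two cookies. random_int() (PHP >= 7) is a
        // CSPRNG; mt_rand() is kept only as a fallback for older runtimes and
        // is NOT suitable for key material -- its output is predictable.
        $rnd = function_exists('random_int') ? 'random_int' : 'mt_rand';
        $temp = gettimeofday();
        $start = (int) $temp['usec'];
        $secretKey0 = $rnd(0, mt_getrandmax()) . $start . $rnd(0, mt_getrandmax());
        $secretKey1 = $rnd(0, mt_getrandmax()) . $rnd(0, mt_getrandmax()) . $start;
        // Mark the cookies HttpOnly (and Secure when served over TLS) so a
        // script injection cannot read the encrypted credentials.
        // NOTE(review): the clear-text password still round-trips through the
        // client inside this cookie; a server-side session token would avoid
        // exposing it at all.
        $secure = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
        setcookie($this->_id_field, PMA_blowfish_encrypt($authUser, $secretKey0), 0, "/", "", $secure, TRUE);
        setcookie($this->_pass_field, PMA_blowfish_encrypt($authPass, $secretKey1), 0, "/", "", $secure, TRUE);
        $this->updateAccessTime(array($secretKey0, $secretKey1));
    } else {
        $this->emailFailedLogin($authUser);
    }
    return $auth;
}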
/**
 * Set the user and password after last checkings if required.
 *
 * Takes the credentials the HTTP auth layer left in $GLOBALS['PHP_AUTH_USER']
 * / $GLOBALS['PHP_AUTH_PW'], copies them into $cfg['Server'], scrubs the
 * password from $GLOBALS and $_SERVER, refreshes the encrypted pmaUser-/pmaPass-
 * cookies and, on a fresh (non-cookie) login, redirects to index.php and exits.
 *
 * @return boolean always true (unless the function redirected and exited)
 *
 * @access public
 */
function PMA_auth_set_user() {
    global $cfg;
    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used: when the submitted user
    // differs from the configured one, switch to another configured server
    // entry with the same connection parameters and that user.
    if ($cfg['Server']['user'] != $GLOBALS['PHP_AUTH_USER']) {
        foreach ($cfg['Servers'] as $idx => $current) {
            if ($current['host'] == $cfg['Server']['host'] && $current['port'] == $cfg['Server']['port'] && $current['socket'] == $cfg['Server']['socket'] && $current['ssl'] == $cfg['Server']['ssl'] && $current['connect_type'] == $cfg['Server']['connect_type'] && $current['user'] == $GLOBALS['PHP_AUTH_USER']) {
                $GLOBALS['server'] = $idx;
                $cfg['Server'] = $current;
                break;
            }
        } // end foreach
    } // end if
    // With AllowArbitraryServer the client picks the MySQL host (and port)
    // through pma_auth_server. NOTE(review): the submitted credentials are
    // then presumably used to connect to whatever host the client named --
    // keep this option disabled unless that is intended.
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && !empty($GLOBALS['pma_auth_server'])) {
        /* Allow to specify 'host port' */
        $parts = explode(' ', $GLOBALS['pma_auth_server']);
        if (count($parts) == 2) {
            $tmp_host = $parts[0];
            $tmp_port = $parts[1];
        } else {
            $tmp_host = $GLOBALS['pma_auth_server'];
            $tmp_port = '';
        }
        if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) {
            $cfg['Server']['host'] = $tmp_host;
            if (!empty($tmp_port)) {
                $cfg['Server']['port'] = $tmp_port;
            }
        }
        unset($tmp_host, $tmp_port, $parts);
    }
    $cfg['Server']['user'] = $GLOBALS['PHP_AUTH_USER'];
    $cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
    // Avoid showing the password in phpinfo()'s output
    unset($GLOBALS['PHP_AUTH_PW']);
    unset($_SERVER['PHP_AUTH_PW']);
    $_SESSION['last_access_time'] = time();
    // Name and password cookies need to be refreshed each time
    // Duration = one month for username
    $GLOBALS['PMA_Config']->setCookie('pmaUser-' . $GLOBALS['server'], PMA_blowfish_encrypt($cfg['Server']['user'], PMA_get_blowfish_secret()));
    // Duration = as configured
    // NOTE(review): the clear-text password itself is stored client-side,
    // encrypted under PMA_get_blowfish_secret(); whoever holds that secret
    // and the cookie can recover it. The "******" literal is the value
    // encrypted in place of an empty password, as shown in this listing.
    $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $GLOBALS['server'], PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", PMA_get_blowfish_secret()), null, $GLOBALS['cfg']['LoginCookieStore']);
    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$GLOBALS['from_cookie']) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if (!empty($GLOBALS['pma_auth_server'])) {
                // Duration = one month for servername
                $GLOBALS['PMA_Config']->setCookie('pmaServer-' . $GLOBALS['server'], $cfg['Server']['host']);
            } else {
                // Delete servername cookie
                $GLOBALS['PMA_Config']->removeCookie('pmaServer-' . $GLOBALS['server']);
            }
        }
        // URL where to go: built from the configured absolute URI, not from
        // request data.
        $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
        // any parameters to pass?
        $url_params = array();
        if (strlen($GLOBALS['db'])) {
            $url_params['db'] = $GLOBALS['db'];
        }
        if (strlen($GLOBALS['table'])) {
            $url_params['table'] = $GLOBALS['table'];
        }
        // any target to pass?
        if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
            $url_params['target'] = $GLOBALS['target'];
        }
        /**
         * whether we come from a fresh cookie login
         */
        define('PMA_COMING_FROM_COOKIE_LOGIN', true);
        /**
         * Clear user cache.
         */
        PMA_clearUserCache();
        // Redirect and stop: nothing below this point runs on a fresh login.
        PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
        exit;
    } // end if
    return true;
}
// Choose the MySQL hashing function for the new password; OLD_PASSWORD() is
// selected only when the request explicitly asks for pw_hash=old.
// NOTE(review): OLD_PASSWORD() is the pre-MySQL-4.1 hash -- confirm it is still needed.
if (PMA_isValid($_REQUEST['pw_hash'], 'identical', 'old')) {
    $hashing_function = 'OLD_PASSWORD';
} else {
    $hashing_function = 'PASSWORD';
}
// $sql_query is the statement shown to the user: the password is masked as '***'.
// NOTE(review): the ****** below looks like a redaction artefact of this listing;
// the expression as shown does not parse.
$sql_query = 'SET password = '******'') ? '\'\'' : $hashing_function . '(\'***\')');
// $local_query is the statement actually executed; the clear-text password is
// escaped with PMA_sqlAddSlashes() (string-built SQL, not a prepared statement).
$local_query = 'SET password = '******'') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddSlashes($password) . '\')');
// Errors are reported with the masked $sql_query so the password never reaches the page.
$result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, false, $err_url);
// Changes password cookie if required
// Duration = till the browser is closed for password (we don't want this to be saved)
// NOTE(review): the new clear-text password is stored client-side, encrypted
// under $cfg['blowfish_secret']; whoever holds that secret and the cookie can recover it.
if ($cfg['Server']['auth_type'] == 'cookie') {
    $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret']));
} // end if
// For http auth. mode, the "back" link will also enforce new
// authentication
if ($cfg['Server']['auth_type'] == 'http') {
    $_url_params['old_usr'] = '******';
}
$message = PMA_Message::success(__('The profile has been updated.'));
// AJAX callers get the (masked) query and message back instead of the full page.
if ($GLOBALS['is_ajax_request'] == true) {
    $extra_data['sql_query'] = PMA_showMessage($message, $sql_query, 'success');
    PMA_ajaxResponse($message, true, $extra_data);
}
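/**
 * Update user profile
 *
 * Handles the POSTed profile form: requires the 'save' flag and a valid
 * security token, filters the submitted name / mail / password against the
 * backend's capabilities, optionally re-checks the current password
 * ($conf['profileconfirm']) and applies the change through
 * $auth->triggerUserMod('modify', ...). When the password changed, the
 * login cookie is re-issued with the new (encrypted) password.
 *
 * @author Christopher Smith <*****@*****.**>
 *
 * @return bool true when the profile was modified, false otherwise
 */
function updateprofile() {
    global $conf;
    global $lang;
    /* @var auth_basic $auth */
    global $auth;
    /* @var Input $INPUT */
    global $INPUT;
    if (!$INPUT->post->bool('save')) {
        return false;
    }
    // CSRF protection: the form must carry a valid security token.
    if (!checkSecurityToken()) {
        return false;
    }
    if (!actionOK('profile')) {
        msg($lang['profna'], -1);
        return false;
    }
    $changes = array();
    $changes['pass'] = $INPUT->post->str('newpass');
    $changes['name'] = $INPUT->post->str('fullname');
    $changes['mail'] = $INPUT->post->str('email');
    // check misspelled passwords -- strict comparison: with != two numeric
    // strings such as '1e3' and '1000' would compare equal.
    if ($changes['pass'] !== $INPUT->post->str('passchk')) {
        msg($lang['regbadpass'], -1);
        return false;
    }
    // clean fullname and email: strip control characters and a few
    // separator / markup characters.
    $changes['name'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['name']));
    $changes['mail'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['mail']));
    // no empty name and email (except the backend doesn't support them)
    if ((empty($changes['name']) && $auth->canDo('modName')) || (empty($changes['mail']) && $auth->canDo('modMail'))) {
        msg($lang['profnoempty'], -1);
        return false;
    }
    if (!mail_isvalid($changes['mail']) && $auth->canDo('modMail')) {
        msg($lang['regbadmail'], -1);
        return false;
    }
    // drop fields the user left empty
    $changes = array_filter($changes);
    // check for unavailable capabilities
    if (!$auth->canDo('modName')) {
        unset($changes['name']);
    }
    if (!$auth->canDo('modMail')) {
        unset($changes['mail']);
    }
    if (!$auth->canDo('modPass')) {
        unset($changes['pass']);
    }
    // anything to do?
    if (!count($changes)) {
        msg($lang['profnochange'], -1);
        return false;
    }
    // NOTE(review): the current password is only re-verified when
    // profileconfirm is enabled; without it a password change is accepted on
    // the strength of the session alone.
    if ($conf['profileconfirm']) {
        if (!$auth->checkPass($_SERVER['REMOTE_USER'], $INPUT->post->str('oldpass'))) {
            msg($lang['badlogin'], -1);
            return false;
        }
    }
    if ($auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) {
        // update cookie and session with the changed data. 'pass' may have
        // been removed by array_filter() or by the capability check above,
        // so test with !empty() instead of indexing it unconditionally.
        if (!empty($changes['pass'])) {
            list(, $sticky, ) = auth_getCookie();
            $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt(!$sticky));
            auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
        }
        return true;
    }
    return false;
}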
/**
 * Round-trips a string standing in for binary data through
 * PMA_blowfish_encrypt() / PMA_blowfish_decrypt() and expects it back unchanged.
 *
 * NOTE(review): as shown here the literal contains no NUL bytes (they may
 * have been dropped from this listing); a "\0" escape would make the test
 * live up to its name.
 */
public function testEncryptDecryptBinary() {
    $key = '$%ÄüfuDFRR';
    $plaintext = "this isbinary because ofzero bytes";
    $ciphertext = PMA_blowfish_encrypt($plaintext, $key);
    $roundTrip = PMA_blowfish_decrypt($ciphertext, $key);
    $this->assertEquals($plaintext, $roundTrip);
}