public function testEncryptDecryptChars()
 {
     // Round-trip a string of ASCII punctuation and Latin-1 letters through
     // the Blowfish helpers: decrypting with the same secret must yield the
     // exact original bytes.
     $key = '$%ÄüfuDFRR';
     $plain = 'abcDEF012!"§$%&/()=?`´"\',.;:-_#+*~öäüÖÄÜ^°²³';
     $cipher = PMA_blowfish_encrypt($plain, $key);
     $roundTrip = PMA_blowfish_decrypt($cipher, $key);
     $this->assertEquals($plain, $roundTrip);
 }
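 /**
  * Returns the HTML to display the CAPTCHA with the chosen method
  *
  * Builds the challenge for the configured mode (math, question, text, js,
  * image, audio or figlet), a hidden field carrying the encrypted challenge
  * seed, the answer input and a honeypot field.
  *
  * @return string  HTML fragment (wrapped in #plugin__captcha_wrapper)
  */
 public function getHTML()
 {
     global $ID;
     // Challenge seed. rand() is not a cryptographic RNG; the seed only
     // reaches the client encrypted under the cookie salt (see $secret),
     // so its secrecy rests on that key rather than on rand() itself.
     $rand = (double) rand(0, 10000) / 10000;
     $code = '';
     $mode = $this->getConf('mode');
     if ($mode == 'math') {
         $code = $this->_generateMATH($this->_fixedIdent(), $rand);
         $code = $code[0];
         $text = $this->getLang('fillmath');
     } elseif ($mode == 'question') {
         // admin-configured question text; emitted as-is like the lang strings
         $text = $this->getConf('question');
     } else {
         $code = $this->_generateCAPTCHA($this->_fixedIdent(), $rand);
         $text = $this->getLang('fillcaptcha');
     }
     // The seed travels to the client only in encrypted form; the verifier
     // has to decrypt it with the same salt to regenerate the expected code.
     $secret = PMA_blowfish_encrypt($rand, auth_cookiesalt());
     // size attribute: coerce the config value so only a number is emitted
     $txtlen = (int) $this->getConf('lettercount');
     // $ID is the current page id (presumably request-derived); URL-encode
     // it before placing it in the img/wav query strings below.
     $urlId = rawurlencode($ID);
     $out = '';
     $out .= '<div id="plugin__captcha_wrapper">';
     $out .= '<input type="hidden" name="' . $this->field_sec . '" value="' . hsc($secret) . '" />';
     $out .= '<label for="plugin__captcha">' . $text . '</label> ';
     switch ($mode) {
         case 'math':
         case 'text':
             $out .= $this->_obfuscateText($code);
             break;
         case 'js':
             $out .= '<span id="plugin__captcha_code">' . $this->_obfuscateText($code) . '</span>';
             break;
         case 'image':
         case 'audio':
             // both modes show the image; audio additionally links the wav
             $out .= '<img src="' . DOKU_BASE . 'lib/plugins/captcha/img.php?secret=' . rawurlencode($secret) . '&amp;id=' . $urlId . '" ' . ' width="' . $this->getConf('width') . '" height="' . $this->getConf('height') . '" alt="" /> ';
             if ($mode == 'audio') {
                 $out .= '<a href="' . DOKU_BASE . 'lib/plugins/captcha/wav.php?secret=' . rawurlencode($secret) . '&amp;id=' . $urlId . '"' . ' class="JSnocheck" title="' . $this->getLang('soundlink') . '">';
                 $out .= '<img src="' . DOKU_BASE . 'lib/plugins/captcha/sound.png" width="16" height="16"' . ' alt="' . $this->getLang('soundlink') . '" /></a>';
             }
             break;
         case 'figlet':
             require_once dirname(__FILE__) . '/figlet.php';
             $figlet = new phpFiglet();
             if ($figlet->loadfont(dirname(__FILE__) . '/figlet.flf')) {
                 $out .= '<pre>';
                 $out .= rtrim($figlet->fetch($code));
                 $out .= '</pre>';
             } else {
                 msg('Failed to load figlet.flf font file. CAPTCHA broken', -1);
             }
             break;
     }
     $out .= ' <input type="text" size="' . $txtlen . '" name="' . $this->field_in . '" class="edit" /> ';
     // add honeypot field
     $out .= '<label class="no">' . $this->getLang('honeypot') . '<input type="text" name="' . $this->field_hp . '" /></label>';
     $out .= '</div>';
     return $out;
 }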
        }
    }
    // end if
    // here $nopass could be == 1
    if (empty($error_msg)) {
        // Defines the url to return to in case of error in the sql statement
        $common_url_query = PMA_generate_common_url();
        $err_url = 'user_password.php?' . $common_url_query;
        $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD';
        $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
        $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
        $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
        // Changes password cookie if required
        // Duration = till the browser is closed for password (we don't want this to be saved)
        if ($cfg['Server']['auth_type'] == 'cookie') {
            PMA_setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret']));
        }
        // end if
        // For http auth. mode, the "back" link will also enforce new
        // authentication
        $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&amp;old_usr=relog' : '';
        // Displays the page
        require_once './libraries/header.inc.php';
        echo '<h1>' . $strChangePassword . '</h1>' . "\n\n";
        $show_query = 'y';
        PMA_showMessage($strUpdateProfileMessage);
        ?>
        <a href="index.php?<?php 
        echo $common_url_query . $http_logout;
        ?>
" target="_parent">
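/**
 * Update user profile
 *
 * Handles the profile form POST: checks the security token, the repeated
 * password, full name and e-mail, optionally re-verifies the current
 * password, hands the changes to the auth backend and refreshes the auth
 * cookie so it carries the new (encrypted) password.
 *
 * @author    Christopher Smith <*****@*****.**>
 * @return    bool  true when the profile was modified, false otherwise
 */
function updateprofile()
{
    global $conf;
    global $INFO;
    global $lang;
    global $auth;
    if (!$auth) {
        return false;
    }
    if (empty($_POST['save'])) {
        return false;
    }
    // CSRF protection: must run before anything is changed
    if (!checkSecurityToken()) {
        return false;
    }
    // should not be able to get here without Profile being possible...
    if (!$auth->canDo('Profile')) {
        msg($lang['profna'], -1);
        return false;
    }
    $newpass = isset($_POST['newpass']) ? $_POST['newpass'] : '';
    $passchk = isset($_POST['passchk']) ? $_POST['passchk'] : '';
    // strict comparison: both values come from the client and PHP's !=
    // treats numeric-looking strings ("1e1" vs "10") as equal
    if ($newpass !== $passchk) {
        msg($lang['regbadpass'], -1);
        // complain about misspelled passwords
        return false;
    }
    //clean fullname and email (kept in $_POST so later code sees the cleaned values)
    $fullname = isset($_POST['fullname']) ? $_POST['fullname'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';
    $_POST['fullname'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $fullname));
    $_POST['email'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $email));
    if ((empty($_POST['fullname']) && $auth->canDo('modName')) || (empty($_POST['email']) && $auth->canDo('modMail'))) {
        msg($lang['profnoempty'], -1);
        return false;
    }
    if (!mail_isvalid($_POST['email']) && $auth->canDo('modMail')) {
        msg($lang['regbadmail'], -1);
        return false;
    }
    // initialise explicitly: the original left this undefined, so count()
    // and $changes['pass'] below raised notices (a TypeError on PHP 8)
    $changes = array();
    if ($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) {
        $changes['name'] = $_POST['fullname'];
    }
    if ($_POST['email'] != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) {
        $changes['mail'] = $_POST['email'];
    }
    // !== '' rather than !empty(): a password of "0" is still a password
    if ($newpass !== '' && $auth->canDo('modPass')) {
        $changes['pass'] = $newpass;
    }
    if (!count($changes)) {
        msg($lang['profnochange'], -1);
        return false;
    }
    if ($conf['profileconfirm']) {
        $oldpass = isset($_POST['oldpass']) ? $_POST['oldpass'] : '';
        if (!$auth->checkPass($_SERVER['REMOTE_USER'], $oldpass)) {
            msg($lang['badlogin'], -1);
            return false;
        }
    }
    if ($auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) {
        // update cookie and session with the changed data
        $cookie = isset($_COOKIE[DOKU_COOKIE]) ? base64_decode($_COOKIE[DOKU_COOKIE]) : '';
        $parts = explode('|', $cookie, 3);
        $sticky = isset($parts[1]) ? $parts[1] : '';
        $pass = isset($parts[2]) ? $parts[2] : '';
        if (isset($changes['pass'])) {
            // the cookie carries the password reversibly encrypted with the
            // cookie salt (not hashed): whoever holds the salt can recover it
            $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt());
        }
        auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
        return true;
    }
    return false;
}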
/**
 * Set the user and password after last checkings if required
 *
 * Picks the configured server whose connection parameters and user match
 * the submitted username, optionally honours an arbitrary host chosen at
 * login, writes user/password into $cfg['Server'], refreshes the
 * username/password cookies and, on a fresh (non-cookie) login, sets the
 * servername cookie and redirects to index.php.
 *
 * @global  array     the valid servers settings
 * @global  integer   the id of the current server
 * @global  array     the current server settings
 * @global  string    the current username
 * @global  string    the current password
 * @global  boolean   whether the login/password pair has been grabbed from
 *                    a cookie or not
 *
 * @return  boolean   always true
 *
 * @access  public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;
    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        // First configured server with identical host/port/socket/ssl/
        // connect_type and the submitted user wins. All comparisons are
        // loose (==); the values are config-side except $PHP_AUTH_USER.
        foreach ($cfg['Servers'] as $idx => $current) {
            if ($current['host'] == $cfg['Server']['host'] && $current['port'] == $cfg['Server']['port'] && $current['socket'] == $cfg['Server']['socket'] && $current['ssl'] == $cfg['Server']['ssl'] && $current['connect_type'] == $cfg['Server']['connect_type'] && $current['user'] == $PHP_AUTH_USER) {
                $server = $idx;
                $cfg['Server'] = $current;
                break;
            }
        }
        // end foreach
    }
    // end if
    $pma_server_changed = false;
    // AllowArbitraryServer is the only gate on letting the client choose the
    // MySQL host it is connected to; $pma_auth_server is presumably taken
    // from the login form (set outside this function).
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($pma_auth_server) && !empty($pma_auth_server) && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = true;
    }
    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;
    // Name and password cookies needs to be refreshed each time
    // Duration = one month for username
    // The username cookie also carries $GLOBALS['current_time'], the same
    // value that is mixed into the password cookie's key below.
    PMA_setCookie('pma_cookie_username-' . $server, PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'], $GLOBALS['cfg']['blowfish_secret']));
    // Duration = as configured
    // NOTE(review): the password is stored reversibly encrypted (not hashed)
    // under blowfish_secret . current_time, so the cookie is a credential:
    // anyone holding blowfish_secret and both cookies can recover it. An
    // empty password is stored as the literal placeholder "******"; how the
    // reading side maps that back is not visible here.
    PMA_setCookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), null, $GLOBALS['cfg']['LoginCookieStore']);
    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if (isset($pma_auth_server) && !empty($pma_auth_server) && $pma_server_changed) {
                // Duration = one month for serverrname
                PMA_setCookie('pma_cookie_servername-' . $server, $cfg['Server']['host']);
            } else {
                // Delete servername cookie
                PMA_removeCookie('pma_cookie_servername-' . $server);
            }
        }
        // URL where to go:
        $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
        // any parameters to pass?
        // db/table/lang/target are forwarded from globals; their encoding is
        // left to PMA_generate_common_url().
        $url_params = array();
        if (isset($GLOBALS['db']) && strlen($GLOBALS['db'])) {
            $url_params['db'] = $GLOBALS['db'];
        }
        if (isset($GLOBALS['table']) && strlen($GLOBALS['table'])) {
            $url_params['table'] = $GLOBALS['table'];
        }
        // Language change from the login panel needs to be remembered
        if (!empty($GLOBALS['lang'])) {
            $url_params['lang'] = $GLOBALS['lang'];
        }
        // any target to pass?
        if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
            $url_params['target'] = $GLOBALS['target'];
        }
        // marks this request as the post-login hop for code that runs later
        define('PMA_COMING_FROM_COOKIE_LOGIN', 1);
        PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
        exit;
    }
    // end if
    return true;
}
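/**
 * Set the user and password after last checkings if required
 *
 * Picks the configured server whose host and user match the submitted
 * username, optionally honours an arbitrary host chosen at login, writes
 * user/password into $cfg['Server'] and, on a fresh (non-cookie) login,
 * issues the servername/username/password cookies and redirects to
 * index.php so the client is forced to present them.
 *
 * @global  array     the valid servers settings
 * @global  integer   the id of the current server
 * @global  array     the current server settings
 * @global  string    the current username
 * @global  string    the current password
 * @global  boolean   whether the login/password pair has been grabbed from
 *                    a cookie or not
 *
 * @return  boolean   always true
 *
 * @access  public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;
    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        // Walk the configured servers directly instead of assuming the keys
        // are the contiguous range 1..count(): with a sparse $cfg['Servers']
        // (say entries 1 and 3) the old for-loop never reached entry 3.
        if (!empty($cfg['Servers']) && is_array($cfg['Servers'])) {
            foreach ($cfg['Servers'] as $idx => $current) {
                if (is_array($current) && $current['host'] == $cfg['Server']['host'] && $current['user'] == $PHP_AUTH_USER) {
                    $server = $idx;
                    $cfg['Server'] = $current;
                    break;
                }
            }
        }
        // end foreach
    }
    // end if
    $pma_server_changed = FALSE;
    // AllowArbitraryServer is the only gate on letting the client choose the
    // MySQL host; $pma_auth_server is presumably taken from the login form.
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($pma_auth_server) && !empty($pma_auth_server) && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }
    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;
    // Set cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if (isset($pma_auth_server) && !empty($pma_auth_server) && $pma_server_changed) {
                // Duration = one month for serverrname
                setcookie('pma_cookie_servername', $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername', '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }
        // Duration = one month for username (stored in clear)
        setcookie('pma_cookie_username', $cfg['Server']['user'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
        // Duration = till the browser is closed for password
        // Some binary contents are now retrieved properly when stored
        // as a cookie, so we base64_encode()
        // NOTE(review): the password is stored reversibly encrypted (not
        // hashed) under blowfish_secret alone, so this cookie is a credential
        // for anyone who also knows the secret. An empty password is stored
        // as the literal placeholder "******". No HttpOnly flag is set; the
        // 7th setcookie() argument needs PHP >= 5.2, which this code may not
        // be able to assume.
        setcookie('pma_cookie_password', base64_encode(PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'])), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
        // loic1: workaround against a IIS 5.0 bug
        if (empty($GLOBALS['SERVER_SOFTWARE'])) {
            if (isset($_SERVER) && !empty($_SERVER['SERVER_SOFTWARE'])) {
                $GLOBALS['SERVER_SOFTWARE'] = $_SERVER['SERVER_SOFTWARE'];
            }
        }
        // end if
        if (!empty($GLOBALS['SERVER_SOFTWARE']) && $GLOBALS['SERVER_SOFTWARE'] == 'Microsoft-IIS/5.0') {
            header('Refresh: 0; url=' . $cfg['PmaAbsoluteUri'] . 'index.php?' . PMA_generate_common_url('', '', '&'));
        } else {
            header('Location: ' . $cfg['PmaAbsoluteUri'] . 'index.php?' . PMA_generate_common_url('', '', '&'));
        }
        exit;
    }
    // end if
    return TRUE;
}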
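/**
 * Set the user and password after last checkings if required
 *
 * Picks the configured server whose host and user match the submitted
 * username, optionally honours an arbitrary host chosen at login, writes
 * user/password into $cfg['Server'], refreshes the per-server username
 * and password cookies and, on a fresh (non-cookie) login, sets the
 * servername cookie and redirects to index.php.
 *
 * @global  array     the valid servers settings
 * @global  integer   the id of the current server
 * @global  array     the current server settings
 * @global  string    the current username
 * @global  string    the current password
 * @global  boolean   whether the login/password pair has been grabbed from
 *                    a cookie or not
 *
 * @return  boolean   always true
 *
 * @access  public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;
    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        // Walk the configured servers directly instead of assuming the keys
        // are the contiguous range 1..count(): with a sparse $cfg['Servers']
        // (say entries 1 and 3) the old for-loop never reached entry 3.
        if (!empty($cfg['Servers']) && is_array($cfg['Servers'])) {
            foreach ($cfg['Servers'] as $idx => $current) {
                if (is_array($current) && $current['host'] == $cfg['Server']['host'] && $current['user'] == $PHP_AUTH_USER) {
                    $server = $idx;
                    $cfg['Server'] = $current;
                    break;
                }
            }
        }
        // end foreach
    }
    // end if
    $pma_server_changed = FALSE;
    // AllowArbitraryServer is the only gate on letting the client choose the
    // MySQL host; $pma_auth_server is presumably taken from the login form.
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($pma_auth_server) && !empty($pma_auth_server) && $cfg['Server']['host'] != $pma_auth_server) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }
    $cfg['Server']['user'] = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;
    // Name and password cookies needs to be refreshed each time
    // Duration = one month for username
    // The username cookie also carries $GLOBALS['current_time'], the same
    // value that is mixed into the password cookie's key below.
    setcookie('pma_cookie_username-' . $server, PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'], $GLOBALS['cfg']['blowfish_secret']), time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
    // Duration = till the browser is closed for password (we don't want this to be saved)
    // NOTE(review): the password is stored reversibly encrypted (not hashed)
    // under blowfish_secret . current_time; anyone holding blowfish_secret
    // and both cookies can recover it. An empty password is stored as the
    // literal placeholder "******". No HttpOnly flag is set; the 7th
    // setcookie() argument needs PHP >= 5.2, which this code may not assume.
    setcookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if (isset($pma_auth_server) && !empty($pma_auth_server) && $pma_server_changed) {
                // Duration = one month for serverrname
                setcookie('pma_cookie_servername-' . $server, $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }
        // loic1: workaround against a IIS 5.0 bug
        // lem9: here, PMA_sendHeaderLocation() has not yet been defined,
        //       so use the workaround
        if (empty($GLOBALS['SERVER_SOFTWARE'])) {
            if (isset($_SERVER) && !empty($_SERVER['SERVER_SOFTWARE'])) {
                $GLOBALS['SERVER_SOFTWARE'] = $_SERVER['SERVER_SOFTWARE'];
            }
        }
        // end if
        if (!empty($GLOBALS['SERVER_SOFTWARE']) && $GLOBALS['SERVER_SOFTWARE'] == 'Microsoft-IIS/5.0') {
            header('Refresh: 0; url=' . $cfg['PmaAbsoluteUri'] . 'index.php?' . PMA_generate_common_url(isset($GLOBALS['db']) ? $GLOBALS['db'] : '', isset($GLOBALS['table']) ? $GLOBALS['table'] : '', '&'));
        } else {
            // NOTE(review): SID appends the session id to the redirect URL,
            // where it can leak via Referer headers and access logs; kept
            // because cookie-less sessions may depend on it.
            header('Location: ' . $cfg['PmaAbsoluteUri'] . 'index.php?' . PMA_generate_common_url(isset($GLOBALS['db']) ? $GLOBALS['db'] : '', isset($GLOBALS['table']) ? $GLOBALS['table'] : '', '&') . '&' . SID);
        }
        exit;
    }
    // end if
    return TRUE;
}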
 /**
  * Encrypt the given string with the cookie salt
  *
  * Prefers DokuWiki's auth_encrypt() when the running version provides it
  * and falls back to the deprecated PMA_blowfish_encrypt() otherwise. The
  * ciphertext is base64-encoded either way so it survives cookie/form
  * transport.
  *
  * @param string $data
  * @return string
  */
 public function encrypt($data)
 {
     $salt = auth_cookiesalt();
     if (function_exists('auth_encrypt')) {
         // since binky
         $cipher = auth_encrypt($data, $salt);
     } else {
         // deprecated
         $cipher = PMA_blowfish_encrypt($data, $salt);
     }
     return base64_encode($cipher);
 }
        }
    }
    // end if
    // here $nopass could be == 1
    if (empty($error_msg)) {
        // Defines the url to return to in case of error in the sql statement
        $common_url_query = PMA_generate_common_url();
        $err_url = 'user_password.php?' . $common_url_query;
        $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD';
        $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
        $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
        $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
        // Changes password cookie if required
        // Duration = till the browser is closed for password (we don't want this to be saved)
        if ($cfg['Server']['auth_type'] == 'cookie') {
            PMA_setCookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']));
        }
        // end if
        // For http auth. mode, the "back" link will also enforce new
        // authentication
        $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&amp;old_usr=relog' : '';
        // Displays the page
        require_once './libs/header.inc.php';
        echo '<h1>' . $strChangePassword . '</h1>' . "\n\n";
        $show_query = 'y';
        PMA_showMessage($strUpdateProfileMessage);
        ?>
        <a href="index.php?<?php 
        echo $common_url_query . $http_logout;
        ?>
" target="_parent">
        }
    }
    // end if
    // here $nopass could be == 1
    if (empty($error_msg)) {
        // Defines the url to return to in case of error in the sql statement
        $common_url_query = PMA_generate_common_url();
        $err_url = 'user_password.php?' . $common_url_query;
        $hashing_function = (PMA_MYSQL_INT_VERSION >= 40102 && !empty($pw_hash) && $pw_hash == 'old' ? 'OLD_' : '') . 'PASSWORD';
        $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
        $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
        $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, FALSE, $err_url);
        // Changes password cookie if required
        // Duration = till the browser is closed for password (we don't want this to be saved)
        if ($cfg['Server']['auth_type'] == 'cookie') {
            setcookie('pma_cookie_password-' . $server, PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']), 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
        }
        // end if
        // For http auth. mode, the "back" link will also enforce new
        // authentication
        $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&amp;old_usr=relog' : '';
        // Displays the page
        require_once './header.inc.php';
        echo '<h1>' . $strChangePassword . '</h1>' . "\n\n";
        $show_query = 'y';
        PMA_showMessage($strUpdateProfileMessage);
        ?>
        <a href="index.php?<?php 
        echo $common_url_query . $http_logout;
        ?>
" target="_parent">
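/**
 * Change password authentication type
 *
 * After a password change: for cookie auth, re-issues the per-server
 * password cookie with the new password; for http auth, adds the
 * 'old_usr' parameter so the "back" link forces a fresh authentication.
 *
 * @param array   $_url_params
 * @param string  $password
 *
 * @return array   $_url_params
 */
function PMA_changePassAuthType($_url_params, $password)
{
    /**
     * Changes password cookie if required
     * Duration = till the browser is closed for password (we don't want this to be saved)
     */
    if ($GLOBALS['cfg']['Server']['auth_type'] == 'cookie') {
        // $server is not a local or a global of this function; reading it
        // bare yielded an empty string and the cookie was named 'pmaPass-'.
        $server = isset($GLOBALS['server']) ? $GLOBALS['server'] : '';
        // NOTE(review): the password is stored reversibly encrypted (not
        // hashed) under blowfish_secret, so this cookie is a credential.
        $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret']));
    }
    /**
     * For http auth. mode, the "back" link will also enforce new
     * authentication
     */
    if ($GLOBALS['cfg']['Server']['auth_type'] == 'http') {
        // value kept as shown in this listing; the sibling pages send
        // old_usr=relog, so it may have been masked here — verify upstream
        $_url_params['old_usr'] = '******';
    }
    return $_url_params;
}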
        if (empty($pma_pw) || empty($pma_pw2)) {
            $error_msg = $strPasswordEmpty;
        }
    }
    // end if
    // here $nopass could be == 1
    if (empty($error_msg)) {
        // Defines the url to return to in case of error in the sql statement
        $common_url_query = PMA_generate_common_url();
        $err_url = 'user_password.php?' . $common_url_query;
        $sql_query = 'SET password = '******'' ? '\'\'' : 'PASSWORD(\'' . preg_replace('@.@s', '*', $pma_pw) . '\')');
        $local_query = 'SET password = '******'' ? '\'\'' : 'PASSWORD(\'' . PMA_sqlAddslashes($pma_pw) . '\')');
        $result = @PMA_mysql_query($local_query) or PMA_mysqlDie('', '', FALSE, $err_url);
        // Changes password cookie if required
        if ($cfg['Server']['auth_type'] == 'cookie') {
            setcookie('pma_cookie_password', base64_encode(PMA_blowfish_encrypt($pma_pw, $GLOBALS['cfg']['blowfish_secret'])), 0, $cookie_path, '', $is_https);
        }
        // end if
        // For http auth. mode, the "back" link will also enforce new
        // authentication
        $http_logout = $cfg['Server']['auth_type'] == 'http' ? '&amp;old_usr=relog' : '';
        // Displays the page
        require_once './header.inc.php';
        echo '<h1>' . $strChangePassword . '</h1>' . "\n\n";
        $show_query = 'y';
        PMA_showMessage($strUpdateProfileMessage);
        ?>
        <a href="index.php?<?php 
        echo $common_url_query . $http_logout;
        ?>
" target="_parent">
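/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * Note that the cookie holds the password reversibly encrypted with
 * the cookie salt, not hashed: anyone holding the salt can recover it.
 *
 * @author  Andreas Gohr <*****@*****.**>
 *
 * @param   string  $user    Username
 * @param   string  $pass    Cleartext Password
 * @param   bool    $sticky  Cookie should not expire
 * @param   bool    $silent  Don't show error on bad auth
 * @return  bool             true on successful auth
*/
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    global $auth;
    // normalise: the cookie path hands in "1" / "" rather than a bool
    $sticky = (bool) $sticky;
    //sanity check
    if (!empty($user)) {
        //usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $auth->getUserData($user);
            // set cookie (user|sticky|encrypted pass; a '|' in the username
            // would break the split below)
            $pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
            $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
            // 0 = session cookie; the original left $time undefined here
            $time = 0;
            if ($sticky) {
                $time = time() + 60 * 60 * 24 * 365;
            }
            //one year
            // NOTE(review): no HttpOnly/secure flags are set on the auth cookie
            setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);
            // set session
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
            $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
            $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
            $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
            return true;
        } else {
            //invalid credentials - log off
            if (!$silent) {
                msg($lang['badlogin'], -1);
            }
            auth_logoff();
            return false;
        }
    } else {
        // read cookie information (guarded: no cookie at all is common)
        $cookie = isset($_COOKIE[DOKU_COOKIE]) ? base64_decode($_COOKIE[DOKU_COOKIE]) : '';
        // explode() replaces split(), which was removed in PHP 7; the
        // pattern '\|' was a literal pipe, so the split is identical
        $parts = explode('|', $cookie, 3);
        $user = isset($parts[0]) ? $parts[0] : '';
        $sticky = isset($parts[1]) ? $parts[1] : '';
        $pass = isset($parts[2]) ? $parts[2] : '';
        // get session info
        $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;
        if ($user && $pass) {
            // we got a cookie - see if we can trust it
            // strict comparisons on purpose: $user/$pass are client-supplied
            // and PHP's == treats numeric-looking strings as numbers
            if ($session !== null && $auth->useSessionCache($user) && $session['time'] >= time() - $conf['auth_security_timeout'] && $session['user'] === $user && $session['pass'] === $pass && $session['buid'] === auth_browseruid()) {
                // he has session, cookie and browser right - let him in
                $_SERVER['REMOTE_USER'] = $user;
                $USERINFO = $session['info'];
                //FIXME move all references to session
                return true;
            }
            // no we don't trust it yet - recheck pass but silent
            $pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
            return auth_login($user, $pass, $sticky, true);
        }
    }
    //just to be sure
    auth_logoff();
    return false;
}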
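/**
 * Set the user and password after last checkings if required
 *
 * Switches $cfg['Server'] to the configured server entry that matches the
 * current host and the authenticated user, honours an arbitrary server typed
 * at login (when allowed), refreshes the encrypted username and password
 * cookies and, on a fresh (non-cookie) login, sets or deletes the servername
 * cookie and redirects to index.php so the browser presents the new cookies
 * on the next request.
 *
 * @global  array     the valid servers settings
 * @global  integer   the id of the current server
 * @global  array     the current server settings
 * @global  string    the current username
 * @global  string    the current password
 * @global  boolean   whether the login/password pair has been grabbed from
 *                    a cookie or not
 *
 * @return  boolean   always true (does not return at all when it redirects)
 *
 * @access  public
 */
function PMA_auth_set_user()
{
    global $cfg, $server;
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $pma_auth_server;
    global $from_cookie;

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used
    if ($cfg['Server']['user'] != $PHP_AUTH_USER) {
        $servers_cnt = count($cfg['Servers']);
        for ($i = 1; $i <= $servers_cnt; $i++) {
            if (!isset($cfg['Servers'][$i])) {
                continue;
            }
            if ($cfg['Servers'][$i]['host'] == $cfg['Server']['host']
                && $cfg['Servers'][$i]['user'] == $PHP_AUTH_USER
            ) {
                $server = $i;
                $cfg['Server'] = $cfg['Servers'][$i];
                break;
            }
        } // end for
    } // end if

    // Honour the server the user typed into the login form, if allowed
    $pma_server_changed = FALSE;
    if ($GLOBALS['cfg']['AllowArbitraryServer']
        && !empty($pma_auth_server)
        && $cfg['Server']['host'] != $pma_auth_server
    ) {
        $cfg['Server']['host'] = $pma_auth_server;
        $pma_server_changed = TRUE;
    }

    $cfg['Server']['user']     = $PHP_AUTH_USER;
    $cfg['Server']['password'] = $PHP_AUTH_PW;

    // Name and password cookies need to be refreshed each time.
    // Both carry (Blowfish-encrypted) credentials and are only read back by
    // the server, so they are flagged HttpOnly: page script never needs them,
    // and keeping them out of document.cookie limits what an XSS could steal.
    $credential_cookie_httponly = TRUE;
    // Duration = one month for username
    setcookie(
        'pma_cookie_username-' . $server,
        PMA_blowfish_encrypt($cfg['Server']['user'] . ':' . $GLOBALS['current_time'], $GLOBALS['cfg']['blowfish_secret']),
        time() + 60 * 60 * 24 * 30,
        $GLOBALS['cookie_path'],
        '',
        $GLOBALS['is_https'],
        $credential_cookie_httponly
    );
    // Duration = till the browser is closed for password (we don't want this to be saved)
    setcookie(
        'pma_cookie_password-' . $server,
        PMA_blowfish_encrypt(!empty($cfg['Server']['password']) ? $cfg['Server']['password'] : "******", $GLOBALS['cfg']['blowfish_secret'] . $GLOBALS['current_time']),
        0,
        $GLOBALS['cookie_path'],
        '',
        $GLOBALS['is_https'],
        $credential_cookie_httponly
    );

    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if (!$from_cookie) {
        if ($GLOBALS['cfg']['AllowArbitraryServer']) {
            if (!empty($pma_auth_server) && $pma_server_changed) {
                // Duration = one month for servername
                setcookie('pma_cookie_servername-' . $server, $cfg['Server']['host'], time() + 60 * 60 * 24 * 30, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            } else {
                // Delete servername cookie
                setcookie('pma_cookie_servername-' . $server, '', 0, $GLOBALS['cookie_path'], '', $GLOBALS['is_https']);
            }
        }
        // URL where to go:
        $redirect_url = $cfg['PmaAbsoluteUri'] . 'index.php';
        // any parameters to pass? (only non-empty db/table/lang/target)
        $url_params = array();
        if (isset($GLOBALS['db']) && strlen($GLOBALS['db'])) {
            $url_params['db'] = $GLOBALS['db'];
        }
        if (isset($GLOBALS['table']) && strlen($GLOBALS['table'])) {
            $url_params['table'] = $GLOBALS['table'];
        }
        // Language change from the login panel needs to be remembered
        if (!empty($GLOBALS['lang'])) {
            $url_params['lang'] = $GLOBALS['lang'];
        }
        // any target to pass? (index.php is the default, no need to repeat it)
        if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
            $url_params['target'] = $GLOBALS['target'];
        }
        PMA_sendHeaderLocation($redirect_url . PMA_generate_common_url($url_params, '&'));
        exit;
    } // end if
    return TRUE;
}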
 if (!$_error) {
     // Defines the url to return to in case of error in the sql statement
     $_url_params = array();
     $err_url = 'user_password.php' . PMA_generate_common_url($_url_params);
     if (PMA_isValid($_REQUEST['pw_hash'], 'identical', 'old')) {
         $hashing_function = 'OLD_PASSWORD';
     } else {
         $hashing_function = 'PASSWORD';
     }
     $sql_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'***\')');
     $local_query = 'SET password = '******'' ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddslashes($password) . '\')');
     $result = @PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, false, $err_url);
     // Changes password cookie if required
     // Duration = till the browser is closed for password (we don't want this to be saved)
     if ($cfg['Server']['auth_type'] == 'cookie') {
         $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $server, PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret']));
     }
     // end if
     // For http auth. mode, the "back" link will also enforce new
     // authentication
     if ($cfg['Server']['auth_type'] == 'http') {
         $_url_params['old_usr'] = '******';
     }
     $message = PMA_Message::success(__('The profile has been updated.'));
     if ($GLOBALS['is_ajax_request'] == true) {
         $extra_data['sql_query'] = PMA_showMessage($message, $sql_query, 'success');
         PMA_ajaxResponse($message, true, $extra_data);
     }
     // Displays the page
     require_once './libraries/header.inc.php';
     echo '<h1>' . __('Change password') . '</h1>' . "\n\n";
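 /**
  * Check a username/password pair against the admin htpasswd file and, on
  * success, issue the login cookies.
  *
  * The file is read as "user:crypt-hash" lines; the candidate password is
  * hashed with crypt() using the stored hash as salt and the two hashes are
  * compared in constant time. A failed attempt is reported through
  * emailFailedLogin(); an unreadable htpasswd file is a configuration error
  * and is reported as plain failure without that notification.
  *
  * @param string $authUser username submitted by the client
  * @param string $authPass cleartext password submitted by the client
  * @return bool TRUE when the pair matches an htpasswd entry, FALSE otherwise
  */
 private function authenticate($authUser, $authPass)
 {
     $auth = FALSE;
     if (strlen($authUser) && strlen($authPass)) {
         $filename = SERVER_ROOT . 'admin/conf/htpasswd';
         if (!is_readable($filename)) {
             return FALSE;
         }
         // file_get_contents() also copes with an empty file, where the old
         // fread($fd, filesize($filename)) raised a warning on length 0
         $all = file_get_contents($filename);
         if ($all === FALSE) {
             return FALSE;
         }
         foreach (explode("\n", trim($all)) as $line) {
             // Tolerate CRLF files and blank/malformed lines instead of raising
             // notices on list() and on $pass[0]
             $fields = explode(':', rtrim($line, "\r"));
             if (count($fields) < 2) {
                 continue;
             }
             list($user, $pass) = $fields;
             // strict comparison: with == two numeric-looking usernames
             // ("1" and "01") would be treated as the same account
             if ($user !== $authUser || $pass === '') {
                 continue;
             }
             // crypt() takes the salt from the stored hash itself, whatever
             // the scheme (2 chars for traditional DES, "$1$...$" for MD5,
             // and the newer "$5$"/"$6$"/"$2y$" forms), so no manual salt
             // extraction is needed and more hash types are accepted.
             $encrypted = crypt($authPass, $pass);
             // constant-time comparison: no timing side channel on how many
             // leading bytes of the hash matched
             if (hash_equals($pass, $encrypted)) {
                 $auth = TRUE;
                 break;
             }
         }
     }
     if ($auth) {
         // Fresh per-login secrets for the cookie payloads; they are handed to
         // updateAccessTime() so the server can decrypt the cookies later.
         if (function_exists('random_bytes')) {
             // CSPRNG-backed; 24 hex chars, never longer than the old keys
             // (at most 26 chars) — TODO confirm updateAccessTime()'s storage
             // width if it is ever changed
             $secretKey0 = bin2hex(random_bytes(12));
             $secretKey1 = bin2hex(random_bytes(12));
         } else {
             // PHP < 7 fallback: the original mt_rand()/microsecond mix
             // (mt_rand() is not a cryptographic source)
             $temp = gettimeofday();
             $start = (int) $temp['usec'];
             $secretKey0 = mt_rand() . $start . mt_rand();
             $secretKey1 = mt_rand() . mt_rand() . $start;
         }
         // httponly=TRUE: the cookies carry encrypted credentials and are only
         // ever read server-side; the secure flag is left at its default so
         // plain-HTTP deployments keep working.
         setcookie($this->_id_field, PMA_blowfish_encrypt($authUser, $secretKey0), 0, "/", "", FALSE, TRUE);
         setcookie($this->_pass_field, PMA_blowfish_encrypt($authPass, $secretKey1), 0, "/", "", FALSE, TRUE);
         $this->updateAccessTime(array($secretKey0, $secretKey1));
     } else {
         $this->emailFailedLogin($authUser);
     }
     return $auth;
 }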
/**
 * Finalise the login: select the configured server entry matching the
 * authenticated user, apply an arbitrary-server override, store the
 * credentials, refresh the login cookies and, on a fresh (non-cookie)
 * login, redirect to index.php so the browser sends the cookies back.
 *
 * @return boolean   always true (never returns when it redirects)
 *
 * @access  public
 */
function PMA_auth_set_user()
{
    global $cfg;

    $auth_user = $GLOBALS['PHP_AUTH_USER'];

    // Ensures valid authentication mode, 'only_db', bookmark database and
    // table names and relation table name are used: switch to the configured
    // server entry with the same connection parameters and the same user
    if ($cfg['Server']['user'] != $auth_user) {
        foreach ($cfg['Servers'] as $server_id => $server_cfg) {
            $same_connection = $server_cfg['host'] == $cfg['Server']['host']
                && $server_cfg['port'] == $cfg['Server']['port']
                && $server_cfg['socket'] == $cfg['Server']['socket']
                && $server_cfg['ssl'] == $cfg['Server']['ssl']
                && $server_cfg['connect_type'] == $cfg['Server']['connect_type'];
            if ($same_connection && $server_cfg['user'] == $auth_user) {
                $GLOBALS['server'] = $server_id;
                $cfg['Server'] = $server_cfg;
                break;
            }
        } // end foreach
    } // end if

    if ($cfg['AllowArbitraryServer'] && !empty($GLOBALS['pma_auth_server'])) {
        $requested = $GLOBALS['pma_auth_server'];
        /* Allow to specify 'host port' */
        $host_port = explode(' ', $requested);
        $new_host = $requested;
        $new_port = '';
        if (count($host_port) == 2) {
            list($new_host, $new_port) = $host_port;
        }
        if ($cfg['Server']['host'] != $requested) {
            $cfg['Server']['host'] = $new_host;
            if (!empty($new_port)) {
                $cfg['Server']['port'] = $new_port;
            }
        }
        unset($requested, $host_port, $new_host, $new_port);
    }

    $cfg['Server']['user'] = $auth_user;
    $cfg['Server']['password'] = $GLOBALS['PHP_AUTH_PW'];
    // Avoid showing the password in phpinfo()'s output
    unset($GLOBALS['PHP_AUTH_PW'], $_SERVER['PHP_AUTH_PW']);
    $_SESSION['last_access_time'] = time();

    $config = $GLOBALS['PMA_Config'];
    $cookie_suffix = '-' . $GLOBALS['server'];

    // Name and password cookies need to be refreshed each time
    // Duration = one month for username
    $config->setCookie(
        'pmaUser' . $cookie_suffix,
        PMA_blowfish_encrypt($cfg['Server']['user'], PMA_get_blowfish_secret())
    );
    // Duration = as configured; an empty password is stored as a placeholder
    $stored_pass = empty($cfg['Server']['password']) ? "******" : $cfg['Server']['password'];
    $config->setCookie(
        'pmaPass' . $cookie_suffix,
        PMA_blowfish_encrypt($stored_pass, PMA_get_blowfish_secret()),
        null,
        $cfg['LoginCookieStore']
    );

    // Set server cookies if required (once per session) and, in this case, force
    // reload to ensure the client accepts cookies
    if ($GLOBALS['from_cookie']) {
        return true;
    }
    if ($cfg['AllowArbitraryServer']) {
        if (empty($GLOBALS['pma_auth_server'])) {
            // Delete servername cookie
            $config->removeCookie('pmaServer' . $cookie_suffix);
        } else {
            // Duration = one month for servername
            $config->setCookie('pmaServer' . $cookie_suffix, $cfg['Server']['host']);
        }
    }
    // URL where to go, plus the parameters worth carrying over
    $params = array();
    foreach (array('db', 'table') as $key) {
        if (strlen($GLOBALS[$key])) {
            $params[$key] = $GLOBALS[$key];
        }
    }
    // any target to pass? (index.php is the default anyway)
    if (!empty($GLOBALS['target']) && $GLOBALS['target'] != 'index.php') {
        $params['target'] = $GLOBALS['target'];
    }
    /**
     * whether we come from a fresh cookie login
     */
    define('PMA_COMING_FROM_COOKIE_LOGIN', true);
    /**
     * Clear user cache.
     */
    PMA_clearUserCache();
    PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . 'index.php' . PMA_generate_common_url($params, '&'));
    exit;
}
        if (PMA_isValid($_REQUEST['pw_hash'], 'identical', 'old')) {
            $hashing_function = 'OLD_PASSWORD';
        } else {
            $hashing_function = 'PASSWORD';
        }

        $sql_query        = 'SET password = '******'') ? '\'\'' : $hashing_function . '(\'***\')');
        $local_query      = 'SET password = '******'') ? '\'\'' : $hashing_function . '(\'' . PMA_sqlAddSlashes($password) . '\')');
        $result           = @PMA_DBI_try_query($local_query)
            or PMA_mysqlDie(PMA_DBI_getError(), $sql_query, false, $err_url);

        // Changes password cookie if required
        // Duration = till the browser is closed for password (we don't want this to be saved)
        if ($cfg['Server']['auth_type'] == 'cookie') {
            $GLOBALS['PMA_Config']->setCookie('pmaPass-' . $server,
                PMA_blowfish_encrypt($password, $GLOBALS['cfg']['blowfish_secret']));
        } // end if

        // For http auth. mode, the "back" link will also enforce new
        // authentication
        if ($cfg['Server']['auth_type'] == 'http') {
            $_url_params['old_usr'] = '******';
        }

        $message = PMA_Message::success(__('The profile has been updated.'));

        if ($GLOBALS['is_ajax_request'] == true) {
            $extra_data['sql_query'] = PMA_showMessage($message, $sql_query, 'success');
            PMA_ajaxResponse($message, true, $extra_data);
        }
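/**
 * Update user profile
 *
 * Handles the profile form: checks the security token and the 'profile'
 * action, cleans name/mail, drops fields the auth backend cannot modify,
 * optionally re-checks the current password and finally hands the changes
 * to the backend. On a password change the login cookie is renewed.
 *
 * @author    Christopher Smith <*****@*****.**>
 * @return bool true when the profile was modified, false otherwise
 *              (an error message is queued via msg() where appropriate)
 */
function updateprofile()
{
    global $conf;
    global $lang;
    /* @var auth_basic $auth */
    global $auth;
    /* @var Input $INPUT */
    global $INPUT;

    if (!$INPUT->post->bool('save')) {
        return false;
    }
    if (!checkSecurityToken()) {
        return false;
    }
    if (!actionOK('profile')) {
        msg($lang['profna'], -1);
        return false;
    }

    $changes = array();
    $changes['pass'] = $INPUT->post->str('newpass');
    $changes['name'] = $INPUT->post->str('fullname');
    $changes['mail'] = $INPUT->post->str('email');

    // check misspelled passwords — strict comparison: with != two
    // numeric-looking strings (e.g. "1e3" and "1000") would compare equal
    if ($changes['pass'] !== $INPUT->post->str('passchk')) {
        msg($lang['regbadpass'], -1);
        return false;
    }

    // clean fullname and email
    $changes['name'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['name']));
    $changes['mail'] = trim(preg_replace('/[\\x00-\\x1f:<>&%,;]+/', '', $changes['mail']));

    // no empty name and email (except the backend doesn't support them)
    if ((empty($changes['name']) && $auth->canDo('modName'))
        || (empty($changes['mail']) && $auth->canDo('modMail'))
    ) {
        msg($lang['profnoempty'], -1);
        return false;
    }
    if (!mail_isvalid($changes['mail']) && $auth->canDo('modMail')) {
        msg($lang['regbadmail'], -1);
        return false;
    }

    // drop empty fields (an empty newpass means "keep the password")
    $changes = array_filter($changes);

    // check for unavailable capabilities
    if (!$auth->canDo('modName')) {
        unset($changes['name']);
    }
    if (!$auth->canDo('modMail')) {
        unset($changes['mail']);
    }
    if (!$auth->canDo('modPass')) {
        unset($changes['pass']);
    }

    // anything to do?
    if (!count($changes)) {
        msg($lang['profnochange'], -1);
        return false;
    }

    if ($conf['profileconfirm']) {
        if (!$auth->checkPass($_SERVER['REMOTE_USER'], $INPUT->post->str('oldpass'))) {
            msg($lang['badlogin'], -1);
            return false;
        }
    }

    if ($auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) {
        // update cookie and session with the changed data; 'pass' may have
        // been filtered out or unset above, so test it with !empty() rather
        // than indexing it directly
        if (!empty($changes['pass'])) {
            list(, $sticky, ) = auth_getCookie();
            $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt(!$sticky));
            auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
        }
        return true;
    }
    return false;
}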
 /**
  * Round-trip check: encrypting a string and decrypting it again with the
  * same secret must give back the original bytes.
  *
  * NOTE(review): despite its wording, the fixture string in this listing
  * contains no NUL bytes — verify whether they were lost in transit.
  */
 public function testEncryptDecryptBinary()
 {
     $key = '$%ÄüfuDFRR';
     $plain = "this isbinary because ofzero bytes";
     $cipher = PMA_blowfish_encrypt($plain, $key);
     $roundtrip = PMA_blowfish_decrypt($cipher, $key);
     $this->assertEquals($plain, $roundtrip);
 }