Changeset 124

Timestamp:

May 24, 2006 5:35:19 AM (18 years ago)

Author:

scdev

Message:

Q - Improved hashing algorithms in Auth_SQL, added more sc- css selectors, misc bug fixes

Files:

• branches/1.1dev/bin/module_maker/module.cli.php (modified) (1 diff)
• trunk/bin/module_maker/skel/adm_list.ihtml (modified) (1 diff)
• trunk/docs/revision_history.txt (modified) (2 diffs)
• trunk/lib/App.inc.php (modified) (1 diff)
• trunk/lib/Auth_SQL.inc.php (modified) (7 diffs)
• trunk/lib/PEdit.inc.php (modified) (1 diff)
• trunk/services/templates/admin_list.ihtml (modified) (2 diffs)
• trunk/services/templates/versions_diff.ihtml (modified) (1 diff)
• trunk/services/templates/versions_list.ihtml (modified) (1 diff)

branches/1.1dev/bin/module_maker/module.cli.php

@@ -422 +422 @@
         echo "Attempting to create user trash folder: $user_trash_folder/\n";
         mkdir($user_trash_folder);
-        chmod($user_trash_folder, 0777);
+        chmod($user_trash_folder, 0700);
     }
     if (!is_dir("$user_trash_folder") || !is_writable("$user_trash_folder")) {

trunk/bin/module_maker/skel/adm_list.ihtml

@@ -28 +28 @@
     <?php for ($i = 0; $i <= $page->last_item - $page->first_item && $page->total_items > 0; $i++) { ?>
     <tr>
-        <td class="padleft sc-nowrap"><a title="<?php printf(_("Edit %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=edit&%PRIMARY_KEY%=' . $list[$i]['%PRIMARY_KEY%']); ?>"><img src="/admin/_widgets/edit.gif" alt="Edit" width="14" height="18" border="0"></a> &nbsp;</td>
-        <td class="padleft sc-nowrap"><a title="<?php printf(_("Versions of %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF('/admin/versions.php?record_table=%DB_TBL%&record_key=%PRIMARY_KEY%&boomerang=true&record_val=' . $list[$i]['%PRIMARY_KEY%']); ?>"><img src="/admin/_widgets/subcategory.gif" alt="" width="18" height="14" border="0" /></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap"><a title="<?php printf(_("Edit %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=edit&%PRIMARY_KEY%=' . $list[$i]['%PRIMARY_KEY%']); ?>"><img src="/admin/_widgets/edit.gif" alt="Edit" width="14" height="18" border="0"></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap"><a title="<?php printf(_("Versions of %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF('/admin/versions.php?record_table=%DB_TBL%&record_key=%PRIMARY_KEY%&boomerang=true&record_val=' . $list[$i]['%PRIMARY_KEY%']); ?>"><img src="/admin/_widgets/subcategory.gif" alt="" width="18" height="14" border="0" /></a> &nbsp;</td>
 %ADM_LIST_ROWS%
-        <td class="padleft sc-nowrap" align="right"><a title="<?php printf(_("Delete %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . "?op=del&%PRIMARY_KEY%=" . $list[$i]['%PRIMARY_KEY%']); ?>" onClick="javascript:return confirm('<?php printf(_("Are you sure you want to delete the record %s? This action is permanent and cannot be undone."), oTxt($list[$i]['<##>'])) ?>')"><img src="/admin/_widgets/delete.gif" alt="Delete" width="16" height="17" border="0"></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap" align="right"><a title="<?php printf(_("Delete %s"), oTxt($list[$i]['<##>'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . "?op=del&%PRIMARY_KEY%=" . $list[$i]['%PRIMARY_KEY%']); ?>" onClick="javascript:return confirm('<?php printf(_("Are you sure you want to delete the record %s? This action is permanent and cannot be undone."), oTxt($list[$i]['<##>'])) ?>')"><img src="/admin/_widgets/delete.gif" alt="Delete" width="16" height="17" border="0"></a> &nbsp;</td>
     </tr>
     <?php } ?>

trunk/docs/revision_history.txt

@@ -1 @@
---------------------------------------------------------------------------------
+---------------------------------------------------------------------
+Strangecode codebase 2.1
+---------------------------------------------------------------------
+
+css/utilities.inc.php and css/codebase.inc.php now have sc- prepended to all selectors. This regex will convert an existing site to the new sc- format:
+s/class="([\w-]+ )*(tiny|small|medium|large|full|twolines|short|tall|fullscreen|nowrap|clearboth|center|right|padright|padleft|padleft|help|monospaced|pkg)( [\w-]+)*"/class="$1sc-$2$3"/gi
+
+
+
+---------------------------------------------------------------------
 Strangecode codebase 2.0
---------------------------------------------------------------------------------
+---------------------------------------------------------------------
 
 Codebase self contained. runs without reference to external files or info.
@@ -69 +78 @@
 
 
---------------------------------------------------------------------------------
+---------------------------------------------------------------------
 Strangecode codebase 1.0.0 release
---------------------------------------------------------------------------------
+---------------------------------------------------------------------
 
 This is the primary stable release used before we started using Subversion. It was maintained erratically by one erratic person. No revision info documented, sorry.

trunk/lib/App.inc.php

@@ -1107 +1107 @@
     function sslOff()
     {
+        if (!isset($this) || !is_a($this, 'App') && !is_subclass_of($this, 'App')) {
+            $this =& App::getInstance();
+        }
+
         if ('' != getenv('HTTPS')) {
             $this->dieURL('http://' . getenv('HTTP_HOST') . getenv('REQUEST_URI'), null, true);

trunk/lib/Auth_SQL.inc.php

@@ -4 +4 @@
  *
  * @author  Quinn Comendant <quinn@strangecode.com>
- * @version 2.0
+ * @version 2.1
  */
 
 // Available encryption types for class Auth_SQL.
-define('AUTH_ENCRYPT_MD5', 'md5');
-define('AUTH_ENCRYPT_CRYPT', 'crypt');
-define('AUTH_ENCRYPT_SHA1', 'sha1');
-define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');
+define('AUTH_ENCRYPT_MD5', 1);
+define('AUTH_ENCRYPT_CRYPT', 2);
+define('AUTH_ENCRYPT_SHA1', 3);
+define('AUTH_ENCRYPT_PLAINTEXT', 4);
 
 require_once dirname(__FILE__) . '/Email.inc.php';
@@ -41 +41 @@
 
         // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
-        'encryption_type' => AUTH_ENCRYPT_MD5,
+        'encryption_type' => AUTH_ENCRYPT_SHA1,
 
         // The URL to the login script.
@@ -47 +47 @@
 
         // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
-        // This applies to admins and users. In seconds. 21600 seconds = 6 hours.
+        // In seconds. 21600 seconds = 6 hours.
         'login_timeout' => 21600,
 
         // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
-        // This applies to admins and users. In seconds. 3600 seconds = 1 hour.
+        // In seconds. 3600 seconds = 1 hour.
         'idle_timeout' => 3600,
 
@@ -300 +300 @@
         $this->initDB();
 
-        // Query DB for user matching credentials.
-        // FIXME: Cannot compare crypt style passwords this way.
-        $qid = DB::query("
-            SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
-            FROM " . $this->_params['db_table'] . "
-            WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
-            AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
-        ");
+        switch ($this->_params['encryption_type']) {
+        case AUTH_ENCRYPT_CRYPT :
+            // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2)))
+            ");
+            break;
+        case AUTH_ENCRYPT_PLAINTEXT :
+        case AUTH_ENCRYPT_MD5 :
+        case AUTH_ENCRYPT_SHA1 :
+        default :
+            // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword().
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
+            ");
+            break;
+        }
 
         // Return user data if found.
@@ -665 +680 @@
     function generatePassword($pattern='CvccvCdd')
     {
-        mt_srand((double) microtime() * 10000000);
         $str = '';
         for ($i=0; $i<strlen($pattern); $i++) {
@@ -682 +696 @@
      *
      */
-    function encryptPassword($password)
+    function encryptPassword($password, $salt=null)
     {
         switch ($this->_params['encryption_type']) {
@@ -690 +704 @@
 
         case AUTH_ENCRYPT_CRYPT :
-            return crypt($password);
+            // If comparing plaintext password with a hash, provide first two chars of the hash as the salt.
+            return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password);
             break;
 
         case AUTH_ENCRYPT_SHA1 :
-            return sha1($password);
+            return sha1(App::getParam('signing_key') . sha1($password));
             break;
 
         case AUTH_ENCRYPT_MD5 :
         default :
-            return md5($password);
+            return md5(App::getParam('signing_key') . md5($password));
             break;
         }

trunk/lib/PEdit.inc.php

@@ -276 +276 @@
                 ?>
                 <label><?php echo ucfirst(str_replace('_', ' ', $name)); ?></label>
-                <textarea name="_pedit_data[<?php echo $name; ?>]" id="sc-pedit-field-<?php echo $name; ?>" rows="" cols="" class="full sc-tall"><?php echo oTxt($this->_data[$name]['content']); ?></textarea>
+                <textarea name="_pedit_data[<?php echo $name; ?>]" id="sc-pedit-field-<?php echo $name; ?>" rows="" cols="" class="sc-full sc-tall"><?php echo oTxt($this->_data[$name]['content']); ?></textarea>
                 <?php
                 break;

trunk/services/templates/admin_list.ihtml

@@ -31 +31 @@
     <?php for ($i = 0; $i <= $page->last_item - $page->first_item && $page->total_items > 0; $i++) { ?>
     <tr>
-        <td class="padleft sc-nowrap"><a title="<?php printf(_("Edit %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=edit&admin_id=' . $list[$i]['admin_id']); ?>"><img src="/admin/_widgets/edit.gif" alt="Edit" width="14" height="18" border="0"></a> &nbsp;</td>
-        <td class="padleft sc-nowrap"><a title="<?php printf(_("Versions of %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF('/admin/versions.php?record_table=admin_tbl&record_key=admin_id&boomerang=true&record_val=' . $list[$i]['admin_id']); ?>"><img src="/admin/_widgets/subcategory.gif" alt="" width="18" height="14" border="0" /></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap"><a title="<?php printf(_("Edit %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=edit&admin_id=' . $list[$i]['admin_id']); ?>"><img src="/admin/_widgets/edit.gif" alt="Edit" width="14" height="18" border="0"></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap"><a title="<?php printf(_("Versions of %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF('/admin/versions.php?record_table=admin_tbl&record_key=admin_id&boomerang=true&record_val=' . $list[$i]['admin_id']); ?>"><img src="/admin/_widgets/subcategory.gif" alt="" width="18" height="14" border="0" /></a> &nbsp;</td>
         <td class="sc-nowrap"><?php echo oTxt($list[$i]['admin_id'], true); ?> &nbsp;</td>
         <td class="sc-nowrap"><?php echo oTxt($list[$i]['username'], true); ?> &nbsp;</td>
@@ -49 +49 @@
         <td class="sc-nowrap"><?php echo oTxt($list[$i]['added_admin_username'], true); ?> &nbsp;</td>
         <td class="sc-nowrap"><?php echo '0000-00-00 00:00:00' == $list[$i]['modified_datetime'] ? '' : date(App::getParam('date_format'), strtotime($list[$i]['modified_datetime'])); ?> &nbsp;</td>
-        <td class="padleft sc-nowrap" align="right"><a title="<?php printf(_("Delete %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . "?op=del&admin_id=" . $list[$i]['admin_id']); ?>" onClick="javascript:return confirm('<?php printf(_("Are you sure you want to delete the record %s? This action is permanent and cannot be undone."), oTxt($list[$i]['username'])) ?>')"><img src="/admin/_widgets/delete.gif" alt="Delete" width="16" height="17" border="0"></a> &nbsp;</td>
+        <td class="sc-padleft sc-nowrap" align="right"><a title="<?php printf(_("Delete %s"), oTxt($list[$i]['username'])) ?>" href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . "?op=del&admin_id=" . $list[$i]['admin_id']); ?>" onClick="javascript:return confirm('<?php printf(_("Are you sure you want to delete the record %s? This action is permanent and cannot be undone."), oTxt($list[$i]['username'])) ?>')"><img src="/admin/_widgets/delete.gif" alt="Delete" width="16" height="17" border="0"></a> &nbsp;</td>
     </tr>
     <?php } ?>

trunk/services/templates/versions_diff.ihtml

@@ -20 +20 @@
     ?>
     <tr>
-        <td class="padleft sc-nowrap"<?php echo $style; ?>><label><?php echo $k; ?></label></td>
+        <td class="sc-padleft sc-nowrap"<?php echo $style; ?>><label><?php echo $k; ?></label></td>
         <td class="sc-padleft"><?php echo $v_d; ?></td>
         <td class="sc-padleft"><?php echo $v_c; ?></td>

trunk/services/templates/versions_list.ihtml

@@ -14 +14 @@
 <tr>
     <?php if ($first) { ?>
-    <td class="padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=view&current=true&version_id=' . $v['version_id']); ?>">view</a>]</td>
-    <td class="padleft sc-nowrap" colspan="2">(<?php echo _("Current record"); ?>)</td>
+    <td class="sc-padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=view&current=true&version_id=' . $v['version_id']); ?>">view</a>]</td>
+    <td class="sc-padleft sc-nowrap" colspan="2">(<?php echo _("Current record"); ?>)</td>
     <?php } else { ?>
-    <td class="padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=view&version_id=' . $v['version_id']); ?>">view</a>]</td>
-    <td class="padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=diff&version_id=' . $v['version_id']); ?>">diff</a>]</td>
-    <td class="padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=restore&version_id=' . $v['version_id']); ?>">restore</a>]</td>
+    <td class="sc-padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=view&version_id=' . $v['version_id']); ?>">view</a>]</td>
+    <td class="sc-padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=diff&version_id=' . $v['version_id']); ?>">diff</a>]</td>
+    <td class="sc-padleft sc-nowrap">[<a href="<?php echo App::oHREF($_SERVER['PHP_SELF'] . '?op=restore&version_id=' . $v['version_id']); ?>">restore</a>]</td>
     <?php } ?>
-    <td class="padleft sc-nowrap"><?php echo $v['version_id']; ?></td>
-    <td class="padleft sc-nowrap"><?php echo date('d M Y H:i:s', strtotime($v['version_datetime'])); ?></td>
-    <td class="padleft sc-nowrap"><?php echo $v['editor']; ?></td>
+    <td class="sc-padleft sc-nowrap"><?php echo $v['version_id']; ?></td>
+    <td class="sc-padleft sc-nowrap"><?php echo date('d M Y H:i:s', strtotime($v['version_datetime'])); ?></td>
+    <td class="sc-padleft sc-nowrap"><?php echo $v['editor']; ?></td>
 </tr>
 <?php