Timestamp:
Aug 12, 2015 12:22:54 AM (9 years ago)
Author:
anonymous
Message:

v2.2.0-3: Fixed auth password hashing verification issues. Updated hyperlinkTxt() with option. Updated tests.

File:
1 edited

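--- a/trunk/lib/Auth_SQL.inc.php
+++ b/trunk/lib/Auth_SQL.inc.php
@@ -627,7 +627,7 @@
             && !empty($_SESSION['_auth_sql'][$this->_ns]['username'])
             && isset($_SESSION['_auth_sql'][$this->_ns]['login_datetime'])
-            && strtotime($_SESSION['_auth_sql'][$this->_ns]['login_datetime']) > time() - $this->_params['login_timeout']
+            && strtotime($_SESSION['_auth_sql'][$this->_ns]['login_datetime']) > (time() - $this->_params['login_timeout'])
             && isset($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime'])
-            && strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) > time() - $this->_params['idle_timeout']
+            && strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) > (time() - $this->_params['idle_timeout'])
             && $remote_ip_is_matched
         ) {
@@ -650,5 +650,5 @@
         } else if (isset($_SESSION['_auth_sql'][$this->_ns]['authenticated']) && true === $_SESSION['_auth_sql'][$this->_ns]['authenticated']) {
             // User is authenticated, but login has expired.
-            if (strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) > time() - 43200) {
+            if (strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) > (time() - 43200)) {
                 // Only raise message if last session is less than 12 hours old.
                 $app->raiseMsg(_("Your session has expired. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);
@@ -657,14 +657,14 @@
             // Log the reason for login expiration.
             $expire_reasons = array();
-            if (empty($_SESSION['_auth_sql'][$this->_ns]['username'])) {
+            if (!isset($_SESSION['_auth_sql'][$this->_ns]['username']) || empty($_SESSION['_auth_sql'][$this->_ns]['username'])) {
                 $expire_reasons[] = 'username not found';
             }
-            if (strtotime($_SESSION['_auth_sql'][$this->_ns]['login_datetime']) <= time() - $this->_params['login_timeout']) {
+            if (!isset($_SESSION['_auth_sql'][$this->_ns]['login_datetime']) || strtotime($_SESSION['_auth_sql'][$this->_ns]['login_datetime']) <= (time() - $this->_params['login_timeout'])) {
                 $expire_reasons[] = sprintf('login_timeout expired (%s older than %s seconds ago)', $_SESSION['_auth_sql'][$this->_ns]['login_datetime'], $this->_params['login_timeout']);
             }
-            if (strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
+            if (!isset($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) || strtotime($_SESSION['_auth_sql'][$this->_ns]['last_access_datetime']) <= (time() - $this->_params['idle_timeout'])) {
                 $expire_reasons[] = sprintf('idle_timeout expired (%s older than %s seconds ago)', $_SESSION['_auth_sql'][$this->_ns]['last_access_datetime'], $this->_params['idle_timeout']);
             }
-            if ($_SESSION['_auth_sql'][$this->_ns]['remote_ip'] != getRemoteAddr()) {
+            if (!isset($_SESSION['_auth_sql'][$this->_ns]['remote_ip']) || $_SESSION['_auth_sql'][$this->_ns]['remote_ip'] != getRemoteAddr()) {
                 if ($this->getParam('match_remote_ip') && !$this->get('match_remote_ip_exempt') && !$user_in_trusted_network) {
                     // There are three cases when a remote IP match will be the cause of a session termination:
@@ -679,5 +679,5 @@
             $app->logMsg(sprintf('User_id %s (%s) session expired: %s', $this->get('user_id'), $this->get('username'), join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
         } else {
-            $app->logMsg('No authenticated token in _SESSION', LOG_DEBUG, __FILE__, __LINE__);
+            $app->logMsg('Session is not authenticated', LOG_DEBUG, __FILE__, __LINE__);
         }
 
@@ -943,5 +943,5 @@
         switch ($hash_type) {
         case self::ENCRYPT_CRYPT :
-            return $this->encryptPassword($password, $encrypted_password) == $encrypted_password;
+            return $this->encryptPassword($password, $encrypted_password, $hash_type) == $encrypted_password;
 
         case self::ENCRYPT_PLAINTEXT :
@@ -950,14 +950,15 @@
         case self::ENCRYPT_SHA1 :
         case self::ENCRYPT_SHA1_HARDENED :
-        default :
-            return $this->encryptPassword($password) == $encrypted_password;
+            return $this->encryptPassword($password, $encrypted_password, $hash_type) == $encrypted_password;
 
         case self::ENCRYPT_PASSWORD_BCRYPT :
         case self::ENCRYPT_PASSWORD_DEFAULT :
             return password_verify($password, $encrypted_password);
-        }
-
-        $app->logMsg(sprintf('Unknown hash type: %s', $hash_type), LOG_WARNING, __FILE__, __LINE__);
-        return false;
+
+        default :
+            $app->logMsg(sprintf('Unknown hash type: %s', $hash_type), LOG_WARNING, __FILE__, __LINE__);
+            return false;
+        }
+
     }
 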
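Review bot: The hash comparisons kept on the new side of the last two hunks (new lines 945 and 952, `$this->encryptPassword(...) == $encrypted_password`) still use loose `==`, which PHP evaluates numerically when both operands are numeric strings, so if encryptPassword() yields a hex digest for these hash types, two different digests made of `0e` followed only by digits would compare equal. Replace both with `return hash_equals($encrypted_password, $this->encryptPassword($password, $encrypted_password, $hash_type));`, which is a strict, constant-time string comparison and is available alongside the password_verify() this code already relies on. The enclosing method begins outside the hunk; only its closing brace at new line 963 is visible here. In the hunk at new line 659, the added `!isset(...) ||` is redundant because `empty()` already returns true for a missing key; only the `isset` guards added on lines 662, 665 and 668 change behaviour, by keeping strtotime() and the IP comparison off an undefined index.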