Changeset 570 for branches/1.1dev
- Timestamp:
- Nov 4, 2016 8:37:17 PM (8 years ago)
- Location:
- branches/1.1dev
- Files:
-
- 2 edited
branches/1.1dev/config/defaults.inc.php
r566 r570 58 58 // General error log for the applications. 59 59 setDefault($CFG->log_filename, 'app_error_log'); 60 61 60 62 61 /****************************************************************************** … … 150 149 *****************************************************************************/ 151 150 151 setDefault($CFG->site_email, ''); 152 153 setDefault($CFG->site_url, sprintf('%s://%s', ('on' == getenv('HTTPS') ? 'https' : 'http'), getenv('HTTP_HOST'))); 154 setDefault($CFG->admin_url, sprintf('%s/admin/', $CFG->site_url)); 155 152 156 // Used as the fifth parameter to mail() to set the return address for sent messages. Requires safe_mode off. 153 157 setDefault($CFG->envelope_sender_address, "-f $CFG->site_email"); … … 168 172 setDefault($CFG->mysql_date_format, '%e %b %Y'); 169 173 setDefault($CFG->mysql_time_format, '%k:%i'); 170 171 172 ?> -
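Review bot: The new `site_url` default is assembled from `HTTP_HOST`, a request header the client controls, so `admin_url` on the next line and anything that later reads `$CFG->site_url` (readers are outside this hunk) can be made to point at a host of the requester's choosing whenever a deployment leaves `site_url` unset and `setDefault` fills it in silently. A configured value should be the normal case and the header-derived form an explicit, documented fallback; at minimum add `// NOTE: derived from the client-supplied Host header when site_url is not configured; set it explicitly in production.` above line 153. Separately, the `'on' == getenv('HTTPS')` test only recognises the literal `on`; servers that expose `HTTPS` as `1` (inferred, varies by SAPI) would produce an `http://` URL, so consider `in_array(strtolower((string) getenv('HTTPS')), ['on', '1'], true)`.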
branches/1.1dev/lib/AuthSQL.inc.php
r205 r570 23 23 { 24 24 global $CFG; 25 25 26 26 // The name of this auth session. 27 27 $this->_params['auth_name'] = isset($params['auth_name']) ? $params['auth_name'] : ''; 28 28 29 29 // The database table containing users to authenticate. 30 30 $this->_params['user_tbl'] = isset($params['user_tbl']) ? $params['user_tbl'] : 'user_tbl'; 31 31 32 32 // The name of the primary key for the user_tbl. 33 33 $this->_params['user_id_column'] = isset($params['user_id_column']) ? $params['user_id_column'] : 'user_id'; 34 34 35 35 // The name of the username key for the user_tbl. 36 36 $this->_params['username_column'] = isset($params['username_column']) ? $params['username_column'] : 'username'; 37 37 38 38 // If using the login_tbl feature, specify the login_tbl. The primary key must match the primary key for the user_tbl. 39 39 $this->_params['login_tbl'] = isset($params['login_tbl']) ? $params['login_tbl'] : 'login_tbl'; 40 40 41 41 // The type of encryption to use for passwords stored in the user_tbl. Use 'md5' or 'crypt'. 42 42 $this->_params['encryption_type'] = isset($params['encryption_type']) ? $params['encryption_type'] : 'md5'; … … 48 48 // This applies to admins and users. In seconds. 21600 seconds = 6 hours. 49 49 $this->_params['login_timeout'] = isset($params['login_timeout']) ? $params['login_timeout'] : $CFG->login_timeout; 50 50 51 51 // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire. 52 52 // This applies to admins and users. In seconds. 3600 seconds = 1 hour. … … 56 56 // Days and hours, like this: 'DD:HH' 57 57 $this->_params['login_abuse_timeframe'] = isset($params['login_abuse_timeframe']) ? 
$params['login_abuse_timeframe'] : $CFG->login_abuse_timeframe; 58 59 // When an account is accessed from this many different IPs, the user's password is reset and they are issued a warning.60 $this->_params['login_abuse_warning_ips'] = isset($params['login_abuse_warning_ips']) ? $params['login_abuse_warning_ips'] : $CFG->login_abuse_warning_ips;61 58 62 59 // The number of warnings a user will receive (and their password reset each time) before their account is completely blocked. … … 71 68 $this->_params['login_abuse_ip_bitmask'] = isset($params['login_abuse_ip_bitmask']) ? $params['login_abuse_ip_bitmask'] : $CFG->login_abuse_ip_bitmask; 72 69 73 // Specify usernames to exclude from the account abuse detection system. This is specified as a hardcoded array provided at 70 // Specify usernames to exclude from the account abuse detection system. This is specified as a hardcoded array provided at 74 71 // class instantiation time, or can be saved in the user_tbl under the login_abuse_exempt field. 75 72 $this->_params['login_abuse_exempt_usernames'] = isset($params['login_abuse_exempt_usernames']) && is_array($params['login_abuse_exempt_usernames']) ? $params['login_abuse_exempt_usernames'] : $CFG->login_abuse_exempt_usernames; 76 73 77 74 $this->_params['trusted_networks'] = isset($params['trusted_networks']) && is_array($params['trusted_networks']) ? $params['trusted_networks'] : $CFG->trusted_networks; 78 75 79 76 // Feature: Allow user accounts to be blocked? Requires the user table to have the columns 'blocked' and 'blocked_reason' 80 77 $this->_params['features']['blocking'] = isset($params['features']['blocking']) ? $params['features']['blocking'] : false; 81 78 82 79 // Feature: Use a login_tbl to detect excessive logins. This requires blocking to be enabled. 83 80 $this->_params['features']['abuse_detection'] = isset($params['features']['abuse_detection']) ? 
$params['features']['abuse_detection'] : false; 84 81 85 82 // Array of usernames which are exempt from remote_ip matching. Users behind proxy servers should be appended to this array so their shifting remote IP will not log them out. 86 83 $this->_params['match_remote_ip_exempt_usernames'] = isset($params['match_remote_ip_exempt_usernames']) && is_array($params['match_remote_ip_exempt_usernames']) ? $params['match_remote_ip_exempt_usernames'] : $CFG->match_remote_ip_exempt_usernames; … … 88 85 // Feature: Match the user's current remote IP against the one they logged in with. 89 86 $this->_params['features']['match_remote_ip'] = isset($params['features']['match_remote_ip']) ? $params['features']['match_remote_ip'] : true; 90 87 91 88 $this->_auth_name = '_auth_' . $this->_params['auth_name']; 92 89 } … … 100 97 { 101 98 dbQuery(" 102 UPDATE " . $this->_params['user_tbl'] . " SET 99 UPDATE " . $this->_params['user_tbl'] . " SET 103 100 seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)), 104 101 last_login_datetime = '0000-00-00 00:00:00' … … 145 142 } 146 143 } 147 144 148 145 /** 149 146 * Set the features of an auth object. … … 186 183 */ 187 184 function authenticate($username, $password) 188 { 185 { 189 186 // Query DB for user matching credentials. 190 187 $qid = dbQuery(" 191 SELECT *, " . $this->_params['user_id_column'] . " AS user_id 188 SELECT *, " . $this->_params['user_id_column'] . " AS user_id 192 189 FROM " . $this->_params['user_tbl'] . " 193 190 WHERE BINARY username = '" . mysql_real_escape_string($username) . "' 194 191 AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 195 192 "); 196 193 197 194 // Return user data if found. 198 195 if ($user_data = mysql_fetch_assoc($qid)) { … … 237 234 'user_data' => $user_data 238 235 ); 239 236 240 237 /** 241 238 * Check if the account is blocked, respond in context to reason. Cancel the login if blocked. 
… … 243 240 if ($this->getFeature('blocking')) { 244 241 if (!empty($user_data['blocked'])) { 245 242 246 243 logMsg(sprintf('Login failed, blocked account. User: %s (%s) Reason: %s', $user_data['user_id'], $username, $user_data['blocked_reason']), LOG_NOTICE, __FILE__, __LINE__); 247 244 248 245 switch ($user_data['blocked_reason']) { 249 246 case 'account abuse' : … … 254 251 break; 255 252 } 256 253 257 254 // No login: user is blocked! 258 255 $this->clearAuth(); … … 260 257 } 261 258 } 262 259 263 260 /** 264 261 * Check the login_tbl for too many logins under this account. … … 298 295 dbQuery(" 299 296 INSERT INTO " . $this->_params['login_tbl'] . " ( 300 " . $this->_params['user_id_column'] . ", 301 login_datetime, 297 " . $this->_params['user_id_column'] . ", 298 login_datetime, 302 299 remote_ip_binary 303 300 ) VALUES ( … … 308 305 "); 309 306 } 310 307 311 308 // Update user table with this login. 312 309 dbQuery(" … … 317 314 WHERE " . $this->_params['user_id_column'] . " = '" . $this->getVal('user_id') . "' 318 315 "); 319 316 320 317 // We're logged-in! 321 318 return true; … … 344 341 return (mysql_num_rows($qid) > 0); 345 342 } 346 343 347 344 // User login test need only be run once per script execution. We cache the result in the session. 348 345 if ($this->_authentication_tested && isset($_SESSION[$this->_auth_name]['authenticated'])) { 349 346 return $_SESSION[$this->_auth_name]['authenticated']; 350 347 } 351 348 352 349 // Tesing login should occur once. This is the first time. Set flag. 353 350 $this->_authentication_tested = true; 354 351 355 352 // Some users will access from networks with changing IP number (i.e. behind a proxy server). These users must be allowed entry be adding their IP to the list of trusted_networks. 
356 353 if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) { 357 354 $user_in_trusted_network = true; 358 logMsg(sprintf('%s%s accessing from trusted network %s', 359 ucfirst($this->_params['auth_name']), 355 logMsg(sprintf('%s%s accessing from trusted network %s', 356 ucfirst($this->_params['auth_name']), 360 357 ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' . $this->getVal('username') . ')' : ''), 361 358 $trusted_net … … 363 360 } else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) { 364 361 $user_in_trusted_network = true; 365 logMsg(sprintf('%s%s accessing from trusted network proxy.aol.com', 366 ucfirst($this->_params['auth_name']), 362 logMsg(sprintf('%s%s accessing from trusted network proxy.aol.com', 363 ucfirst($this->_params['auth_name']), 367 364 ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' . $this->getVal('username') . ')' : '') 368 365 ), LOG_NOTICE, __FILE__, __LINE__); … … 370 367 $user_in_trusted_network = false; 371 368 } 372 369 373 370 // Do we match the user's remote IP at all? Yes, if set in config and not disabled for specific user. 374 371 if ($this->getFeature('match_remote_ip') && !$this->getVal('match_remote_ip_exempt')) { 375 372 $remote_ip_is_matched = ($_SESSION[$this->_auth_name]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network); 376 373 } else { 377 logMsg(sprintf('%s%s exempt from remote_ip match.', 378 ucfirst($this->_params['auth_name']), 374 logMsg(sprintf('%s%s exempt from remote_ip match.', 375 ucfirst($this->_params['auth_name']), 379 376 ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' . $this->getVal('username') . ')' : '') 380 377 ), LOG_DEBUG, __FILE__, __LINE__); 381 378 $remote_ip_is_matched = true; 382 379 } 383 380 384 381 // Test login with information stored in session. Skip IP matching for users from trusted networks. 
385 382 if (true === $_SESSION[$this->_auth_name]['authenticated'] … … 394 391 // Update the DB with the last_access_datetime and increment the seconds_online. 395 392 dbQuery(" 396 UPDATE " . $this->_params['user_tbl'] . " SET 393 UPDATE " . $this->_params['user_tbl'] . " SET 397 394 seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)) + 1, 398 395 last_access_datetime = '" . $this->getVal('last_access_datetime') . "' … … 408 405 // User is authenticated, but login has expired. 409 406 raiseMsg(sprintf(_("Your %s session has closed. You need to log-in again."), strtolower($this->_params['auth_name'])), MSG_NOTICE, __FILE__, __LINE__); 410 407 411 408 // Log the reason for login expiration. 412 409 $expire_reasons = array(); … … 460 457 * This sets the 'blocked' field for a user in the user_tbl, and also 461 458 * adds an optional reason 462 * 459 * 463 460 * @param string $reason The reason for blocking the account. 464 461 */ … … 470 467 logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__); 471 468 } 472 469 473 470 // Get user_id if specified. 474 471 $user_id = isset($user_id) ? $user_id : $this->getVal('user_id'); … … 483 480 484 481 /** 485 * Unblocks a user in the user_tbl, and clears any blocked_reason. 482 * Unblocks a user in the user_tbl, and clears any blocked_reason. 486 483 */ 487 484 function unblockAccount($user_id=null) … … 507 504 */ 508 505 function usernameExists($username) 509 { 506 { 510 507 $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . mysql_real_escape_string($username) . "'"); 511 508 return (mysql_num_rows($qid) > 0); … … 520 517 */ 521 518 function getUsername($user_id) 522 { 519 { 523 520 $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . 
"'"); 524 521 if (list($username) = mysql_fetch_row($qid)) { … … 560 557 return $str; 561 558 } 562 559 563 560 /** 564 561 * … … 570 567 return $password; 571 568 break; 572 569 573 570 case 'crypt' : 574 571 return crypt($password, crypt($password)); 575 572 break; 576 573 577 574 case 'sha1' : 578 575 if (function_exists('sha1')) { // Only in PHP 4.3.0+ … … 580 577 break; 581 578 } 582 579 583 580 case 'md5' : 584 581 default : … … 589 586 590 587 /** 591 * 588 * 592 589 */ 593 590 function setPassword($user_id=null, $password) 594 { 591 { 595 592 // Get user_id if specified. 596 593 $user_id = isset($user_id) ? $user_id : $this->getVal('user_id'); 597 594 598 595 // Issue the password change query. 599 596 dbQuery(" 600 UPDATE " . $this->_params['user_tbl'] . " 597 UPDATE " . $this->_params['user_tbl'] . " 601 598 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 602 599 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "' … … 615 612 { 616 613 global $CFG; 617 614 618 615 // Get user_id if specified. 619 616 $user_id = isset($user_id) ? $user_id : $this->getVal('user_id'); 620 617 621 618 // Reset password of a specific user. 622 619 $qid = dbQuery(" … … 628 625 // Get new password. 629 626 $password = $this->generatePassword(); 630 627 631 628 // Issue the password change query. 632 629 dbQuery(" 633 UPDATE " . $this->_params['user_tbl'] . " 630 UPDATE " . $this->_params['user_tbl'] . " 634 631 SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "' 635 632 WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . 
"' … … 641 638 mail($user_data['email'], $email_subject, $email_body, "From: $CFG->site_name <$CFG->site_email>\r\n", $CFG->envelope_sender_address); 642 639 } 643 640 644 641 return array('username'=>$user_data['username'], 'userpass'=>$password); 645 642 } 646 643 647 644 /** 648 645 * If the current user has access to the specified $security_zone, return true. 649 * If the optional $priv is supplied, test that against the zone. 646 * If the optional $priv is supplied, test that against the zone. 650 647 * 651 648 * @param constant $security_zone string of comma delimited priviliges for the zone … … 658 655 $zone_members = preg_split('/,\s*/', $security_zone); 659 656 $priv = empty($priv) ? $this->getVal('priv') : $priv; 660 661 // If the current user's privilege level is NOT in that array or if the 657 658 // If the current user's privilege level is NOT in that array or if the 662 659 // user has no privilege, return false. Otherwise the user is clear. 663 660 if (!in_array($priv, $zone_members) || empty($priv)) { … … 667 664 } 668 665 } 669 666 670 667 /** 671 668 * This function tests a list of arguments $security_zone against the priv that the current user has. 672 * If the user doesn't have one of the supplied privs, die. 669 * If the user doesn't have one of the supplied privs, die. 673 670 * 674 671 * @param constant $security_zone string of comma delimited priviliges for the zone … … 677 674 { 678 675 $zone_members = preg_split('/,\s*/', $security_zone); 679 680 /* If the current user's privilege level is NOT in that array or if the 676 677 /* If the current user's privilege level is NOT in that array or if the 681 678 * user has no privilege, DIE with a message. 
*/ 682 679 if (!in_array($this->getVal('priv'), $zone_members) || !$this->getVal('priv')) { … … 691 688 // CIDR cheatsheet 692 689 // 693 // Netmask Netmask (binary) CIDR Notes 690 // Netmask Netmask (binary) CIDR Notes 694 691 // _____________________________________________________________________________ 695 692 // 255.255.255.255 11111111.11111111.11111111.11111111 /32 Host (single addr) … … 702 699 // 255.255.255.128 11111111.11111111.11111111.10000000 /25 126 useable 703 700 // 255.255.255.0 11111111.11111111.11111111.00000000 /24 "Class C" 254 useable 704 // 701 // 705 702 // 255.255.254.0 11111111.11111111.11111110.00000000 /23 2 Class C's 706 703 // 255.255.252.0 11111111.11111111.11111100.00000000 /22 4 Class C's … … 711 708 // 255.255.128.0 11111111.11111111.10000000.00000000 /17 128 Class C's 712 709 // 255.255.0.0 11111111.11111111.00000000.00000000 /16 "Class B" 713 // 710 // 714 711 // 255.254.0.0 11111111.11111110.00000000.00000000 /15 2 Class B's 715 712 // 255.252.0.0 11111111.11111100.00000000.00000000 /14 4 Class B's … … 720 717 // 255.128.0.0 11111111.10000000.00000000.00000000 /9 128 Class B's 721 718 // 255.0.0.0 11111111.00000000.00000000.00000000 /8 "Class A" 722 // 719 // 723 720 // 254.0.0.0 11111110.00000000.00000000.00000000 /7 724 721 // 252.0.0.0 11111100.00000000.00000000.00000000 /6
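Review bot: The constructor hunk drops the `login_abuse_warning_ips` assignment (old lines 59-60) together with its comment, but nothing in this changeset updates whatever reads `$this->_params['login_abuse_warning_ips']`; if the abuse-detection branch of `authenticate()` (whose body continues outside the shown hunks) still consults that key, it will now evaluate to null with an undefined-index notice and the "password reset after N distinct IPs" behaviour silently stops. Either keep the assignment or confirm there is no remaining reader and update the class docblock accordingly. The remaining hunks in this file are trailing-whitespace cleanup only.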