[Linpha-cvs] SF.net SVN: linpha: [4854] trunk/linpha2
From: <fan...@us...> - 2008-02-06 23:26:04
Revision: 4854 http://linpha.svn.sourceforge.net/linpha/?rev=4854&view=rev Author: fangehrn Date: 2008-02-06 15:25:59 -0800 (Wed, 06 Feb 2008) Log Message: ----------- 2008-02-06 flo * User - implemented "improved hash algorithm" for more secure password hashes * Cookies - added cookie settings Modified Paths: -------------- trunk/linpha2/ChangeLog trunk/linpha2/admin/maintenance.php trunk/linpha2/admin/metadata_define.php trunk/linpha2/admin/metadata_define_post.php trunk/linpha2/admin/permissions_users.php trunk/linpha2/admin/settings_plugins.php trunk/linpha2/docs/dev/TODO.txt trunk/linpha2/install/step11_finish.php trunk/linpha2/lib/classes/linpha.admin.class.php trunk/linpha2/lib/classes/linpha.sql.class.php trunk/linpha2/lib/include/sql/sql.data.php trunk/linpha2/lib/include/sql/sql.mysql.php trunk/linpha2/lib/include/sql/sql.oci8po.php trunk/linpha2/lib/include/sql/sql.postgres.php trunk/linpha2/lib/include/sql/sql.sqlite.php trunk/linpha2/reset_database.php trunk/linpha2/templates/default/fragments.php Modified: trunk/linpha2/ChangeLog =================================================================== --- trunk/linpha2/ChangeLog 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/ChangeLog 2008-02-06 23:25:59 UTC (rev 4854) @@ -4,6 +4,12 @@ * common.php/linpha.class.php - fixed LINPHA_CLIENT when linpha is installed not to a subfolder - secured $_SERVER['PATH_INFO'] + + * User + - implemented "improved hash algorithm" for more secure password hashes + + * Cookies + - added cookie settings 2008-02-04 flo * Some more work on the installer Modified: trunk/linpha2/admin/maintenance.php =================================================================== --- trunk/linpha2/admin/maintenance.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/admin/maintenance.php 2008-02-06 23:25:59 UTC (rev 4854) 
@@ -1,25 +1,25 @@ -<?php -if(!defined('LINPHA_DIR')) { exit(1); } - -if(!isset($cat2)) -{ - $cat2 = 'import'; -} - -$array_menu = array( - 'import' => array('name' => i18n("Import"), 'link' => 'maintenance_import'), - 'db' => array('name' => i18n("Database"), 'link' => 'maintenance_db'), -); - -LinAdmin::printAdminMenu($array_menu,$cat2); - -switch($cat2) -{ - case 'import': - include_once(LINPHA_DIR.'/admin/maintenance_import.php'); - break; - case 'db': - include_once(LINPHA_DIR.'/admin/maintenance_db.php'); - break; -} -?> +<?php +if(!defined('LINPHA_DIR')) { exit(1); } + +if(!isset($cat2)) +{ + $cat2 = 'import'; +} + +$array_menu = array( + 'import' => array('name' => i18n("Import"), 'link' => 'maintenance_import'), + 'db' => array('name' => i18n("Database"), 'link' => 'maintenance_db'), +); + +LinAdmin::printAdminMenu($array_menu,$cat2); + +switch($cat2) +{ + case 'import': + include_once(LINPHA_DIR.'/admin/maintenance_import.php'); + break; + case 'db': + include_once(LINPHA_DIR.'/admin/maintenance_db.php'); + break; +} +?> Modified: trunk/linpha2/admin/metadata_define.php =================================================================== --- trunk/linpha2/admin/metadata_define.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/admin/metadata_define.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -431,10 +431,10 @@ { obj_from.selectedIndex = obj_from.selectedIndex - 1; } - else if( old_index > obj_from.length -1 ) - { - obj_from.selectedIndex = obj_from.length -1; - } + else if( old_index > obj_from.length -1 ) + { + obj_from.selectedIndex = obj_from.length -1; + } else { obj_from.selectedIndex = old_index; Modified: trunk/linpha2/admin/metadata_define_post.php =================================================================== --- trunk/linpha2/admin/metadata_define_post.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/admin/metadata_define_post.php 2008-02-06 23:25:59 UTC (rev 4854) 
@@ -1,145 +1,145 @@ -<?php -/* -* Copyright (c) 2005 Heiko Rutenbeck <bz...@tu...> -* Florian Angehrn -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -/** - * @package admin - * @subpackage MetaData - * - * For a description of the table structure, flags, etc. consult the developper - * wiki at http://linpha.sourceforge.net/wiki/index.php/Tables_linpha_meta_fields - */ - -if(!defined('LINPHA_DIR')) { exit(1); } - -switch($_POST['cmd']) -{ -case 'update_builtin': - - foreach($_POST['builtin'] AS $key=>$value) - { - if($value) { - $flag = 5; - } else { - $flag = 6; - } - - $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_fields SET " . - "flags = '".$flag."' ". - "WHERE id = '".LinSql::linAddslashes($key)."'"); - } - - break; - -case 'add_new': - /** - * check for duplicates with the same name - */ - $linpha->db->Execute("INSERT into ".LIN_PREFIX."meta_fields (name, field_type, flags) " . - "VALUES ('".LinSql::linAddslashes($_POST['new_name'])."', '".LinSql::linAddslashes($_POST['new_type'])."', '7') "); - break; - -case 'change_field': - - if(LinSql::linAddslashes($_POST['builtin'][$_POST['id']])) { - $flag = 7; - } else { - $flag = 8; - } - - $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_fields SET " . - "name = '".LinSql::linAddslashes($_POST['new_name'])."', ". - "flags = '".$flag."' ". 
- "WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); - break; - -case 'delete': - ?> - <h3>Delete selected field</h3> - Really sure? all will be lost... - <form action="./?cat=metadata_define_own" method="POST"> - <input type="hidden" name="cmd" value="do_delete" /> - <input type="hidden" name="id" value="<?php echo $_POST['id']; ?>" /> - <input type="submit" name="delete" value="delete" /> - <a href="./?cat=metadata_define_own">Cancel</a> - </form> - <br /><br /> - <?php - break; - -case 'do_delete': - $linpha->db->Execute("DELETE FROM ".LIN_PREFIX."meta_fields WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); - break; - -case 'add_new_category': - if(isset($_POST['isprivate'])) { - $isprivate = 1; - } else { - $isprivate = 0; - } - $linpha->db->Execute("INSERT into ".LIN_PREFIX."meta_category (field_id, name, isprivate) VALUES (" . - "'".LinSql::linAddslashes($_POST['field_id'])."'," . - "'".LinSql::linAddslashes($_POST['new_name'])."'," . - "'".$isprivate."')"); - - break; - -case 'mod_category': - if(isset($_POST['isprivate'])) { - $isprivate = 1; - } else { - $isprivate = 0; - } - - $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_category SET " . - "name = '".LinSql::linAddslashes($_POST['new_name'])."', ". - "isprivate = '".$isprivate."' ". - "WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); - - break; - -case 'delete_category': - $linpha->db->Execute("DELETE FROM ".LIN_PREFIX."meta_category WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); - break; - -case 'update_config_metadata': - $linpha->sql->config->updateConfig('sys_image_'.$cat3,$_POST['metadata_config_enable']); - $linpha->sql->config->reloadConfig(); - break; - -case 'create_metadata_table': - if( ! 
isset($_POST['selected_fields'])) { - $_POST['selected_fields'] = Array(); - } - if(isset($cat3)) { - if(LIN_DB_TYPE == "mysql") { - $linpha->db->Execute("DROP TABLE IF EXISTS ".LIN_PREFIX."meta_$cat3"); - } else { - @$linpha->db->Execute("DROP TABLE ".LIN_PREFIX."meta_$cat3"); - } - $linpha->db->Execute(LinMetaData::createMetaDataTable( $_POST['selected_fields'], $cat3)); - } - break; - -default: - echo i18n("FATAL: Unknown POST Request"); - exit(); - break; -} -?> +<?php +/* +* Copyright (c) 2005 Heiko Rutenbeck <bz...@tu...> +* Florian Angehrn +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/** + * @package admin + * @subpackage MetaData + * + * For a description of the table structure, flags, etc. consult the developper + * wiki at http://linpha.sourceforge.net/wiki/index.php/Tables_linpha_meta_fields + */ + +if(!defined('LINPHA_DIR')) { exit(1); } + +switch($_POST['cmd']) +{ +case 'update_builtin': + + foreach($_POST['builtin'] AS $key=>$value) + { + if($value) { + $flag = 5; + } else { + $flag = 6; + } + + $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_fields SET " . + "flags = '".$flag."' ". 
+ "WHERE id = '".LinSql::linAddslashes($key)."'"); + } + + break; + +case 'add_new': + /** + * check for duplicates with the same name + */ + $linpha->db->Execute("INSERT into ".LIN_PREFIX."meta_fields (name, field_type, flags) " . + "VALUES ('".LinSql::linAddslashes($_POST['new_name'])."', '".LinSql::linAddslashes($_POST['new_type'])."', '7') "); + break; + +case 'change_field': + + if(LinSql::linAddslashes($_POST['builtin'][$_POST['id']])) { + $flag = 7; + } else { + $flag = 8; + } + + $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_fields SET " . + "name = '".LinSql::linAddslashes($_POST['new_name'])."', ". + "flags = '".$flag."' ". + "WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); + break; + +case 'delete': + ?> + <h3>Delete selected field</h3> + Really sure? all will be lost... + <form action="./?cat=metadata_define_own" method="POST"> + <input type="hidden" name="cmd" value="do_delete" /> + <input type="hidden" name="id" value="<?php echo $_POST['id']; ?>" /> + <input type="submit" name="delete" value="delete" /> + <a href="./?cat=metadata_define_own">Cancel</a> + </form> + <br /><br /> + <?php + break; + +case 'do_delete': + $linpha->db->Execute("DELETE FROM ".LIN_PREFIX."meta_fields WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); + break; + +case 'add_new_category': + if(isset($_POST['isprivate'])) { + $isprivate = 1; + } else { + $isprivate = 0; + } + $linpha->db->Execute("INSERT into ".LIN_PREFIX."meta_category (field_id, name, isprivate) VALUES (" . + "'".LinSql::linAddslashes($_POST['field_id'])."'," . + "'".LinSql::linAddslashes($_POST['new_name'])."'," . + "'".$isprivate."')"); + + break; + +case 'mod_category': + if(isset($_POST['isprivate'])) { + $isprivate = 1; + } else { + $isprivate = 0; + } + + $linpha->db->Execute("UPDATE ".LIN_PREFIX."meta_category SET " . + "name = '".LinSql::linAddslashes($_POST['new_name'])."', ". + "isprivate = '".$isprivate."' ". 
+ "WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); + + break; + +case 'delete_category': + $linpha->db->Execute("DELETE FROM ".LIN_PREFIX."meta_category WHERE id = '".LinSql::linAddslashes($_POST['id'])."'"); + break; + +case 'update_config_metadata': + $linpha->sql->config->updateConfig('sys_image_'.$cat3,$_POST['metadata_config_enable']); + $linpha->sql->config->reloadConfig(); + break; + +case 'create_metadata_table': + if( ! isset($_POST['selected_fields'])) { + $_POST['selected_fields'] = Array(); + } + if(isset($cat3)) { + if(LIN_DB_TYPE == "mysql") { + $linpha->db->Execute("DROP TABLE IF EXISTS ".LIN_PREFIX."meta_$cat3"); + } else { + @$linpha->db->Execute("DROP TABLE ".LIN_PREFIX."meta_$cat3"); + } + $linpha->db->Execute(LinMetaData::createMetaDataTable( $_POST['selected_fields'], $cat3)); + } + break; + +default: + echo i18n("FATAL: Unknown POST Request"); + exit(); + break; +} +?> Modified: trunk/linpha2/admin/permissions_users.php =================================================================== --- trunk/linpha2/admin/permissions_users.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/admin/permissions_users.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -52,8 +52,7 @@ { $sql_str_new_password = ""; } else { - $md5_pass = md5($_POST['mod_user_pass']); - $sql_str_new_password = "password='".$md5_pass."', "; + $sql_str_new_password = "password='".$GLOBALS['linpha']->sql->getPWHash($_POST['mod_user_pass'])."', "; } $GLOBALS['linpha']->db->Execute("UPDATE ".LIN_PREFIX."users SET ". @@ -62,6 +61,8 @@ $sql_str_new_password. "user_email='".LinSql::linAddslashes($_POST['mod_user_mail'])."' ". "WHERE id='".LinSql::linAddslashes($_POST['id'])."'"); + + unset($sql_str_new_password, $_POST['mod_user_pass'], $_REQUEST['mod_user_pass']); /** * if current account is changed update session variables and login cookie 
@@ -73,7 +74,7 @@ /** * does not work, because headers are already sent - * + * @TODO if(isset($_COOKIE['linpha_userid']) && isset($_COOKIE['linpha_password']) && isset($md5_pass)) @@ -117,8 +118,11 @@ $GLOBALS['linpha']->db->Execute("INSERT INTO ".LIN_PREFIX."users " . "(username, password, user_email, display_name) ". "VALUES " . - "('".LinSql::linAddslashes($_POST['new_user_name'])."', '".md5($_POST['new_user_pass'])."', ". + "('".LinSql::linAddslashes($_POST['new_user_name'])."', '".$GLOBALS['linpha']->sql->getPWHash($_POST['new_user_pass'])."', ". "'".LinSql::linAddslashes($_POST['new_user_mail'])."', '".LinSql::linAddslashes($_POST['new_user_fullname'])."')"); + + unset($_POST['new_user_pass'], $_REQUEST['new_user_pass']); + break; } } Modified: trunk/linpha2/admin/settings_plugins.php =================================================================== --- trunk/linpha2/admin/settings_plugins.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/admin/settings_plugins.php 2008-02-06 23:25:59 UTC (rev 4854) 
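Review bot: The new INSERT at the end of this hunk splices `$GLOBALS['linpha']->sql->getPWHash($_POST['new_user_pass'])` straight into the SQL string while the neighbouring `username`/`user_email`/`display_name` values all go through `LinSql::linAddslashes()`, and the same hash value is escaped in compareHash's UPDATE in linpha.sql.class.php; nothing on this page documents the output alphabet of the iha hash, so it should be treated like any other value: `'".LinSql::linAddslashes($GLOBALS['linpha']->sql->getPWHash($_POST['new_user_pass']))."'`. The `$sql_str_new_password` assignment in the -52 hunk above has the same gap. The commented-out block in the -73 hunk still tests `isset($md5_pass)`, a variable this commit deletes, so the added `@TODO` should note that the cookie refresh has to use the value returned by getPWHash. The enclosing switch of this hunk starts and ends outside the shown lines.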
@@ -1,136 +1,136 @@ -<?php -if(!defined('LINPHA_DIR')) { exit(1); } - -if(!isset($cat3)) -{ - $cat3 = 'enable'; -} - -$arrPlugins = LinAdmin::getPlugins(); - -/** - * save settings before showing menu - */ - if($cat3=='enable' && isset($_POST['cmd']) && $_POST['cmd']=='saveconfig') - { - foreach($arrPlugins as $value) - { - $arrPluginsFullName[] = 'plugins_'.$value.'_enable'; - } - - /** - * create database tables and insert config data if necessary - */ - foreach($arrPlugins as $value) // go through all plugins - { - // only if we enabled the plugin now and it didn't existed before - if( isset($_POST['plugins_'.$value.'_enable']) - && $_POST['plugins_'.$value.'_enable']=='1' - && !isset($LinAdmin->option_value_system['plugins_'.$value.'_enable']) ) - { - $str1 = i18n("Enabling plugin \"%s\""); - linSysLog( sprintf($str1,$LinAdmin->description_array['plugins_'.$value]) ); - - /** - * create database tables - */ - $includeFile = LINPHA_DIR.'/lib/plugins/'.$value.'/sql/sql.'.LIN_DB_TYPE.'.php'; - if( file_exists($includeFile) ) - { - $sql_tables = array(); - include($includeFile); - - linSysLog(i18n("Creating tables")); - foreach($sql_tables as $sqlStr) - { - $result = $linpha->db->Execute($sqlStr); - - // it the table already exists, we get automatically a nice message like - // "Table 'linpha2_plugins_maps_markers' already exists" - if(!$result) { - linSysLog($linpha->db->ErrorMsg()); - } - } - } - - /** - * insert config data - */ - $includeFile = LINPHA_DIR.'/lib/plugins/'.$value.'/sql/sql.data.php'; - if( file_exists($includeFile) ) // this file always exists (it wouldnt be a plugin otherwise) - { - $sql_queries = array(); - include($includeFile); - - linSysLog(i18n("Insert config data")); - foreach($sql_queries as $sqlStr) - { - $result = $linpha->db->Execute($sqlStr); - - // it the table already exists, we get automatically a nice message like - // "Table 'linpha2_plugins_maps_markers' already exists" - if(!$result) { - linSysLog($linpha->db->ErrorMsg()); - } 
- } - } - - } - } - - // set plugins_*_enable to '1' - $LinAdmin->saveConfig($arrPluginsFullName); - } - -/** - * show menu - */ -$array_menu = array( - 'enable' => array('name' => i18n("Enable/Disable Plugins"), 'link' => 'settings_plugins_enable'), -); -foreach( $arrPlugins as $key=>$value) -{ - if(isset($LinAdmin->option_value_system['plugins_'.$value.'_enable']) - && $LinAdmin->option_value_system['plugins_'.$value.'_enable'] == '1' - ) - { - $array_menu[$value] = array( - 'name' => $LinAdmin->description_array['plugins_'.$value], - 'link' => 'settings_plugins_'.$value - ); - } -} - -LinAdmin::printAdminMenu($array_menu,$cat3); -?> - -<form method="POST" action="<?php echo LINPHA_DIR.'/admin/?cat=settings_plugins_'.$cat3; ?>"> -<?php -if($cat3=='enable') -{ - foreach( $arrPlugins as $key=>$value) - { - if(isset($LinAdmin->option_value_system['plugins_'.$value.'_enable'])) { - $optionValue = $LinAdmin->option_value_system['plugins_'.$value.'_enable']; - } else { - $optionValue = '0'; - } - - $LinAdmin->printAdminConfig( - 'radio', - $LinAdmin->getDescriptionByOptionName('plugins_'.$value), - 'plugins_'.$value.'_enable', - $optionValue - ); - } -} -elseif(in_array($cat3,$arrPlugins)) // prevent including evil file -{ - $includeFile = LINPHA_DIR.'/lib/plugins/'.$cat3.'/settings.'.$cat3.'.php'; - if( file_exists($includeFile)) - { - include_once($includeFile); - } -} - +<?php +if(!defined('LINPHA_DIR')) { exit(1); } + +if(!isset($cat3)) +{ + $cat3 = 'enable'; +} + +$arrPlugins = LinAdmin::getPlugins(); + +/** + * save settings before showing menu + */ + if($cat3=='enable' && isset($_POST['cmd']) && $_POST['cmd']=='saveconfig') + { + foreach($arrPlugins as $value) + { + $arrPluginsFullName[] = 'plugins_'.$value.'_enable'; + } + + /** + * create database tables and insert config data if necessary + */ + foreach($arrPlugins as $value) // go through all plugins + { + // only if we enabled the plugin now and it didn't existed before + if( 
isset($_POST['plugins_'.$value.'_enable']) + && $_POST['plugins_'.$value.'_enable']=='1' + && !isset($LinAdmin->option_value_system['plugins_'.$value.'_enable']) ) + { + $str1 = i18n("Enabling plugin \"%s\""); + linSysLog( sprintf($str1,$LinAdmin->description_array['plugins_'.$value]) ); + + /** + * create database tables + */ + $includeFile = LINPHA_DIR.'/lib/plugins/'.$value.'/sql/sql.'.LIN_DB_TYPE.'.php'; + if( file_exists($includeFile) ) + { + $sql_tables = array(); + include($includeFile); + + linSysLog(i18n("Creating tables")); + foreach($sql_tables as $sqlStr) + { + $result = $linpha->db->Execute($sqlStr); + + // it the table already exists, we get automatically a nice message like + // "Table 'linpha2_plugins_maps_markers' already exists" + if(!$result) { + linSysLog($linpha->db->ErrorMsg()); + } + } + } + + /** + * insert config data + */ + $includeFile = LINPHA_DIR.'/lib/plugins/'.$value.'/sql/sql.data.php'; + if( file_exists($includeFile) ) // this file always exists (it wouldnt be a plugin otherwise) + { + $sql_queries = array(); + include($includeFile); + + linSysLog(i18n("Insert config data")); + foreach($sql_queries as $sqlStr) + { + $result = $linpha->db->Execute($sqlStr); + + // it the table already exists, we get automatically a nice message like + // "Table 'linpha2_plugins_maps_markers' already exists" + if(!$result) { + linSysLog($linpha->db->ErrorMsg()); + } + } + } + + } + } + + // set plugins_*_enable to '1' + $LinAdmin->saveConfig($arrPluginsFullName); + } + +/** + * show menu + */ +$array_menu = array( + 'enable' => array('name' => i18n("Enable/Disable Plugins"), 'link' => 'settings_plugins_enable'), +); +foreach( $arrPlugins as $key=>$value) +{ + if(isset($LinAdmin->option_value_system['plugins_'.$value.'_enable']) + && $LinAdmin->option_value_system['plugins_'.$value.'_enable'] == '1' + ) + { + $array_menu[$value] = array( + 'name' => $LinAdmin->description_array['plugins_'.$value], + 'link' => 'settings_plugins_'.$value + ); + } +} + 
+LinAdmin::printAdminMenu($array_menu,$cat3); +?> + +<form method="POST" action="<?php echo LINPHA_DIR.'/admin/?cat=settings_plugins_'.$cat3; ?>"> +<?php +if($cat3=='enable') +{ + foreach( $arrPlugins as $key=>$value) + { + if(isset($LinAdmin->option_value_system['plugins_'.$value.'_enable'])) { + $optionValue = $LinAdmin->option_value_system['plugins_'.$value.'_enable']; + } else { + $optionValue = '0'; + } + + $LinAdmin->printAdminConfig( + 'radio', + $LinAdmin->getDescriptionByOptionName('plugins_'.$value), + 'plugins_'.$value.'_enable', + $optionValue + ); + } +} +elseif(in_array($cat3,$arrPlugins)) // prevent including evil file +{ + $includeFile = LINPHA_DIR.'/lib/plugins/'.$cat3.'/settings.'.$cat3.'.php'; + if( file_exists($includeFile)) + { + include_once($includeFile); + } +} + ?> \ No newline at end of file Modified: trunk/linpha2/docs/dev/TODO.txt =================================================================== --- trunk/linpha2/docs/dev/TODO.txt 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/docs/dev/TODO.txt 2008-02-06 23:25:59 UTC (rev 4854) @@ -29,11 +29,6 @@ - compress javascripts (prototype and scriptaculous) they are now nearly 200KB big -- php session - limit the session cookie not only to domain, but also to full url path - we cannot use the same session in localhost/linpha1.0 and localhost/linpha2.0 - -> session_set_cookie_params() - ## Big Todos - Switch to strict mode 
@@ -115,6 +110,12 @@ DONE ############################################################################ +- php session + limit the session cookie not only to domain, but also to full url path + we cannot use the same session in localhost/linpha1.0 and localhost/linpha2.0 + -> session_set_cookie_params() + + - how to handle common language strings like "Successfully updated data.", "Submit", "Access denied", "Check file permissions" ?? i suggest using define('LIN_STR_SUBMIT', "Submit"); in the language file and use it this way: echo i18n( LIN_STR_SUBMIT ); Modified: trunk/linpha2/install/step11_finish.php =================================================================== --- trunk/linpha2/install/step11_finish.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/install/step11_finish.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -57,8 +57,11 @@ echo "Adding linpha admin user... "; $result = $linpha->db->Execute("INSERT INTO ".LIN_PREFIX."users (username, password, user_email) VALUES (" . "'".LinSql::linAddslashes($_POST['admin_name'])."', " . - "'".md5($_POST['admin_pass'])."', " . + "'".$linpha->sql->getPWHash($_POST['admin_pass'])."', " . "'".LinSql::linAddslashes($_POST['admin_email'])."')"); + + unset($_POST['admin_pass'],$_REQUEST['admin_pass']); + if(!$result) { echo failed_msg(); Modified: trunk/linpha2/lib/classes/linpha.admin.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.admin.class.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/classes/linpha.admin.class.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -314,7 +314,7 @@ 'sys_style_image_height', 'sys_style_image_nrprevnextthumbs', - 'sys_user_autologin' + 'sys_session_autologin' ); }*/ 
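Review bot: In the step11_finish.php hunk, `$linpha->sql->getPWHash($_POST['admin_pass'])` is the only value in the INSERT that bypasses `LinSql::linAddslashes()`; the character set of the iha hash is not visible here and compareHash in linpha.sql.class.php does escape the same value before its UPDATE, so wrap it consistently: `"'".LinSql::linAddslashes($linpha->sql->getPWHash($_POST['admin_pass']))."', " .`. Whether an empty `admin_pass` is rejected before this point is not shown; if it is not, getPWHash will store a hash of the empty string for the admin account, so a `strlen($_POST['admin_pass']) > 0` check before the INSERT would be cheap insurance. The `unset(...)` of the plaintext afterwards is a reasonable hygiene step and fine as written.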
@@ -346,7 +346,8 @@ 'sys_style_home_usedefaultwelcometext', 'sys_style_thumb_showsubfoldersseparate', 'sys_style_image_useeffects', - 'sys_user_autologin', + 'sys_session_autologin', + 'sys_session_ipcheck', 'plugins_filemanager_enable', 'plugins_guestbook_enable', Modified: trunk/linpha2/lib/classes/linpha.sql.class.php =================================================================== --- trunk/linpha2/lib/classes/linpha.sql.class.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/classes/linpha.sql.class.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -213,7 +213,7 @@ */ $GLOBALS['linpha']->template = new linTemplate(); global $linTpl; - $linTpl = $GLOBALS['linpha']->template; + $linTpl = $GLOBALS['linpha']->template; // this is just a reference linIncludeLanguageFile(); 
@@ -263,34 +263,60 @@ */ if (session_id() == '') { - session_name('linpha2'); + if (empty($GLOBALS['linpha']->sql->config->value['sys_session_name'])) { + session_name('linpha2'); + } else { + session_name($GLOBALS['linpha']->sql->config->value['sys_session_name']); + } + + if (!empty($GLOBALS['linpha']->sql->config->value['sys_session_cookiepath'])) { + switch($GLOBALS['linpha']->sql->config->value['sys_session_cookiepath']) + { + case 'unchanged': + break; + case 'auto': + $path = LINPHA_LINK; + if (substr($path,strlen($path)-2)=='/?') { + $path = substr($path,0,strlen($path)-2); + } + session_set_cookie_params(0,$path); + break; + case 'root': + case 'top': + session_set_cookie_params(0,'/'); + break; + default: + session_set_cookie_params(0,$GLOBALS['linpha']->sql->config->value['sys_session_cookiepath']); + break; + } + } + session_start(); } /** * read cookie */ - if($this->config->value['sys_user_autologin']) { - if(!isset($_SESSION['user_name']) && - isset($_COOKIE['linpha_userid'])&&$_COOKIE['linpha_userid']!=""&& - isset($_COOKIE['linpha_password'])&&$_COOKIE['linpha_password']!="") + if ($this->config->value['sys_session_autologin'] + && !isset($_SESSION['user_name']) + && isset($_COOKIE['linpha_userid']) && $_COOKIE['linpha_userid']!="" + && isset($_COOKIE['linpha_password']) && $_COOKIE['linpha_password']!="") + { + $query = $GLOBALS['linpha']->db->Execute("SELECT username, password, display_name FROM ".LIN_PREFIX."users ". + "WHERE id = '".LinSql::linAddslashes($_COOKIE['linpha_userid'])."' ". + "AND password = '".LinSql::linAddslashes($_COOKIE['linpha_password'])."'"); + if($data = $query->FetchRow()) { - $query = $GLOBALS['linpha']->db->Execute("SELECT username, display_name FROM ".LIN_PREFIX."users ". - "WHERE id = '".LinSql::linAddslashes($_COOKIE['linpha_userid'])."' ". 
- "AND password = '".LinSql::linAddslashes($_COOKIE['linpha_password'])."'"); - if($data = $query->FetchRow()) - { - linLog(LOG_TYPE_USER,LOG_NOTICE,'login','User '.$_POST['username'].': successfully logged in.'); - linSysLog(i18n("Successfully Logged In!")); - - $this->setUserInformation($data['username'],$_COOKIE['linpha_userid'],$data['display_name']); - } - else // wrong cookie - { - setcookie('linpha_userid'); // delete cookie linpha_userid - setcookie('linpha_password'); // delete cookie linpha_password - } + linLog(LOG_TYPE_USER,LOG_NOTICE,'login','User '.$data['username'].': successfully logged in (cookie).'); + linSysLog(i18n("Successfully Logged In!")); + + $this->setUserInformation($data['username'],$_COOKIE['linpha_userid'],$data['display_name']); } + else // wrong cookie + { + setcookie('linpha_userid'); // delete cookie linpha_userid + setcookie('linpha_password'); // delete cookie linpha_password + } } /** @@ -331,10 +357,12 @@ /** * get user from DB */ - $data = $GLOBALS['linpha']->db->GetRow("SELECT id, username, password, id, display_name FROM ".LIN_PREFIX."users ". + $data = $GLOBALS['linpha']->db->GetRow("SELECT id, username, password, display_name FROM ".LIN_PREFIX."users ". "WHERE username='".LinSql::linAddslashes($_POST['username'])."'"); - if( isset($data['username']) && isset($data['password']) && $_POST['username'] == $data['username'] && md5($_POST['password']) == $data['password']) + if ( isset($data['username']) && isset($data['password']) + && $_POST['username'] == $data['username'] + && $this->compareHash($data['id'], $_POST['password'], $data['password']) ) { /** * sucessfull login 
@@ -345,8 +373,9 @@ $this->setUserInformation($_POST['username'],$data['id'],$data['display_name']); - if(isset($_POST['rememberme'])) { - $this->setLinphaCookie($data['id'], md5($_POST['password'])); + if ($GLOBALS['linpha']->sql->config->value['sys_session_autologin'] + && isset($_POST['rememberme'])) { + $this->setLinphaCookie($data['id'], $data['password']); // this should be the updated hash (when needed) from compareHash() (call by reference) } /** @@ -375,11 +404,15 @@ $this->isAdmin = false; if(isset($_SESSION['user_id']) && isset($_SESSION['user_name']) && !empty($_SESSION['user_id']) && !empty($_SESSION['user_name']) ) { - if( isset($_SERVER['REMOTE_ADDR']) && ($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) ) + if( $GLOBALS['linpha']->sql->config->value['sys_session_ipcheck'] && + isset($_SERVER['REMOTE_ADDR']) && ($_SESSION['REMOTE_ADDR'] != $_SERVER['REMOTE_ADDR']) ) { /** * ip check wrong! */ + linLog(LOG_TYPE_USER,LOG_WARNING,'login','IP Check failed for '.$_SESSION['user_name']. + '. Session IP: '.$_SESSION['REMOTE_ADDR'].', Current IP: '.$_SERVER['REMOTE_ADDR']); + $this->isLoggedIn=false; $_SESSION = array(); 
@@ -601,6 +634,66 @@ } } + function getPWHash($pw) + { + require(LINPHA_DIR.'/lib/iha/iha.php'); + $iha = new iha(); + + /** + * see not below + $sql_dir = ''; + require_once( LINPHA_DIR.'/var/config.dir.php' ); + $hash_secret = ''; + require_once( LinFilesys::getFullPath( $sql_dir ) . '/config.sql.php' ); + $iha->password = $hash_secret;*/ + + return $iha->hash($pw); + } + function compareHash($userid,$pw,&$hash) + { + if (strlen($hash)==32) // old md5 hash is used + { + if (md5($pw)==$hash) + { + // update old hash + $hash = $this->getPWHash($pw); + $GLOBALS['linpha']->db->Execute("UPDATE ".LIN_PREFIX."users " . + "SET password = '".LinSql::linAddslashes($hash)."' " . + "WHERE id = '".LinSql::linAddslashes($userid)."'"); + + return true; + } + else + { + return false; + } + } + else + { + require(LINPHA_DIR.'/lib/iha/iha.php'); + $iha = new iha(); + + /** + * @TODO + * $hash_secret not used at the moment + * it has 2 main disadvantages: + * - we would have to change require_once(config.sql.php) to require(config.sql.php) + * - if the admin deletes the file config.sql.php users will not never be able to authenticate + * - it does not make sense to store the $hash_secret in the database instead of a file, + * this would be no additional security! + $sql_dir = ''; + require_once( LINPHA_DIR.'/var/config.dir.php' ); + $hash_secret = ''; + require_once( LinFilesys::getFullPath( $sql_dir ) . '/config.sql.php' ); + $iha->password = $hash_secret;*/ + + if ($iha->compare($pw, $hash)) + return true; + else + return false; + } + } + /** * other stuff */ @@ -777,7 +870,7 @@ * * @uses LinSql::startSession */ - function setLinphaCookie($userid, $md5pw) + function setLinphaCookie($userid, $pwhash) { /** * calculate correct path for cookie 
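Review bot: `if (md5($pw)==$hash)` in compareHash uses PHP's loose string comparison, which coerces both sides to numbers when they look numeric, so a stored legacy hash of the form `0e` followed only by digits compares equal to any candidate md5 of the same form; use `===` here (`if (md5($pw) === $hash)`), since this legacy branch stays live until every user has logged in once. Both getPWHash and compareHash call `require(LINPHA_DIR.'/lib/iha/iha.php')` rather than `require_once`, so a request that reaches both (compareHash's non-md5 branch followed by any getPWHash call) would fatal with "Cannot redeclare class iha"; `require_once` avoids that. The `strlen($hash)==32` heuristic for detecting an md5 hash deserves a one-line comment on the method, and the duplicated ~20-line commented-out `$hash_secret` block reads better as a single `@TODO` sentence. Note too that the upgrade UPDATE writes the longer iha hash into a `password` column that existing installations created as VARCHAR(32) (see the schema hunks below); unless an ALTER lives in a file not touched here, that write can be truncated and lock the user out.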
@@ -829,7 +922,7 @@ * set the cookie */ setcookie("linpha_userid", $userid, (time() + 60 * 60 * 24 * 31), $php_self_dir); - setcookie("linpha_password", $md5pw, (time() + 60 * 60 * 24 * 31), $php_self_dir); + setcookie("linpha_password", $pwhash, (time() + 60 * 60 * 24 * 31), $php_self_dir); } } // end class LinSql Modified: trunk/linpha2/lib/include/sql/sql.data.php =================================================================== --- trunk/linpha2/lib/include/sql/sql.data.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/include/sql/sql.data.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -53,6 +53,11 @@ 'sys_path_tmp_dir' => $_SESSION['tmp_dir'], 'sys_path_install_dir' => 'install', + 'sys_session_autologin' => '1', + 'sys_session_ipcheck' => '1', + 'sys_session_cookiepath' => 'unchanged', + 'sys_session_name' => 'linpha2', + 'sys_basket_mail_max_size' => (1024*1024*2), 'sys_basket_mail_smpthost' => 'localhost', 'sys_basket_download_limit' => '0', @@ -95,8 +100,6 @@ 'sys_style_layout_title' => 'Linpha 2.0', 'sys_style_others_sortorder' => 'nameasc', - - 'sys_user_autologin' => '1', ); $options_user_overrideable = Array( Modified: trunk/linpha2/lib/include/sql/sql.mysql.php =================================================================== --- trunk/linpha2/lib/include/sql/sql.mysql.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/include/sql/sql.mysql.php 2008-02-06 23:25:59 UTC (rev 4854) 
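Review bot: `setcookie("linpha_password", $pwhash, ...)` stores the very value the users table holds in `password`, for 31 days, with neither the `secure` nor the `httponly` flag (setcookie takes both as its 6th and 7th arguments on PHP 5.2+), so a single XSS or one plain-HTTP request exposes a month-long credential that is also the server-side verifier. At minimum pass `true` for httponly and set `secure` from `!empty($_SERVER['HTTPS'])`; better, issue a random remember-me token that is distinct from the stored hash. The enclosing method setLinphaCookie begins in the previous hunk.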
@@ -33,7 +33,7 @@ "CREATE TABLE ".$linpha_tables['users']." ( ". "id INT NOT NULL AUTO_INCREMENT , " . "username VARCHAR(255) NOT NULL default '' , " . - "password VARCHAR(32) NOT NULL default '' , " . + "password VARCHAR(255) NOT NULL default '' , " . "user_email VARCHAR(255) NOT NULL default '' , " . "display_name VARCHAR(255) NOT NULL default '' , " . "stats_downloads INT default '0', " . Modified: trunk/linpha2/lib/include/sql/sql.oci8po.php =================================================================== --- trunk/linpha2/lib/include/sql/sql.oci8po.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/include/sql/sql.oci8po.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -32,7 +32,7 @@ "CREATE TABLE ".$linpha_tables['users']." ( ". "id NUMBER PRIMARY KEY, " . "username VARCHAR2(255) NOT NULL, " . - "password VARCHAR2(32) NOT NULL, " . + "password VARCHAR2(255) NOT NULL, " . "user_email VARCHAR2(255) NOT NULL, " . "display_name VARCHAR2(255), " . "stats_downloads NUMBER(10) DEFAULT '0', " . Modified: trunk/linpha2/lib/include/sql/sql.postgres.php =================================================================== --- trunk/linpha2/lib/include/sql/sql.postgres.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/include/sql/sql.postgres.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -32,7 +32,7 @@ "CREATE TABLE ".$linpha_tables['users']." ( ". "id SERIAL PRIMARY KEY, " . "username VARCHAR(255) NOT NULL default '' , " . - "password VARCHAR(32) NOT NULL default '' , " . + "password VARCHAR(255) NOT NULL default '' , " . "user_email VARCHAR(255) NOT NULL default '' , " . "display_name VARCHAR(255) NOT NULL default '' , " . "stats_downloads INT NOT NULL default 0 , " . Modified: trunk/linpha2/lib/include/sql/sql.sqlite.php =================================================================== --- trunk/linpha2/lib/include/sql/sql.sqlite.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/lib/include/sql/sql.sqlite.php 2008-02-06 23:25:59 UTC (rev 4854) 
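Review bot: Widening `password` to VARCHAR(255) only affects tables created from now on; the modified-paths list shows no upgrade or ALTER step, so an existing installation keeps its VARCHAR(32) column while compareHash's on-login UPDATE and every getPWHash write now store a longer iha hash. On MySQL without strict mode the value is silently truncated and the user can never log in again; on the other backends the write fails outright. Either an `ALTER TABLE ... MODIFY password VARCHAR(255)` in the upgrade path or a guard in compareHash that skips the rehash when the column is too narrow is needed before this ships, unless that migration lives in a file not touched by this commit.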
@@ -32,7 +32,7 @@ "CREATE TABLE ".$linpha_tables['users']." ( ". "id INTEGER PRIMARY KEY, " . "username VARCHAR(255) NOT NULL default '' , " . - "password VARCHAR(32) NOT NULL default '' , " . + "password VARCHAR(255) NOT NULL default '' , " . "user_email VARCHAR(255) NOT NULL default '' , " . "display_name VARCHAR(255) NOT NULL default '' , " . "stats_downloads INTEGER NOT NULL default '0' , " . Modified: trunk/linpha2/reset_database.php =================================================================== --- trunk/linpha2/reset_database.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/reset_database.php 2008-02-06 23:25:59 UTC (rev 4854) @@ -106,7 +106,7 @@ unset($error_nr); } - $GLOBALS['linpha']->db->Execute("INSERT into ".LIN_PREFIX."users (username, password) VALUES ('root','".md5('test')."')"); + $GLOBALS['linpha']->db->Execute("INSERT into ".LIN_PREFIX."users (username, password) VALUES ('root','".$linpha->sql->getPWHash('test')."')"); $GLOBALS['linpha']->db->Execute("INSERT into ".LIN_PREFIX."user_group (user_id, group_id) VALUES ('1','1')"); Modified: trunk/linpha2/templates/default/fragments.php =================================================================== --- trunk/linpha2/templates/default/fragments.php 2008-02-06 20:50:49 UTC (rev 4853) +++ trunk/linpha2/templates/default/fragments.php 2008-02-06 23:25:59 UTC (rev 4854) 
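Review bot: The rewritten INSERT in the reset_database.php hunk mixes `$GLOBALS['linpha']->db` and `$linpha->sql` in the same statement; if `$linpha` is not a local variable in that script (the surrounding lines use the `$GLOBALS` form), the method call fails on a null object before any query runs. Using one form consistently, `$GLOBALS['linpha']->sql->getPWHash('test')`, removes the dependency on the calling scope. The hash is still concatenated into the SQL string, which is only safe as long as `getPWHash` returns characters that need no quoting; if the database layer supports bound parameters, passing the hash as a parameter rather than splicing it in would not have to assume that.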
@@ -56,7 +56,7 @@ <br /> <label for="linFormUsername" style="display: block; float: left; width: 80px;"><?php echo i18n("Username"); ?>: </label><input style="width: 105px;" class="linForms" type="text" name="username" value="" id="linFormUsername" /><br /> <label for="linFormPassword" style="display: block; float: left; width: 80px;"><?php echo i18n("Password"); ?>: </label><input style="width: 105px;" class="linForms" type="password" name="password" value="" id="linFormPassword" /><br /> - <?php if($GLOBALS['linpha']->sql->config->value['sys_user_autologin']) { ?><input type="checkbox" name="rememberme" value="true" id="linFormCheckboxRemember" /><label for="linFormCheckboxRemember"><?php echo i18n("Remember Me"); ?></label><?php } ?> + <?php if($GLOBALS['linpha']->sql->config->value['sys_session_autologin']) { ?><input type="checkbox" name="rememberme" value="true" id="linFormCheckboxRemember" /><label for="linFormCheckboxRemember"><?php echo i18n("Remember Me"); ?></label><?php } ?> <input type="hidden" name="cmd" value="login" /> <input type="submit" name="submit" class="linButton linInputMenu" value="<?php echo i18n("Login"); ?>" /><br /><br /> <div style="font-size: smaller; border: 0px;"><?php echo i18n("You must have cookies enabled to log in."); ?></div> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
