Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv22278
Modified Files:
serendipity_functions.inc.php
Log Message:
IMPORTANT SECURITY FIX, PLEASE TEST!
When more than one s9y installation lives on the same VirtualHost, any user
logged in to one s9y installation could access ALL s9y installations on
the same host.
This is because session-variables are set per-host, and the session is valid
for all installations in subdirectories (does not apply to multiple virtual
hosts of course).
What we do now is check the username and password of the user's session each
time he makes admin actions. If the username is invalid for a different s9y
installation, the session will be destroyed.
If you have the same username+password combo in multiple blogs, that will
still log you in into ALL blogs. In that case, that should be desired
behaviour.
Index: serendipity_functions.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v
retrieving revision 1.242
retrieving revision 1.243
diff -u -d -r1.242 -r1.243
--- serendipity_functions.inc.php 27 Mar 2004 18:28:53 -0000 1.242
+++ serendipity_functions.inc.php 29 Mar 2004 07:52:04 -0000 1.243
@@ -2119,18 +2119,21 @@
echo ' <script type="text/javascript" language="JavaScript" src="serendipity_editor.js"></script>';
}
-function serendipity_authenticate_author($username = '', $password = '') {
+function serendipity_authenticate_author($username = '', $password = '', $is_md5 = false) {
global $serendipity;
- if (isset($_SESSION['serendipityUser']) && isset($_SESSION['serendipityEmail']) && isset($_SESSION['serendipityAuthorid']) && isset($_SESSION['serendipityAuthedUser']) && $_SESSION['serendipityAuthedUser'] == true) {
- $serendipity['serendipityUser'] = $_SESSION['serendipityUser'];
- $serendipity['serendipityEmail'] = $_SESSION['serendipityEmail'];
- $serendipity['authorid'] = $_SESSION['serendipityAuthorid'];
- return true;
+ if (isset($_SESSION['serendipityUser']) && isset($_SESSION['serendipityPassword']) && isset($_SESSION['serendipityEmail']) && isset($_SESSION['serendipityAuthorid']) && isset($_SESSION['serendipityAuthedUser']) && $_SESSION['serendipityAuthedUser'] == true) {
+ $serendipity['serendipityUser'] = $username = $_SESSION['serendipityUser'];
+ $serendipity['serendipityEmail'] = $_SESSION['serendipityEmail'];
+ $serendipity['authorid'] = $_SESSION['serendipityAuthorid'];
+ $serendipity['serendipityPassword'] = $password = $_SESSION['serendipityPassword'];
+ $is_md5 = true;
}
if ($username != '') {
- $password = md5($password);
+ if ($is_md5 === false) {
+ $password = md5($password);
+ }
$query = "SELECT DISTINCT
email, authorid
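Review bot: The new `$is_md5` parameter (L31, L47-49) makes the stored MD5 digest a sufficient credential on its own: any caller that passes `$is_md5 = true` with a known hash authenticates without the password, so a hash disclosed by any other weakness becomes equivalent to the password itself. Inside this hunk the only producer of a pre-hashed value is the session branch (L42-43), so the parameter is safe only while no call site forwards it from request data; the call sites are outside the hunk, so that needs confirming, and the signature deserves the comment `// $is_md5 may only be true for a digest read back from $_SESSION, never for request-supplied input`. Keeping the digest in `$_SESSION['serendipityPassword']` (L42) also writes it into the session store for the life of the session, which on a shared host is typically a world-readable temp directory; a per-installation marker stored in the session and compared on each request, or a cookie path scoped to the installation via `session_set_cookie_params()` before `session_start()`, would isolate the installations without persisting credential material. The body of serendipity_authenticate_author continues past the hunk, so whether the session-sourced `$username` is escaped before reaching the query's WHERE clause cannot be judged here.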
@@ -2143,10 +2146,14 @@
if (is_array($row)) {
$_SESSION['serendipityUser'] = $serendipity['serendipityUser'] = $username;
+ $_SESSION['serendipityPassword'] = $serendipity['serendipityPassword'] = $password;
$_SESSION['serendipityEmail'] = $serendipity['serendipityEmail'] = $row['email'];
$_SESSION['serendipityAuthorid'] = $serendipity['authorid'] = $row['authorid'];
$_SESSION['serendipityAuthedUser'] = $serendipity['serendipityAuthedUser'] = true;
return true;
+ } else {
+ $_SESSION['serendipityAuthedUser'] = false;
+ session_destroy();
}
}
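Review bot: On the mismatch path (L60-62) the in-request state copied from the old session is left intact: the preceding hunk (L39-42) already loaded `serendipityUser`, `authorid`, `serendipityEmail` and the digest into `$serendipity` before the query runs, and per PHP's documentation `session_destroy()` clears neither `$_SESSION` nor the client cookie for the current request, so code that consults `$serendipity['authorid']` instead of this function's return value still sees the other installation's author until the request ends. Reset both before destroying the session: `$_SESSION = array(); $serendipity['serendipityAuthedUser'] = false;` followed by `unset($serendipity['authorid'], $serendipity['serendipityUser'], $serendipity['serendipityEmail'], $serendipity['serendipityPassword']);`. On the success path (L54-59), a `session_regenerate_id()` after the row check would keep a session id fixed before login from being reused. The function's tail after the closing braces is outside the hunk.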