Update of /cvsroot/phpslash/phpslash-ft/class
In directory usw-pr-cvs1:/tmp/cvs-serv24941/class
Modified Files:
slashAuth.class slashAuthCR.class
Log Message:
make slashAuth*.class safe with register_globals
Index: slashAuth.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-ft/class/slashAuth.class,v
retrieving revision 1.4
retrieving revision 1.5
diff -C2 -d -r1.4 -r1.5
*** slashAuth.class 3 Feb 2002 02:49:40 -0000 1.4
--- slashAuth.class 8 Feb 2002 21:50:10 -0000 1.5
***************
*** 68,72 ****
function auth_validatelogin() {
! global $username,$password;
# the login form will save the username
--- 68,75 ----
function auth_validatelogin() {
! global $HTTP_POST_VARS;
!
! $username = $HTTP_POST_VARS['username'];
! $password = $HTTP_POST_VARS['password'];
# the login form will save the username
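Review bot: The new assignments from `$HTTP_POST_VARS` check neither that the key is present nor that the value is a string. A request without the field raises an undefined-index notice, and a field posted as an array would put an array into `$username`/`$password`. The same applies to the four assignments at the top of `auth_validatelogin()` in slashAuthCR.class. A guarded form such as `if (isset($HTTP_POST_VARS['username']) && is_string($HTTP_POST_VARS['username'])) $username = $HTTP_POST_VARS['username'];` leaves the variable unset otherwise, so a later `isset($username)` test keeps its meaning. The rest of the function body is outside this hunk.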
Index: slashAuthCR.class
===================================================================
RCS file: /cvsroot/phpslash/phpslash-ft/class/slashAuthCR.class,v
retrieving revision 1.3
retrieving revision 1.4
diff -C2 -d -r1.3 -r1.4
*** slashAuthCR.class 3 Feb 2002 02:49:40 -0000 1.3
--- slashAuthCR.class 8 Feb 2002 21:50:10 -0000 1.4
***************
*** 59,75 ****
function auth_validatelogin() {
! global $username,$password, $challenge, $response;
# the login form will save the username
if(isset($username)) {
$this->auth["uname"] = $username;
! } else if ($this->nobody){ ## provides for "default login cancel"
! $uid = $this->auth["uid"] = "nobody";
! return $uid;
}
! if ($username == "" ||
! strstr($username,"'")){ // spit out empty login form
! $this->auth["error"] = "Your username is invalid.<br>Please try again.";
return false;
}
--- 59,80 ----
function auth_validatelogin() {
! global $HTTP_POST_VARS;
!
! $username = $HTTP_POST_VARS['username'];
! $password = $HTTP_POST_VARS['password'];
! $challenge = $HTTP_POST_VARS['challenge'];
! $response = $HTTP_POST_VARS['response'];
# the login form will save the username
if(isset($username)) {
$this->auth["uname"] = $username;
! } else if ($this->nobody) { ## provides for "default login cancel"
! $uid = $this->auth["uid"] = "nobody";
! return $uid;
}
! if ($username == "" || strstr($username,"'")) {
! // spit out empty login form
! $this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
return false;
}
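Review bot: The only validation of `$username` visible here is `strstr($username,"'")`, which suggests the name is later placed inside a quoted SQL string; the query itself is outside this hunk, so that is inferred. Rejecting one character is a fragile defence because it leaves backslashes and other metacharacters to whatever the query code does. I would escape the value where the query is built, using the database layer's string-escaping function. The check can stay as an early reject, with a comment such as `// early reject only; the query below must still escape $username`.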
***************
*** 92,99 ****
$this->auth["uid"] = $this->db->Record["author_id"];
$this->auth["uname"] = $this->db->Record["author_name"];
! $md5_pw = $this->db->Record[password]; // this is the raw MD5ed user/pass combo
$expected_response = md5("$md5_pw:$challenge");
!
! ## True when JS is disabled
if ($response == "") {
$md5_pw_net = md5("$username:$password");
--- 97,105 ----
$this->auth["uid"] = $this->db->Record["author_id"];
$this->auth["uname"] = $this->db->Record["author_name"];
!
! $md5_pw = $this->db->Record['password']; // this is the raw MD5ed user/pass combo
$expected_response = md5("$md5_pw:$challenge");
!
! // True when JS is disabled
if ($response == "") {
$md5_pw_net = md5("$username:$password");
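Review bot: `$expected_response = md5("$md5_pw:$challenge")` is computed from a `$challenge` that this commit now takes directly from the POST body. Unless code outside this hunk compares it with a value the server issued and stored in the session, a previously observed challenge/response pair would still validate. The challenge should be read from server-side state and invalidated after one use, with the posted copy checked against it at most. Separately, the stored `md5("$username:$password")` value is unsalted and is itself sufficient to compute a valid response, so it deserves a comment marking it as password-equivalent, e.g. `// NOTE: stored hash is password-equivalent for the challenge/response path`.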
***************
*** 101,108 ****
}
! ## drop password for safety
$password='';
! ## Response is set, JS might be enabled...
if ($expected_response != $response) {
$this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
--- 107,115 ----
}
! // Drop password for safety
$password='';
+ $HTTP_POST_VARS['password'] = '';
! // Response is set, JS might be enabled...
if ($expected_response != $response) {
$this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
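Review bot: `if ($expected_response != $response)` compares two hex digests with the loose operator, so PHP will compare them as numbers when both look numeric (for example strings of the form `0e` followed by digits) and can treat different digests as equal. Use the strict form `if ($expected_response !== $response)`, or `hash_equals()` on PHP versions that provide it. Also, the added `$HTTP_POST_VARS['password'] = '';` clears only that array; under register_globals the global `$password`, and on PHP 4.1+ the separate `$_POST` array, still hold the cleartext value. The comment should say so or those copies should be cleared as well.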
***************
*** 116,120 ****
}
$this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
! return $uid;
}
--- 123,128 ----
}
$this->auth["error"] = "Either your username or password are invalid.<br>Please try again.";
! return $uid;
! // TODO: If we're returning an error, shouldn't we also return 'false'?
}
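Review bot: The failure path sets `$this->auth["error"]` and then returns `$uid`, so the result depends on whatever `$uid` holds at that point; its assignment is not visible in this hunk. The invalid-username branch earlier in the same function returns `false`, and the final fall-through should fail closed in the same way with `return false;`, so that a caller testing the return value cannot treat a leftover `$uid` as a successful login.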