Changeset:
        4a980973586b
        
https://sourceforge.net/p/mrbs/hg-code/ci/4a980973586b1e7f6d476de8e55933d2dc6ed7c6
Author:
        Campbell Morrison <[email protected]>
Date:
        Wed Feb 22 12:04:12 2017 +0000
Log message:

Catered for the possibility of two users having the same password, with one 
having as username the email address of the other.

diffstat:

 web/auth/auth_auth_basic.inc   |   8 +--
 web/auth/auth_config.inc       |   4 +-
 web/auth/auth_crypt.inc        |   7 ++-
 web/auth/auth_db.inc           |  83 +++++++++++++++++++++++++++++------------
 web/auth/auth_db_ext.inc       |  14 +++---
 web/auth/auth_ext.inc          |   4 +-
 web/auth/auth_imap.inc         |   4 +-
 web/auth/auth_imap_php.inc     |  14 ++++---
 web/auth/auth_ldap.inc         |  10 ++--
 web/auth/auth_nis.inc          |   4 +-
 web/auth/auth_none.inc         |   4 +-
 web/auth/auth_nw.inc           |   4 +-
 web/auth/auth_pop3.inc         |   6 +-
 web/auth/auth_smtp.inc         |   9 +---
 web/auth/auth_wordpress.inc    |  15 +++----
 web/functions_logon.inc        |   3 +-
 web/session/session_cookie.inc |   9 +----
 web/session/session_http.inc   |   2 +-
 web/session/session_php.inc    |  22 +++--------
 19 files changed, 122 insertions(+), 104 deletions(-)

diffs (truncated from 652 to 300 lines):

diff -r 04544967c996 -r 4a980973586b web/auth/auth_auth_basic.inc
--- a/web/auth/auth_auth_basic.inc      Tue Feb 21 20:10:06 2017 +0000
+++ b/web/auth/auth_auth_basic.inc      Wed Feb 22 12:04:12 2017 +0000
@@ -34,7 +34,7 @@
  * 
  * Returns:
  *   false    - The pair are invalid or do not exist
- *   true     - The pair are valid
+ *   string   - The validated username
  */
 function authValidateUser($user, $pass)
 {
@@ -64,14 +64,12 @@
   $f->setMode($auth["auth_basic"]["mode"]);
   $f->load();
 
-  $ret = false;
-
   if ($f->verifyPasswd($user, $pass) === true)
   {
-    $ret = true;
+    return $user;
   }
 
-  return $ret;
+  return false;
 }
 
 /* authGetUserLevel($user)
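Review bot: The success path now returns the caller-supplied `$user` string instead of `true`, so a caller that tests the result with a bare `if (authValidateUser($user, $pass))` rejects a valid login whose username is the string `0`, which is falsy in PHP; the header comment should pin the contract, e.g. ` *   Callers must test the result with !== false, not for truthiness`. The same boolean-to-string change is made in the auth_config, auth_crypt, auth_db and auth_db_ext hunks below, so one note in each header would be consistent. The callers in functions_logon.inc and the session files are in the truncated part of this diff, so I cannot see how they test the result.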
diff -r 04544967c996 -r 4a980973586b web/auth/auth_config.inc
--- a/web/auth/auth_config.inc  Tue Feb 21 20:10:06 2017 +0000
+++ b/web/auth/auth_config.inc  Wed Feb 22 12:04:12 2017 +0000
@@ -27,7 +27,7 @@
  * 
  * Returns:
  *   false    - The pair are invalid or do not exist
- *   true     - The pair are valid
+ *   string   - The validated username
  */
 function authValidateUser($user, $pass)
 {
@@ -46,7 +46,7 @@
        ($auth["user"][utf8_strtolower($user)] == $pass)
         ))
   {
-    return true; // User validated
+    return $user;    // User validated
   }
 
   return false;      // User unknown or password invalid
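Review bot: The password check on the context line `$auth["user"][utf8_strtolower($user)] == $pass` is a loose comparison: two numeric-looking strings such as `'1e3'` and `'1000'` compare equal under `==`, so a configured password of that form is matched by a different string. Replace it with a strict, constant-time comparison, `hash_equals((string) $auth["user"][utf8_strtolower($user)], (string) $pass)`; the enclosing condition begins before this hunk. The same `==` is used on the `crypt()` result in the auth_crypt hunk and on the md5, sha1, sha256, crypt and plaintext cases in the auth_db_ext hunks below, and should be replaced with `hash_equals()` there as well. Separately, the lookup key is lowercased but the original-case `$user` is returned; if the rest of MRBS keys on the configured name, returning `utf8_strtolower($user)` may be what callers expect, which is worth confirming.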
diff -r 04544967c996 -r 4a980973586b web/auth/auth_crypt.inc
--- a/web/auth/auth_crypt.inc   Tue Feb 21 20:10:06 2017 +0000
+++ b/web/auth/auth_crypt.inc   Wed Feb 22 12:04:12 2017 +0000
@@ -31,7 +31,7 @@
  * 
  * Returns:
  *   false    - The pair are invalid or do not exist
- *   true     - The pair are valid
+ *   string   - The validated username
  */
 function authValidateUser($user, $pass)
 {
@@ -48,12 +48,14 @@
     error_log("auth_crypt: passwd file not specified");
     return false;
   }
+  
   $fh = fopen($auth["crypt"]["passwd_file"], "r");
   if (!$fh)
   {
     error_log("auth_crypt: couldn't open passwd file\n");
     return false;
   }
+  
   $ret = false; // Default to failure
   while ($line = fgets($fh))
   {
@@ -61,10 +63,11 @@
     {
       if (crypt($pass, $matches[1]) == $matches[1])
       {
-        $ret = true; // Success!
+        $ret = $user; // Success!
       }
     }
   }
+  
   fclose($fh);
   return $ret;
 }
diff -r 04544967c996 -r 4a980973586b web/auth/auth_db.inc
--- a/web/auth/auth_db.inc      Tue Feb 21 20:10:06 2017 +0000
+++ b/web/auth/auth_db.inc      Wed Feb 22 12:04:12 2017 +0000
@@ -33,7 +33,7 @@
       break;
     case 'email':
       // For the moment we will assume that email addresses are case 
insensitive.   Whilst it is true
-      // on most systems, it isn't always true.  The domain part is case 
insensitive but the local part can
+      // on most systems, it isn't always true.  The domain is case 
insensitive but the local-part can
       // be case sensitive.   But before we can take account of this, the 
email addresses in the database
       // need to be normalised so that all the domain names are stored in 
lower case.  Then it will be possible
       // to do a case sensitive comparison.
@@ -117,11 +117,45 @@
  * 
  * Returns:
  *   false    - The pair are invalid or do not exist
- *   true     - The pair are valid
+ *   string   - The validated username
  */
 function authValidateUser($user, $pass)
 {
   global $tbl_users;
+  
+  // The string $user that the user logged on with could be either a username 
or
+  // an email address, or even possibly just the local part of an email 
address.
+  // So it's just possible that there is more than one user with this password 
and
+  // username | email address | local-part.    If we get more than one, then 
we don't
+  // know which user it is, so we return false.
+  $valid_usernames = array();
+  
+  if (($valid_username = authValidateUsername($user, $pass)) !== false)
+  {
+    $valid_usernames[] = $valid_username;
+  }
+
+  $valid_usernames = array_merge($valid_usernames, authValidateEmail($user, 
$pass));
+  $valid_usernames = array_unique($valid_usernames);
+  
+  return (count($valid_usernames) == 1) ? $valid_usernames[0] : false;
+}
+
+
+/* authValidateUsername($user, $pass)
+ * 
+ * Checks if the specified username/password pair are valid
+ * 
+ * $user  - The user name
+ * $pass  - The password
+ * 
+ * Returns:
+ *   false    - The pair are invalid or do not exist
+ *   string   - The validated username
+ */
+function authValidateUsername($user, $pass)
+{
+  global $tbl_users;
 
   $sql_params = array();
 
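Review bot: authValidateUsername returns `$user` exactly as typed while authValidateEmail returns the stored `$row['name']`, and the `array_unique()` in authValidateUser compares them case-sensitively. A user whose username is also their email address and who types it in a different case, or with the trailing space the comment in the next hunk says `=` tolerates, can therefore yield two "distinct" entries and be refused, and on the normal success path the session would be keyed by the typed string rather than the canonical name. Return the stored name instead: change the query in the following hunk to `SELECT password_hash, name` and the final return to `return (checkPassword($pass, $row['password_hash'], 'name', $user)) ? $row['name'] : false;`. Whether the name lookup is case-insensitive depends on the WHERE clause and collation, which lie outside the hunk, and authValidateUsername's body continues past the end of this hunk.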
@@ -129,6 +163,8 @@
   // permits trailing spacings, eg 'john' = 'john '.   We could use LIKE, but 
that then
   // permits wildcards, so we could use a comnination of LIKE and '=' but 
that's a bit
   // messy.  WE could use STRCMP, but that's MySQL only.
+  
+  // Usernames are unique in the users table, so we only look for one.
   $sql = "SELECT password_hash
             FROM $tbl_users
            WHERE " .
@@ -146,7 +182,7 @@
     return false;
   }
 
-  return checkPassword($pass, $row['password_hash'], 'name', $user);
+  return (checkPassword($pass, $row['password_hash'], 'name', $user)) ? $user 
: false;
 }
 
 
@@ -158,20 +194,23 @@
  * $pass  - The password
  * 
  * Returns:
- *   false    - The pair are invalid or do not exist
- *   username - The pair are valid
+ *   array    - An array of valid usernames, empty if none found
  */
 function authValidateEmail($email, $pass)
 {
   global $tbl_users;
-
+  
+  $valid_usernames = array();
+  
   $sql_params = array($email);
 
   // For the moment we will assume that email addresses are case insensitive.  
 Whilst it is true
-  // on most systems, it isn't always true.  The domain part is case 
insensitive but the local part can
+  // on most systems, it isn't always true.  The domain is case insensitive 
but the local-part can
   // be case sensitive.   But before we can take account of this, the email 
addresses in the database
-  // need to be normalised so that all the domain names are stored in lower 
case.  Then it will be possible
-  // to do a case sensitive comparison.
+  // need to be normalised so that all the domain names are stored in lower 
case.  Then it will be
+  // possible to do a case sensitive comparison.
+  //
+  // Email addresses are not unique in the users table, so we need to find all 
of them.
   $sql = "SELECT password_hash, name
             FROM $tbl_users
            WHERE LOWER(email)=LOWER(?)";
@@ -180,28 +219,24 @@
   
   $rows = $res->all_rows_keyed();
   
-  if (empty($rows))
-  {
-    return false;
-  }
-  
-  // Check all the users that have this email address and password hash.  If 
there are more
-  // than one then we don't know which user to login, so return false.
-  $possible_names = array();
+  // Check all the users that have this email address and password hash. 
   foreach($rows as $row)
   {
     if (checkPassword($pass, $row['password_hash'], 'email', $email))
     {
-      $possible_names[] = $row['name'];
+      $valid_usernames[] = $row['name'];
     }
   }
+  
+  return $valid_usernames;
+}
 
-  if (count($possible_names) == 1)
-  {
-    return $possible_names[0];
-  }
-  
-  return false;
+
+// Checks whether validation of a user by email address is possible
+// and allowed.
+function canValidateByEmail()
+{
+  return true;
 }
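Review bot: `canValidateByEmail()` is introduced with a two-line `//` comment rather than the `/* name(args) ... Returns: */` header that authValidateUser, authValidateUsername and authValidateEmail carry in this diff, and the comment does not say what the return value means. Give it the same header, with a `Returns:` line such as ` *   true  - users may be validated by email address with this backend`, so that a caller can tell it is meant to gate authValidateEmail for backends that cannot look users up by email. I cannot see from this diff where it is called, so the intended semantics are inferred from its name.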
 
 
diff -r 04544967c996 -r 4a980973586b web/auth/auth_db_ext.inc
--- a/web/auth/auth_db_ext.inc  Tue Feb 21 20:10:06 2017 +0000
+++ b/web/auth/auth_db_ext.inc  Wed Feb 22 12:04:12 2017 +0000
@@ -44,7 +44,7 @@
  * 
  * Returns:
  *   false    - The pair are invalid or do not exist
- *   true     - The pair are valid
+ *   string   - The validated username
  */
 function authValidateUser($user, $pass)
 {
@@ -75,21 +75,21 @@
       case 'md5':
         if (md5($pass) == $row[0])
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
 
       case 'sha1':
         if (sha1($pass) == $row[0])
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
 
       case 'sha256':
         if (hash('sha256', $pass) == $row[0])
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
 
@@ -97,14 +97,14 @@
         $recrypt = crypt($pass,$row[0]);
         if ($row[0] == $recrypt)
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
 
       case 'password_hash':
         if (password_verify($pass, $row[0]))
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
 
@@ -119,7 +119,7 @@
 
         if ($pass == $row[0])
         {
-          $retval = true;
+          $retval = $user;
         }
         break;
     }
