Commit:    ada579ee367df7a85adc5b1d8ebdf4c3a98ce31c
Author:    Hannes Magnusson <bj...@mongodb.com>         Tue, 10 Dec 2013 
20:33:34 -0800
Parents:   84cf6a833169a943760f494ed55a577ee1293532
Branches:  master

Link:       
http://git.php.net/?p=web/master.git;a=commitdiff;h=ada579ee367df7a85adc5b1d8ebdf4c3a98ce31c

Log:
Kill md5 and CVS fallbacks..

People that have never logged in since the move to SVN are effectively locked out by this change and will have to reset their 
passwords.

Changed paths:
  M  entry/svn-account.php
  M  fetch/cvsauth.php
  M  forgot.php
  M  include/cvs-auth.inc
  M  include/login.inc
  M  manage/challenge-response.php
  M  manage/users.php

diff --git a/entry/svn-account.php b/entry/svn-account.php
index 91f3fce..3ae90e5 100644
--- a/entry/svn-account.php
+++ b/entry/svn-account.php
@@ -69,17 +69,12 @@ $res = @mysql_query("SELECT userid FROM users WHERE 
username='$username'");
 if ($res && mysql_num_rows($res))
   die("someone is already using that svn id");
 
-# TODO: fail if someone with that email address has an account. right now
-# this goes to the failto address since there's no password recovery
-# mechanism
 $passwd = strip($passwd);
-$cvspasswd = crypt($passwd, substr(md5($ts), 0, 2));
-$md5passwd = md5($passwd);
 $svnpasswd = gen_svn_pass($username, $passwd);
 $note = hsc($note);
 
-$query = "INSERT INTO users (name,email,passwd,svnpasswd,md5passwd,username) 
VALUES ";
-$query .= 
"('$name','$email','$cvspasswd','$svnpasswd','$md5passwd','$username')";
+$query = "INSERT INTO users (name,email,svnpasswd,username) VALUES ";
+$query .= "('$name','$email','$svnpasswd','$username')";
 
 //echo "<!--$query-->\n";
 if (@mysql_query($query)) {
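Review bot: The rewritten INSERT (`$query .= "('$name','$email','$svnpasswd','$username')";`) still builds SQL by interpolating `$name`, `$email` and `$username`; whether those were escaped earlier is outside the hunk, and `$passwd` is only passed through `strip()` before being hashed. Since the statement is being rewritten anyway, escaping each value the way cvs-auth.inc does with `escape()`, or moving to a prepared statement, would settle the question; `$svnpasswd` is a hex digest and safe as interpolated. The `//echo "<!--$query-->\n";` debug line below would, if ever re-enabled, write the stored credential digest into the page source, so deleting it is cheaper than remembering not to uncomment it.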
@@ -108,7 +103,6 @@ if (@mysql_query($query)) {
       "Full name: $name\n".
       "Email:     $email\n".
       "ID:        $username\n".
-      "Password:  $cvspasswd\n".
       "Purpose:   $note",
        "From: \"VCS Account Request\" <$email>");
 }
diff --git a/fetch/cvsauth.php b/fetch/cvsauth.php
index c6911ec..8860bb0 100644
--- a/fetch/cvsauth.php
+++ b/fetch/cvsauth.php
@@ -80,12 +80,7 @@ if (!isset($_REQUEST['token']) || md5($_REQUEST['token']) != 
"73864a7c89d97a1336
        exit_forbidden(E_UNKNOWN);
 }
 
-$pass = find_password($username);
-if (strlen($pass) < 1) {
-       exit_forbidden(E_USERNAME);
-}
-
-if (!verify_login($pass, $password)) {
+if (!verify_password($username, $password)) {
        exit_forbidden(E_PASSWORD);
 }
 
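Review bot: With `find_password()` gone, an unknown user and a wrong password both fall through to `exit_forbidden(E_PASSWORD)` on the new line, so `E_USERNAME` is no longer reachable from this path. That is acceptable — it avoids telling the caller whether an account exists — but it should be recorded, e.g. `// verify_password() returns false for unknown users too; deliberately not distinguished`, otherwise the constant now looks like dead code. The surrounding request handling starts outside the hunk.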
diff --git a/forgot.php b/forgot.php
index 5629bd0..d2e4291 100644
--- a/forgot.php
+++ b/forgot.php
@@ -1,5 +1,5 @@
 <?php // vim: et ts=2 sw=2
-require 'functions.inc';
+require dirname(__FILE__) . '/include/functions.inc';
 require dirname(__FILE__) . "/include/cvs-auth.inc";
 
 $valid_vars = array('id','user','key','n1','n2');
@@ -7,6 +7,8 @@ foreach($valid_vars as $k) {
   $$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false;
 }
 
+$ts = $_SERVER["REQUEST_TIME"];
+
 function random_password() {
   $alphanum = array_merge(range("a","z"),range("A","Z"),range(0,9));
 
@@ -34,10 +36,8 @@ if ($id && $key) {
   if ($n1 && $n2) {
     if ($n1 == $n2) {
       $sn1 = strip($n1);
-      $passwd = mysql_real_escape_string(crypt($n1, substr(md5($ts), 0, 2)));
       $svnpasswd = gen_svn_pass(username_from_forgotten($key, $id), $sn1);
-      $md5passwd = md5($sn1);
-      $res = @mysql_query("UPDATE users SET 
forgot=NULL,passwd='$passwd',svnpasswd='$svnpasswd',md5passwd='$md5passwd' 
WHERE userid='$id' AND forgot='$key'");
+      $res = @mysql_query("UPDATE users SET 
forgot=NULL,svnpasswd='$svnpasswd',pchanged=$ts WHERE userid='$id' AND 
forgot='$key'");
       if ($res && mysql_affected_rows()) {
         echo '<p>Okay, your password has been changed. It could take as long 
as an hour before this change makes it to the VCS server and other services. To 
change your password again, you\'ll have to start this process over to get a 
new key.</p>';
         foot();
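Review bot: The rewritten UPDATE (`$res = @mysql_query("UPDATE users SET forgot=NULL,svnpasswd='$svnpasswd',pchanged=$ts WHERE userid='$id' AND forgot='$key'");`) interpolates `$id` and `$key` straight into SQL; the loop at the top of the file (`$$k = isset($_REQUEST[$k]) ? $_REQUEST[$k] : false;`) takes both from the request, and unless they are escaped somewhere outside the hunk the query is injectable, whereas the removed line at least ran its value through `mysql_real_escape_string()`. Since the commit rewrites this query, it is the moment to escape both (`$sid = escape($id); $skey = escape($key);` before the query, using those in the WHERE clause, with the `escape()` helper cvs-auth.inc already uses) or to move to a prepared statement. `$svnpasswd` is a hex digest and `$ts` an integer from `REQUEST_TIME`, so those two are safe as interpolated. The `@` on `mysql_query` still hides query errors, which makes a failed reset indistinguishable from a bad key; the enclosing `if ($id && $key)` block continues outside the hunk.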
diff --git a/include/cvs-auth.inc b/include/cvs-auth.inc
index e979140..a8a0ee0 100644
--- a/include/cvs-auth.inc
+++ b/include/cvs-auth.inc
@@ -1,9 +1,6 @@
 <?php // vim: et ts=4 sw=4
 /* $Id$ */
 
-define("LOGIN_IGNORE_PWD", FALSE);
-define("LOGIN_PWD_FILE",   "/repository/CVSROOT/passwd");
-require dirname(__FILE__) . "/cvs-auth.inc";
 
 define("REALM", "PHP Subversion Repository");
 
@@ -11,61 +8,20 @@ function gen_svn_pass($username, $password) {
        return md5(sprintf("%s:%s:%s", $username, REALM, $password));
 }
 
-function find_password($user)
+function verify_password($user, $pass)
 {
-    @mysql_connect("localhost","nobody","")
+    mysql_connect("localhost","nobody","")
         or die("unable to connect to database");
-    @mysql_select_db("phpmasterdb");
+    mysql_select_db("phpmasterdb");
 
     $username = escape($user);
-    $res = @mysql_query("SELECT passwd FROM users WHERE passwd != '' AND 
cvsaccess AND username = '$username'");
+    $res = mysql_query("SELECT svnpasswd FROM users WHERE cvsaccess AND 
username = '$username'");
 
-    // Nonexisting?..
     if ($res && mysql_num_rows($res) == 1) {
-        $row = @mysql_fetch_array($res);
-        return $row["passwd"];
-    }
-
-    return "";
-}
-
-function verify_password($user, $pass)
-{
-    if (!LOGIN_IGNORE_PWD) {
-        @mysql_connect("localhost","nobody","")
-            or die("unable to connect to database");
-        @mysql_select_db("phpmasterdb");
-
-        $username = escape($user);
-        $res = @mysql_query("SELECT md5passwd FROM users WHERE svnpasswd != '' 
AND md5passwd != '' AND cvsaccess AND username = '$username'");
-
-        // There is a good chance that md5passwd is empty
-        if ($res && mysql_num_rows($res) == 1) {
-            $row = @mysql_fetch_array($res);
-            return md5($pass) == $row["md5passwd"];
-        }
+        $row = mysql_fetch_array($res);
+        return gen_svn_pass($username, $pass) == $row["svnpasswd"];
     }
-    if (verify_login(find_password($user), $pass)) {
-        if (!LOGIN_IGNORE_PWD) {
-            // Update the password to enable svn access
-            $svnpasswd = gen_svn_pass($user, $pass);
-            $md5passwd = md5($pass);
 
-            $query = "UPDATE users SET svnpasswd='$svnpasswd', 
md5passwd='$md5passwd' WHERE username='$username'";
-            mysql_query($query);
-        }
-        return TRUE;
-    }
-    return FALSE;
-}
-
-function verify_login($psw, $pass)
-{
-    if (strlen($psw) > 0) {
-        if (LOGIN_IGNORE_PWD || crypt($pass, substr($psw, 0, 2)) == $psw) {
-            return TRUE;
-        }
-    }
-    return FALSE;
+    return false;
 }
 
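Review bot: The digest check on the new line `return gen_svn_pass($username, $pass) == $row["svnpasswd"];` hashes the SQL-escaped `$username` (from `escape($user)` a few lines up) rather than the raw `$user`, while svn-account.php and manage/users.php store `gen_svn_pass()` of the unescaped username, so any account name that `escape()` alters can never authenticate; the removed code used `gen_svn_pass($user, $pass)`. The `==` is also a loose comparison of two hex digests, and PHP compares numeric-looking strings numerically, so use `===`, or `hash_equals()` where available, which additionally avoids a timing side channel. Suggested line: `return hash_equals($row["svnpasswd"], gen_svn_pass($user, $pass));`. Unchanged but worth a comment above `gen_svn_pass()`: it is a single unsalted MD5 of `user:realm:password` (the htdigest format the Subversion server consumes), so the fixed REALM is the only salt and the title's "kill md5" applies to the dropped `md5passwd` column, not to this digest.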
diff --git a/include/login.inc b/include/login.inc
index 6e0d26b..50df400 100644
--- a/include/login.inc
+++ b/include/login.inc
@@ -1,4 +1,17 @@
 <?php
+/* Force https */
+/*
+if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
+    $name = basename($_SERVER["SCRIPT_NAME"]);
+    if ($name === 'login.php') {
+        header("Location: https://master.php.net/"; . $name);
+    } else {
+        header("Location: https://master.php.net/manage/"; . $name);
+    }
+    exit;
+}
+ */
+
 session_start();
 /* $Id$ */
 
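Review bot: The HTTPS redirect now exists only as a comment at the top of the file, while the live copies on the failed-login path (hunk `@@ -19,16 +32,6 @@`) and the success path (hunk `@@ -69,13 +76,6 @@`) are removed, so nothing in this file forces TLS for the login form or for the `$_SESSION["credentials"] = array($cuser, $cpw);` that keeps the password in the session. If TLS is now enforced in front of PHP (vhost or proxy), the comment should say so — `/* Force https: disabled here, TLS is enforced by <where> */` — otherwise the block should be re-enabled rather than kept as dead code. As printed, `header("Location: https://master.php.net/"; . $name);` carries a stray `;` after the string literal and would be a parse error if uncommented verbatim; this may be a mail-transport artifact, but it is worth checking against the repository.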
@@ -19,16 +32,6 @@ if (!$cuser || !$cpw || !verify_password($cuser,$cpw)) {
     $_SESSION["credentials"] = array();
     session_destroy();
 
-    if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
-        $name = basename($_SERVER["SCRIPT_NAME"]);
-        if ($name === 'login.php') {
-            header("Location: https://master.php.net/"; . $name);
-        } else {
-            header("Location: https://master.php.net/manage/"; . $name);
-        }
-        exit;
-    }
-
     // IS_DEV was 1 or 0 until 22 Feb 2012. It's now a @php.net username hint.
     $cuser = '';
     if (isset($_COOKIE['IS_DEV']) && !is_numeric($_COOKIE['IS_DEV'])) {
@@ -56,6 +59,10 @@ if (!$cuser || !$cpw || !verify_password($cuser,$cpw)) {
  <tr>
   <th align="right">Password:</th>
   <td><input type="password" name="pw" value="<?php echo clean($cpw);?>" />
+<?php if ($cpw): ?>
+        <a href="/forgot.php" /> Forgot your password?</a>
+<?php endif ?>
+    </td>
  </tr>
  <tr>
   <td align="center" colspan="2"><input type="submit" value="Login" /></td>
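Review bot: The new anchor `<a href="/forgot.php" />` is self-closed and then closed again with `</a>`, which is invalid markup; write `<a href="/forgot.php">Forgot your password?</a>`. The `if ($cpw)` guard shows the link only when a password was submitted, which reads as a deliberate "after a failed attempt" hint — if so, a short comment such as `<?php /* offer the reset link only after a failed login */ if ($cpw): ?>` would make the intent clear, and if not, the guard can go. The enclosing form and the `if (!$cuser || !$cpw || ...)` block continue outside the hunk.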
@@ -69,13 +76,6 @@ if (!$cuser || !$cpw || !verify_password($cuser,$cpw)) {
 }
 
 // At this point, we have logged in successfully
-if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
-    /*
-    echo '<meta http-equiv="refresh" 
content="2;https://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'">'.PHP_EOL;
-    exit('Bad puppy. Use <a 
href="https://'.$_SERVER['HTTP_HOST'].'/'.$_SERVER['PHP_SELF'].'">HTTPS</a>.');
-     */
-}
-
 $_SESSION["credentials"] = array($cuser, $cpw);
 $_SESSION["username"] = $cuser;
 
diff --git a/manage/challenge-response.php b/manage/challenge-response.php
index ba0e8bb..b8ce0d4 100644
--- a/manage/challenge-response.php
+++ b/manage/challenge-response.php
@@ -9,9 +9,9 @@ require_once 'email-validation.inc';
 
 head("challenge response anti-spam thingamy");
 
-@mysql_connect("localhost","nobody","")
+mysql_connect("localhost","nobody","")
   or die("unable to connect to database");
-@mysql_select_db("phpmasterdb")
+mysql_select_db("phpmasterdb")
   or die("unable to select database");
 
 if (isset($_POST['confirm_them']) && isset($_POST['confirm']) && 
is_array($_POST['confirm'])) {
diff --git a/manage/users.php b/manage/users.php
index e0e9a3b..6dbb6ea 100644
--- a/manage/users.php
+++ b/manage/users.php
@@ -160,10 +160,8 @@ if ($id && $in) {
     }
     else {
       if (!empty($in['rawpasswd'])) {
-        // need to get rid of these
-        $in['passwd'] = crypt($in['rawpasswd'],substr(md5($ts),0,2));
-        $in['svnpasswd'] = gen_svn_pass($user, $in['rawpasswd']);
-        $in['md5passwd'] = md5($in['rawpasswd']);
+        $userinfo = fetch_user($id);
+        $in['svnpasswd'] = gen_svn_pass($userinfo["username"], 
$in['rawpasswd']);
       }
 
       $cvsaccess = empty($in['cvsaccess']) ? 0 : 1;
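Review bot: `fetch_user($id)` on the new line is used without checking its result, so if it returns false or a row without a username, `$userinfo["username"]` is null and the stored `svnpasswd` becomes a digest for an empty username — an unusable credential written silently. A guard such as `if (empty($userinfo["username"])) { warn("unknown user $id"); }` before the `gen_svn_pass()` call, skipping the password update in that case, would avoid it. Using the edited account's own username instead of the removed `$user` argument is an improvement, presuming `$user` was the logged-in editor rather than the target account. The enclosing `if ($id && $in)` block starts outside the hunk.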
@@ -177,9 +175,7 @@ if ($id && $in) {
         # update main table data
         if (!empty($in['email']) && !empty($in['name'])) {
           $query = "UPDATE users SET name='$in[name]',email='$in[email]'"
-                 . (!empty($in['passwd']) ? ",passwd='$in[passwd]'" : "")
                  . (!empty($in['svnpasswd']) ? ",svnpasswd='$in[svnpasswd]'" : 
"")
-                 . (!empty($in['md5passwd']) ? ",md5passwd='$in[md5passwd]'" : 
"")
                  . (!empty($in['sshkey']) ? 
",ssh_keys='".escape(html_entity_decode($in[sshkey],ENT_QUOTES))."'" : 
",ssh_keys=''")
                  . ((is_admin($_SESSION["username"]) && 
!empty($in['username'])) ? ",username='$in[username]'" : "")
                  . (is_admin($_SESSION["username"]) ? ",cvsaccess=$cvsaccess" 
: "")
@@ -188,7 +184,7 @@ if ($id && $in) {
                  . ",enable=$enable"
                  . ",use_sa=$use_sa"
                  . ",greylist=$greylist"
-                 . (!empty($in['passwd']) ? ",pchanged=" . $ts : "")
+                 . (!empty($in['rawpasswd']) ? ",pchanged=" . $ts : "")
                  . " WHERE userid=$id";
           if (!empty($in['passwd'])) {
             // Kill the session data after updates :)
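Review bot: The session-kill check on the context line `if (!empty($in['passwd'])) {` is now dead: the first hunk (`@@ -160,10 +160,8 @@`) no longer assigns `$in['passwd']`, and this hunk already moved the `pchanged` condition to `rawpasswd`, so session data is no longer invalidated when an admin resets a password. Change it to `if (!empty($in['rawpasswd'])) {` to match the line above. The body of that `if` continues outside the hunk.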
@@ -218,24 +214,6 @@ if ($id && $in) {
         warn("record $id updated");
         $id = false;
       }
-      else {
-        $query = "INSERT users SET name='$in[name]',email='$in[email]'"
-               . (!empty($in['username']) ? ",username='$in[username]'" : "")
-               . (!empty($in['passwd']) ? ",passwd='$in[passwd]'" : "")
-               . (!empty($in['svnpasswd']) ? ",svnpasswd='$in[svnpasswd]'" : 
"")
-               . (!empty($in['md5passwd']) ? ",md5passwd='$in[md5passwd]'" : 
"")
-               . (!empty($in['sshkey']) ? 
",ssh_keys='".escape(html_entity_decode($in[sshkey],ENT_QUOTES))."'" : "")
-               . (is_admin($user) ? ",cvsaccess=$cvsaccess" : "")
-               . ",spamprotect=$spamprotect"
-               . ",use_sa=$use_sa"
-               . ",greylist=$greylist"
-               . ",verified=$verified";
-        db_query($query);
-
-        $nid = mysql_insert_id();
-
-        warn("record $nid added");
-      }
     }
   }
 }