From dea8e9bedeb3657454acd3f8ebb48c75dbe1bc2d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Fri, 16 May 2008 21:58:47 +0000 Subject: [PATCH] Writing of .htaccess no longer needed --- inc/extensions/ext-sql_patches.php | 9 +- inc/gen_sql_patches.php | 142 +++++++++++++--------------- inc/modules/admin/action-logout.php | 11 +-- inc/modules/admin/admin-inc.php | 2 +- 4 files changed, 72 insertions(+), 92 deletions(-) diff --git a/inc/extensions/ext-sql_patches.php b/inc/extensions/ext-sql_patches.php index 08c7bf96d9..3cb088c025 100644 --- a/inc/extensions/ext-sql_patches.php +++ b/inc/extensions/ext-sql_patches.php @@ -32,8 +32,7 @@ ************************************************************************/ // Some security stuff... -if ((ereg(basename(__FILE__), $_SERVER['PHP_SELF']))) -{ +if ((ereg(basename(__FILE__), $_SERVER['PHP_SELF']))) { $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; require($INC); } @@ -568,13 +567,11 @@ default: // Do stuff when extension is loaded $_CONFIG['show_timings'] = $dummy['show_timings']; // Read key from secret file - if ((empty($_CONFIG['file_hash'])) || (empty($_CONFIG['master_salt'])) || (empty($_CONFIG['pass_scramble']))) - { + if ((empty($_CONFIG['file_hash'])) || (empty($_CONFIG['master_salt'])) || (empty($_CONFIG['pass_scramble']))) { // Maybe need setup of secret key! require_once(PATH."inc/gen_sql_patches.php"); - if (GET_EXT_VERSION("cache") >= "0.1.2") - { + if (GET_EXT_VERSION("cache") >= "0.1.2") { // Remove extensions and mod_reg cache file require_once(PATH."inc/libs/cache_functions.php"); require_once(PATH."inc/extensions/ext-cache.php"); diff --git a/inc/gen_sql_patches.php b/inc/gen_sql_patches.php index 2e59c8da53..61eebc187f 100644 --- a/inc/gen_sql_patches.php +++ b/inc/gen_sql_patches.php @@ -32,94 +32,82 @@ ************************************************************************/ // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) -{ - $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; - require($INC); +if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { + $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; + require($INC); } // Check for version of sql_patches if (GET_EXT_VERSION("sql_patches") < "0.3.6") return false; // Check if there is no scrambling string -if (empty($_CONFIG['pass_scramble'])) -{ - // Generate 40 chars long scramble string - $scrambleString = genScrambleString(40); - - // ... and store it there for future usage - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET pass_scramble='%s' WHERE config=0 LIMIT 1", - array($scrambleString), __FILE__, __LINE__); - - // Also remember it in config - $_CONFIG['pass_scramble'] = $scrambleString; - unset($scrambleString); +if (empty($_CONFIG['pass_scramble'])) { + // Generate 40 chars long scramble string + $scrambleString = genScrambleString(40); + + // ... and store it there for future usage + $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET pass_scramble='%s' WHERE config=0 LIMIT 1", + array($scrambleString), __FILE__, __LINE__); + + // Also remember it in config + $_CONFIG['pass_scramble'] = $scrambleString; + unset($scrambleString); } // Check if there is no master salt string -if (empty($_CONFIG['master_salt'])) -{ - // Generate the master salt which is the first chars minus 40 chars of this random hash - // We do an extra scrambling here... - $masterSalt = scrambleString(substr(generateHash(GEN_PASS(rand(128, 256))), 0, -40)); - - // ... and store it there for future usage - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET master_salt='%s' WHERE config=0 LIMIT 1", - array($masterSalt), __FILE__, __LINE__); - - // Also remember it in config - $_CONFIG['master_salt'] = $masterSalt; - unset($masterSalt); +if (empty($_CONFIG['master_salt'])) { + // Generate the master salt which is the first chars minus 40 chars of this random hash + // We do an extra scrambling here... + $masterSalt = scrambleString(substr(generateHash(GEN_PASS(rand(128, 256))), 0, -40)); + + // ... and store it there for future usage + $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET master_salt='%s' WHERE config=0 LIMIT 1", + array($masterSalt), __FILE__, __LINE__); + + // Also remember it in config + $_CONFIG['master_salt'] = $masterSalt; + unset($masterSalt); } -if (empty($_CONFIG['file_hash'])) -{ - // Create filename from hashed random string - $file_hash = generateHash(GEN_PASS(rand(128, 256))); - $file = PATH."inc/.secret/.".$file_hash; - - // File hash was never created - $fp = @fopen($file, 'w') or mxchange_die("Cannot write secret key file!"); - if ($fp != false) - { - // Could write to secret file! So let's generate the secret key... - // 1. Count of chars to be taken from back of the string - $nums = rand(40, 45); - // 2. Generate secret key from a randomized string - $secretKey = substr(generateHash(GEN_PASS(rand(128, 256))), -$nums); - // 3. Write the key to the file - fwrite($fp, $secretKey); - // 4. Close file - fclose($fp); - - // Change access rights for more security - @chmod($file, 0644); - - //* DEBUG: */ unlink($file); - //* DEBUG: */ $test = hexdec(get_session('u_hash')) / hexdec($secretKey); - //* DEBUG: */ $test = generateHash(str_replace('.', "", $test)); - //* DEBUG: */ die("Secret-Key: ".$secretKey."
Cookie: ".get_session('u_hash')."
Test: ".$test); - - // Write $file_hash to database - $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET file_hash='%s' WHERE config=0 LIMIT 1", - array($file_hash), __FILE__, __LINE__); - - // Also create .htaccess file - $fp = @fopen(PATH."inc/.secret/.htaccess", 'w') or mxchange_die("Cannot write to .htaccess file!"); - if ($fp != false) - { - // Add deny line to file - fwrite($fp, "Deny from all"); - - // Close the file - fclose($fp); - } - - // Also update configuration - $_CONFIG['secret_key'] = $secretKey; unset($secretKey); - $_CONFIG['file_hash'] = $file_hash; unset($file_hash); - } +if (empty($_CONFIG['file_hash'])) { + // Create filename from hashed random string + $file_hash = generateHash(GEN_PASS(rand(128, 256))); + $file = PATH."inc/.secret/.".$file_hash; + + // File hash was never created + $fp = @fopen($file, 'w') or mxchange_die("Cannot write secret key file!"); + if ($fp != false) { + // Could write to secret file! So let's generate the secret key... + // 1. Count of chars to be taken from back of the string + $nums = rand(40, 45); + // 2. Generate secret key from a randomized string + $secretKey = substr(generateHash(GEN_PASS(rand(128, 256))), -$nums); + // 3. Write the key to the file + fwrite($fp, $secretKey); + // 4. Close file + fclose($fp); + + // Change access rights for more security + @chmod($file, 0644); + + //* DEBUG: */ unlink($file); + //* DEBUG: */ $test = hexdec(get_session('u_hash')) / hexdec($secretKey); + //* DEBUG: */ $test = generateHash(str_replace('.', "", $test)); + //* DEBUG: */ die("Secret-Key: ".$secretKey."
Cookie: ".get_session('u_hash')."
Test: ".$test); + + // Write $file_hash to database + $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET file_hash='%s' WHERE config=0 LIMIT 1", + array($file_hash), __FILE__, __LINE__); + + // Also update configuration + $_CONFIG['secret_key'] = $secretKey; + $_CONFIG['file_hash'] = $file_hash; + + // And remove some variables + unset($secretKey); + unset($file_hash); + } } // -?> \ No newline at end of file +?> diff --git a/inc/modules/admin/action-logout.php b/inc/modules/admin/action-logout.php index c10b309168..56272aba32 100644 --- a/inc/modules/admin/action-logout.php +++ b/inc/modules/admin/action-logout.php @@ -42,18 +42,13 @@ if ((ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) || (!IS_ADMIN())) ADD_DESCR("admin", basename(__FILE__)); OUTPUT_HTML("

"); -if (!empty($_POST['no'])) -{ +if (!empty($_POST['no'])) { // Do not logout now LOAD_URL("modules.php?module=admin"); -} - elseif ((!empty($_POST['yes'])) && ($GLOBALS['action'] == "logout")) -{ +} elseif ((!empty($_POST['yes'])) && ($GLOBALS['action'] == "logout")) { // Redirect to logout link LOAD_URL("modules.php?module=admin&logout=1"); -} - else -{ +} else { // Load logout form template LOAD_TEMPLATE("admin_logout_form"); } diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index 8f4623b052..ed245b5394 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php @@ -140,7 +140,7 @@ function CHECK_ADMIN_COOKIES ($admin_login, $password) { SQL_FREERESULT($result); } - //* DEBUG: */ echo __FUNCTION__.":".$pass."/".$password."
"; + //* DEBUG: */ echo __FUNCTION__.":".$pass."(".strlen($pass).")/".$password."(".strlen($password).")
\n"; // Check if password matches if (($ret == "pass") && ((generatePassString($pass) == $password) || ($pass == $password) || ((strlen($pass) == 32) && (md5($password) == $pass)))) { -- 2.39.5