From df4543d96d8b13dd770c34f7c84fdfa1786a4595 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Fri, 28 Mar 2008 19:09:27 +0000 Subject: [PATCH] Admin login fixes --- inc/functions.php | 9 ++++++--- inc/modules/admin.php | 7 ++++--- inc/modules/admin/admin-inc.php | 11 ++++++++--- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/inc/functions.php b/inc/functions.php index 3cdabf7e3e..df26e508c0 100644 --- a/inc/functions.php +++ b/inc/functions.php @@ -1800,8 +1800,8 @@ function generateHash($plainText, $salt = "") { // Is the required extension "sql_patches" there? if ((GET_EXT_VERSION("sql_patches") < "0.3.6") || (GET_EXT_VERSION("sql_patches") == "")) { - // Extension sql_patches is missing/outdated so we return the plain text - return $plainText; + // Extension sql_patches is missing/outdated so we return only the regular SHA1 hash + return sha1($plainText); } // When the salt is empty build a new one, else use the first x configured characters as the salt @@ -2051,6 +2051,7 @@ function DISPLAY_PARSING_TIME_FOOTER() { // Unset/set session variables function set_session ($var, $value) { global $CSS; + // Abort in CSS mode here if ($CSS == 1) return true; @@ -2079,7 +2080,9 @@ function set_session ($var, $value) { // Taken from user comments in PHP documentation for function constant() function isBooleanConstantAndTrue($constname) { // : Boolean $res = false; - if (defined($constname)) $res = (constant($constname) === true); + if (defined($constname)) { + $res = (constant($constname) === true); + } return($res); } diff --git a/inc/modules/admin.php b/inc/modules/admin.php index c364ae283a..3598511473 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php @@ -67,7 +67,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { switch ($ret) { case "done": - admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define('admin_registered', ", ");", "true", 0); + admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0); if (!_FATAL) { // Registering is done LOAD_URL(URL."/modules.php?module=admin&action=login®ister=done"); @@ -91,7 +91,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } if (!isBooleanConstantAndTrue('admin_registered')) { // Write to config that registration is done - admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define('admin_registered', ", ");", "true", 0); + admin_WriteData(PATH."inc/config.php", "ADMIN-SETUP", "define ('admin_registered', ", ");", "true", 0); // Load URL for login $URL = URL."/modules.php?module=admin&action=login"; @@ -161,6 +161,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { // Try to register the session variables if ((set_session("admin_md5", generatePassString(generateHash($_POST['pass'], __SALT)))) && (set_session("admin_login", $_POST['login'])) && (set_session("admin_last", time())) && (set_session("admin_to", $_POST['timeout']))) { // Construct URL and redirect + die("OK"); $URL = URL."/modules.php?module=admin&"; // Rewrite overview module @@ -276,7 +277,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } else { // Maybe an Admin want's to login? - $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE(get_session('admin_login')), SQL_ESCAPE(get_session('admin_md5'))); + $ret = CHECK_ADMIN_COOKIES('admin_login', 'admin_md5'); switch ($ret) { case "done": // Cookie-Data accepted diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php index 6aba44b398..ae5db92b5b 100644 --- a/inc/modules/admin/admin-inc.php +++ b/inc/modules/admin/admin-inc.php @@ -129,6 +129,11 @@ function CHECK_ADMIN_LOGIN ($admin_login, $password) // Only be executed on cookie checking function CHECK_ADMIN_COOKIES ($admin_login, $password) { global $cacheArray, $_CONFIG; + + // Get login and password hash + $admin_login = SQL_ESCAPE(get_session($admin_login)); + $password = SQL_ESCAPE(get_session($password)); + $ret = "404"; $pass = ""; if (!empty($cacheArray['admins']['aid'][$admin_login])) { // Get password from cache @@ -199,17 +204,17 @@ function admin_WriteData ($file, $comment, $prefix, $suffix, $DATA, $seek=0) // Copy back tmp file and delete tmp :-) @copy($tmp, $file); @unlink($tmp); - define('_FATAL', false); + define ('_FATAL', false); } elseif (!$found) { OUTPUT_HTML("CHANGE: 404!"); - define('_FATAL', true); + define ('_FATAL', true); } else { OUTPUT_HTML("TMP: UNDONE!"); - define('_FATAL', true); + define ('_FATAL', true); } } } -- 2.39.5