[geeklog-cvs] Geeklog-1.x/public_html/admin auth.inc.php, 1.36, 1.37

Dirk Haun dhaun at qs1489.pair.com
Sun Mar 9 12:21:20 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/public_html/admin
In directory qs1489.pair.com:/tmp/cvs-serv11798

Modified Files:
	auth.inc.php 
Log Message:
Check if local login is enabled before attempting to authenticate user; added missing login speedlimit


Index: auth.inc.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/admin/auth.inc.php,v
retrieving revision 1.36
retrieving revision 1.37
diff -C2 -d -r1.36 -r1.37
*** auth.inc.php	17 Feb 2008 18:32:35 -0000	1.36
--- auth.inc.php	9 Mar 2008 16:21:18 -0000	1.37
***************
*** 35,48 ****
  
  // this file can't be used on its own
! if (strpos ($_SERVER['PHP_SELF'], 'auth.inc.php') !== false)
! {
!     die ('This file can not be used on its own.');
  }
  
  // MAIN
  $uid = '';
! if (!empty ($_POST['loginname']) && !empty ($_POST['passwd'])) {
!     $status = SEC_authenticate (COM_applyFilter ($_POST['loginname']),
!                                 $_POST['passwd'], $uid);
  } else {
      $status = '';
--- 35,56 ----
  
  // this file can't be used on its own
! if (strpos($_SERVER['PHP_SELF'], 'auth.inc.php') !== false) {
!     die('This file can not be used on its own.');
  }
  
  // MAIN
+ COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
+ if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
+     COM_displayMessageAndAbort($LANG04[112], '', 403, 'Access denied');
+ }
+ 
  $uid = '';
! if (!empty($_POST['loginname']) && !empty($_POST['passwd'])) {
!     if ($_CONF['user_login_method']['standard'])
!         $status = SEC_authenticate(COM_applyFilter($_POST['loginname']),
!                                    $_POST['passwd'], $uid);
!     } else {
!         $status = '';
!     }
  } else {
      $status = '';
***************
*** 51,66 ****
  
  if ($status == USER_ACCOUNT_ACTIVE) {
!     DB_change($_TABLES['users'],'pwrequestid',"NULL",'uid',$uid);
!     $_USER = SESS_getUserDataFromId ($uid);
!     $sessid = SESS_newSession ($_USER['uid'], $_SERVER['REMOTE_ADDR'],
              $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
!     SESS_setSessionCookie ($sessid, $_CONF['session_cookie_timeout'],
              $_CONF['cookie_session'], $_CONF['cookie_path'],
              $_CONF['cookiedomain'], $_CONF['cookiesecure']);
!     PLG_loginUser ($_USER['uid']);
  
      // Now that we handled session cookies, handle longterm cookie
  
!     if (!isset ($_COOKIE[$_CONF['cookie_name']])) {
  
          // Either their cookie expired or they are new
--- 59,74 ----
  
  if ($status == USER_ACCOUNT_ACTIVE) {
!     DB_change($_TABLES['users'], 'pwrequestid', "NULL", 'uid', $uid);
!     $_USER = SESS_getUserDataFromId($uid);
!     $sessid = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'],
              $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
!     SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'],
              $_CONF['cookie_session'], $_CONF['cookie_path'],
              $_CONF['cookiedomain'], $_CONF['cookiesecure']);
!     PLG_loginUser($_USER['uid']);
  
      // Now that we handled session cookies, handle longterm cookie
  
!     if (!isset($_COOKIE[$_CONF['cookie_name']])) {
  
          // Either their cookie expired or they are new
***************
*** 72,78 ****
              // They want their cookie to persist for some amount of time so set it now
  
!             setcookie ($_CONF['cookie_name'], $_USER['uid'],
!                        time() + $cooktime, $_CONF['cookie_path'],
!                        $_CONF['cookiedomain'], $_CONF['cookiesecure']);
          }
      }
--- 80,86 ----
              // They want their cookie to persist for some amount of time so set it now
  
!             setcookie($_CONF['cookie_name'], $_USER['uid'],
!                       time() + $cooktime, $_CONF['cookie_path'],
!                       $_CONF['cookiedomain'], $_CONF['cookiesecure']);
          }
      }
***************
*** 84,117 ****
      echo $display;
      exit;
! } else if (!SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,user.mail,syndication.edit','OR') && (count (PLG_getAdminOptions()) == 0)) {
!     $display .= COM_siteHeader();
  
!     $display .= COM_startBlock($LANG20[01]);
  
!     if (!empty($warn)) {
!         $display .= $LANG20[02]
!         .'<br' . XHTML . '><br' . XHTML . '>'
!         .COM_accessLog($LANG20[03] . ' ' . $_POST['loginname']);
      }
  
!     $display .= '<form action="' . $_SERVER['PHP_SELF']
!              . '" method="post">'
!         .'<table cellspacing="0" cellpadding="0" border="0" width="100%">'.LB
!         .'<tr><td align="right">'.$LANG20[04].' </td>'.LB
!         .'<td><input type="text" name="loginname" size="16" maxlength="16"' . XHTML . '></td>'.LB
!         .'</tr>'.LB
!         .'<tr>'.LB
!         .'<td align="right">'.$LANG20[05].' </td>'.LB
!         .'<td><input type="password" name="passwd" size="16" maxlength="16"' . XHTML . '></td>'
!         .'</tr>'.LB
!         .'<tr>'.LB
!         .'<td colspan="2" align="center" class="warning">'.$LANG20[06].'<input type="hidden" name="warn" value="1"' . XHTML . '>'
!         .'<br' . XHTML . '><input type="submit" name="mode" value="'.$LANG20[07].'"' . XHTML . '></td>'.LB
!         .'</tr>'.LB
!         .'</table></form>'
!         .COM_endBlock()
!         .COM_siteFooter();
!         echo $display;
!         exit;
  }
  
--- 92,131 ----
      echo $display;
      exit;
! } else if (!SEC_hasRights('story.edit,block.edit,topic.edit,user.edit,plugin.edit,user.mail,syndication.edit','OR') && (count(PLG_getAdminOptions()) == 0)) {
!     COM_updateSpeedlimit('login');
  
!     $display .= COM_siteHeader('menu');
!     $display .= COM_startBlock($LANG20[1]);
  
!     if (!$_CONF['user_login_method']['standard']) {
!         $display .= '<p>' . $LANG_LOGIN[2] . '</p>';
!     } else {
! 
!         if (!empty($warn)) {
!             $display .= $LANG20[2]
!                      . '<br' . XHTML . '><br' . XHTML . '>'
!                      . COM_accessLog($LANG20[3] . ' ' . $_POST['loginname']);
!         }
! 
!         $display .= '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">'
!             .'<table cellspacing="0" cellpadding="0" border="0" width="100%">'.LB
!             .'<tr><td align="right">'.$LANG20[4].' </td>'.LB
!             .'<td><input type="text" name="loginname" size="16" maxlength="16"' . XHTML . '></td>'.LB
!             .'</tr>'.LB
!             .'<tr>'.LB
!             .'<td align="right">'.$LANG20[5].' </td>'.LB
!             .'<td><input type="password" name="passwd" size="16" maxlength="16"' . XHTML . '></td>'
!             .'</tr>'.LB
!             .'<tr>'.LB
!             .'<td colspan="2" align="center" class="warning">'.$LANG20[6].'<input type="hidden" name="warn" value="1"' . XHTML . '>'
!             .'<br' . XHTML . '><input type="submit" name="mode" value="'.$LANG20[7].'"' . XHTML . '></td>'.LB
!             .'</tr>'.LB
!             .'</table></form>';
      }
  
!     $display .= COM_endBlock()
!              . COM_siteFooter();
!     echo $display;
!     exit;
  }
  
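Review bot: `COM_updateSpeedlimit('login')` sits at the top of the login-form branch and therefore runs on every render of that form, not only after a failed authentication; given that `$status` defaults to `''` when nothing was posted (first hunk) and an anonymous visitor fails the `SEC_hasRights(...)` test, the initial GET of the admin page already appears to count as a login attempt, so a visitor who merely reloads a few times would hit `$_CONF['login_attempts']` and be refused before ever submitting a password. Tie the update to an actual attempt, e.g. `if (!empty($_POST['loginname']) && !empty($_POST['passwd'])) { COM_updateSpeedlimit('login'); }`, or move it into the `$status = ''` fallthrough of the first hunk. The enclosing `if ($status == USER_ACCOUNT_ACTIVE) ... else if` chain begins before this hunk, so I cannot see whether an earlier branch already records the attempt.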



