[geeklog-cvs] geeklog: First "just got it working" draft implementation of bet...
Tue Dec 29 08:00:27 EST 2009
changeset 7539:bf547541ad38
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/bf547541ad38
user: Dirk Haun <dirk at haun-online.de>
date: Sun Dec 20 15:36:11 2009 +0100
description:
First "just got it working" draft implementation of better handling of expired security tokens: Ask user for their password again. Contains hard-coded text strings and needs cleaning up
diffstat:
public_html/users.php | 71 +++++++++++++++++++++++++++++++++++
system/lib-security.php | 68 ++++++++++++++++++++++++++++++++++
2 files changed, 139 insertions(+), 0 deletions(-)
diffs (166 lines):
diff -r 4b9189b7a976 -r bf547541ad38 public_html/users.php
--- a/public_html/users.php Sat Dec 19 23:44:40 2009 +0100
+++ b/public_html/users.php Sun Dec 20 15:36:11 2009 +0100
@@ -841,6 +841,74 @@
}
+function handle_expiredToken()
+{
+ require_once 'HTTP/Request.php';
+
+ $method = '';
+ if (isset($_POST['token_requestmethod'])) {
+ $method = COM_applyFilter($_POST['token_requestmethod']);
+ }
+ $returnurl = '';
+ if (isset($_POST['token_returnurl'])) {
+ $returnurl = urldecode($_POST['token_returnurl']);
+ }
+ $postdata = '';
+ if (isset($_POST['token_postdata'])) {
+ $postdata = urldecode($_POST['token_postdata']);
+ }
+ $getdata = '';
+ if (isset($_POST['token_getdata'])) {
+ $getdata = urldecode($_POST['token_getdata']);
+ }
+
+ if (!empty($method) && !empty($returnurl) &&
+ ((($method == 'POST') && !empty($postdata)) ||
+ (($method == 'GET') && !empty($getdata)))) {
+
+ $req = new HTTP_Request($returnurl);
+ if ($method == 'POST') {
+ $req->setMethod(HTTP_REQUEST_METHOD_POST);
+ $data = unserialize($postdata);
+ foreach ($data as $key => $value) {
+ if ($key == CSRF_TOKEN) {
+ $req->addPostData($key, SEC_createToken());
+ } else {
+ $req->addPostData($key, $value);
+ }
+ }
+ } else {
+ $req->setMethod(HTTP_REQUEST_METHOD_GET);
+ $data = unserialize($getdata);
+ foreach ($data as $key => $value) {
+ if ($key == CSRF_TOKEN) {
+ $req->addQueryString($key, SEC_createToken());
+ } else {
+ $req->addQueryString($key, $value);
+ }
+ }
+ }
+ $req->addHeader('User-Agent', 'Geeklog/' . VERSION);
+ // need to fake the referrer so the new token matches
+ $req->addHeader('Referer', COM_getCurrentUrl());
+ foreach ($_COOKIE as $cookie => $value) {
+ $req->addCookie($cookie, $value);
+ }
+ $response = $req->sendRequest();
+
+ if (PEAR::isError($response)) {
+ die("Request failed: " . $response->getMessage());
+ } else {
+ echo $req->getResponseBody();
+ }
+ } else {
+ echo COM_refresh($_CONF['site_url'] . '/index.php');
+ }
+
+ // don't return
+ exit();
+}
+
// MAIN
if (isset ($_REQUEST['mode'])) {
$mode = $_REQUEST['mode'];
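Review bot: handle_expiredToken reads `$_CONF['site_url']` on the fallback `COM_refresh` line without a `global $_CONF;` declaration, so inside the function `$_CONF` is undefined and the refresh target degrades to `/index.php`. The larger concern is that `$returnurl`, `$postdata` and `$getdata` are taken straight from `$_POST`: the server then opens an HTTP request to whatever URL was submitted, attaches every value from `$_COOKIE` to it and echoes the response body back, and the two payloads go through `unserialize()`, which instantiates arbitrary classes from client-controlled input. At minimum the return URL should be required to start with `$_CONF['site_url'] . '/'` before any request is built, and the `die("Request failed: ...")` branch should log the message rather than print it; longer term the pending request should be kept server-side (for example in the session under an opaque id) so nothing is deserialised from the browser. The `$key == CSRF_TOKEN` comparisons also use loose equality and should be `===`.
```php
function handle_expiredToken()
{
    global $_CONF;

    require_once 'HTTP/Request.php';

    // … unchanged: read token_requestmethod / token_returnurl / token_postdata / token_getdata from $_POST …

    // Only replay requests to this site; never let the server fetch an
    // arbitrary URL with the user's cookies attached.
    $site = $_CONF['site_url'] . '/';
    if (strncmp($returnurl, $site, strlen($site)) !== 0) {
        $returnurl = '';
    }

    // … unchanged: rebuild the request, re-issue it, fall back to COM_refresh …
}
```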
@@ -1141,6 +1209,9 @@
}
if ($status == USER_ACCOUNT_ACTIVE) { // logged in AOK.
+ if ($mode == 'tokenexpired') {
+ handle_expiredToken(); // won't come back
+ }
DB_change($_TABLES['users'],'pwrequestid',"NULL",'uid',$uid);
$userdata = SESS_getUserDataFromId($uid);
$_USER = $userdata;
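Review bot: The `tokenexpired` branch runs after the password for `$uid` has been verified but before the session is switched to that account (`$_USER` is only assigned from `$userdata` two lines later), and handle_expiredToken replays the request with the existing `$_COOKIE` values rather than as `$uid`. If `$_USER` already reflects the session user at this point, as lib-common's session handling normally arranges, the replay should be bound to the same account whose password was just checked, e.g. `if ($mode == 'tokenexpired' && isset($_USER['uid']) && $_USER['uid'] == $uid) {`. Without that check the re-authentication is not tied to the session being resumed. The enclosing `if ($status == USER_ACCOUNT_ACTIVE)` block continues outside the hunk.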
diff -r 4b9189b7a976 -r bf547541ad38 system/lib-security.php
--- a/system/lib-security.php Sat Dec 19 23:44:40 2009 +0100
+++ b/system/lib-security.php Sun Dec 20 15:36:11 2009 +0100
@@ -1129,6 +1129,74 @@
*/
function SEC_checkToken()
{
+ if (SECINT_checkToken()) {
+ return true;
+ }
+
+ $returnurl = COM_getCurrentUrl();
+ $method = strtoupper($_SERVER['REQUEST_METHOD']);
+ $postdata = serialize($_POST);
+ $getdata = serialize($_GET);
+
+ $display = COM_siteHeader('menu')
+ . COM_showMessageText('The security token for this operation has expired. Please authenticate again to continue.')
+ . SECINT_loginform($returnurl, $method, $postdata, $getdata)
+ . COM_siteFooter();
+
+ COM_output($display);
+ exit;
+
+ // we don't return from here
+}
+
+function SECINT_loginform($returnurl, $method, $postdata = '', $getdata = '')
+{
+ global $_CONF, $LANG01, $LANG04;
+
+ $retval = '';
+
+ $user_templates = new Template($_CONF['path_layout'] . 'users');
+ $user_templates->set_file('login', 'loginform.thtml');
+ $user_templates->set_var('xhtml', XHTML);
+ $user_templates->set_var('site_url', $_CONF['site_url']);
+ $user_templates->set_var('site_admin_url', $_CONF['site_admin_url']);
+ $user_templates->set_var('layout_url', $_CONF['layout_url']);
+
+ $user_templates->set_var('lang_newreglink', '');
+ $user_templates->set_var('lang_forgetpassword', '');
+
+ $user_templates->set_var('lang_login', $LANG04[80]);
+ $user_templates->set_var('lang_username', $LANG04[2]);
+ $user_templates->set_var('lang_password', $LANG01[57]);
+
+ $user_templates->set_var('start_block_loginagain', COM_startBlock('Security Token Expired'));
+ $user_templates->set_var('end_block', COM_endBlock());
+
+ $services = ''; // TBD: add services dropdown
+
+ // (ab)use {services} for some hidden fields
+ $services .= '<input type="hidden" name="mode" value="tokenexpired"'
+ . XHTML . '>' . LB;
+ $services .= '<input type="hidden" name="token_returnurl" value="'
+ . urlencode($returnurl) . '"' . XHTML . '>' . LB;
+ $services .= '<input type="hidden" name="token_postdata" value="'
+ . urlencode($postdata) . '"' . XHTML . '>' . LB;
+ $services .= '<input type="hidden" name="token_getdata" value="'
+ . urlencode($getdata) . '"' . XHTML . '>' . LB;
+ $services .= '<input type="hidden" name="token_requestmethod" value="'
+ . $method . '"' . XHTML . '>' . LB;
+ $user_templates->set_var('services', $services);
+ $user_templates->set_var('openid_login', ''); // TBD
+
+ $user_templates->parse('output', 'login');
+
+ $retval .= $user_templates->finish($user_templates->get_var('output'));
+
+ return $retval;
+}
+
+function SECINT_checkToken()
+{
global $_USER, $_TABLES, $_DB_dbms;
$token = ''; // Default to no token.
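Review bot: SEC_checkToken's contract changes silently: on a failed check it now renders a page and calls `exit` instead of returning `false`, but the docblock ending at the `*/` line above it still describes the old boolean return, and the comment `// we don't return from here` sits after the `exit` where it is unreachable. The docblock should state that the function returns `true` only, and otherwise renders SECINT_loginform and terminates, with the comment moved above the `exit`. Separately, SECINT_loginform round-trips `serialize($_POST)` and `serialize($_GET)` through hidden form fields, so the complete original request body, including anything sensitive it held, is handed to the client and later fed back to `unserialize()` in users.php; storing the pending request in the session under a random id and emitting only that id in the form removes both the exposure and the deserialisation of client data. The `$method` value is also written into the hidden `token_requestmethod` attribute unescaped, unlike the urlencoded fields, and should be wrapped as `htmlspecialchars($method, ENT_QUOTES)`. SECINT_checkToken's body continues outside the hunk.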