Enano CMS (1.1.x): comparison includes/sessions.php

equal deleted inserted replaced

-:06db76725891
+:5bcdee999015
 * Regex that defines a valid username, minus the ^ and $, these are added later
 * @var string
 */
 //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
-var $valid_username = '([^<>_&\?\'"%\n\r\t\a\/]+)';
+var $valid_username = '([^<>&\?\'"%\n\r\t\a\/]+)';
 /**
 * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
 * @var string
 */
 * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt
 * @param int $level The privilege level we're authenticating for, defaults to 0
 * @return string 'success' on success, or error string on failure
 */
-function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER)
+function login_with_crypto($username, $aes_data, $aes_key_id, $challenge, $level = USER_LEVEL_MEMBER)
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 $privcache = $this->private_key;
 // Instanciate the Rijndael encryption object
 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
 // Fetch our decryption key
-$aes_key = $this->fetch_public_key($aes_key);
+$aes_key = $this->fetch_public_key($aes_key_id);
 if(!$aes_key)
-return 'Couldn\'t look up public key "'.$aes_key.'" for decryption';
+return 'Couldn\'t look up public key "'.htmlspecialchars($aes_key_id).'" for decryption';
 // Convert the key to a binary string
 $bin_key = hexdecode($aes_key);
 if(strlen($bin_key) != AES_BITS / 8)
 // Initialize our success switch
 $success = false;
 // Escaped username
+$username = str_replace('_', ' ', $username);
 $db_username_lower = $this->prepare_text(strtolower($username));
 $db_username       = $this->prepare_text($username);
 // Select the user data from the table, and decrypt that so we can verify the password
 $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 $pass_hashed = ( $already_md5ed ) ? $password : md5($password);
+// Replace underscores with spaces in username
+// (Added in 1.0.2)
+$username = str_replace('_', ' ', $username);
 // Perhaps we're upgrading Enano?
 if($this->compat)
 {
 return $this->login_compat($username, $pass_hashed, $level);
 }
 }
 }
 /**
 * Registers a session key in the database. This function *ASSUMES* that the username and password have already been validated!
-* Basically the session key is a base64-encoded cookie (encrypted with the site's private key) that says "u=[username];p=[sha1 of password]"
+* Basically the session key is a hex-encoded cookie (encrypted with the site's private key) that says "u=[username];p=[sha1 of password];s=[unique key id]"
 * @param int $user_id
 * @param string $username
 * @param string $password
 * @param int $level The level of access to grant, defaults to USER_LEVEL_MEMBER
 * @return bool
 $query = $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$keyhash.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');');
 return true;
 }
 /**
-* Identical to register_session in nature, but uses the old login/table structure. DO NOT use this.
+* Identical to register_session in nature, but uses the old login/table structure. DO NOT use this except in the upgrade script under very controlled circumstances.
 * @see sessionManager::register_session()
 * @access private
 */
 function register_session_compat($user_id, $username, $password, $level = 0)
 */
 function check_banlist()
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
-if($this->compat)
+$col_reason = ( $this->compat ) ? '"No reason entered (session manager is in compatibility mode)" AS reason' : 'reason';
-$q = $this->sql('SELECT ban_id,ban_type,ban_value,is_regex FROM '.table_prefix.'banlist ORDER BY ban_type;');
+$is_banned = false;
-else
+if ( $this->user_logged_in )
-$q = $this->sql('SELECT ban_id,ban_type,ban_value,is_regex,reason FROM '.table_prefix.'banlist ORDER BY ban_type;');
+{
-if(!$q) $db->_die('The banlist data could not be selected.');
+// check by IP, email, and username
-$banned = false;
+$sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE \n"
-while($row = $db->fetchrow())
+. "    ( ban_type = " . BAN_IP    . " AND is_regex = 0 ) OR \n"
-{
+. "    ( ban_type = " . BAN_IP    . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value ) OR \n"
-if($this->compat)
+. "    ( ban_type = " . BAN_USER  . " AND is_regex = 0 AND ban_value = '{$this->username}' ) OR \n"
-$row['reason'] = 'None available - session manager is in compatibility mode';
+. "    ( ban_type = " . BAN_USER  . " AND is_regex = 1 AND '{$this->username}' REGEXP ban_value ) OR \n"
-switch($row['ban_type'])
+. "    ( ban_type = " . BAN_EMAIL . " AND is_regex = 0 AND ban_value = '{$this->email}' ) OR \n"
-{
+. "    ( ban_type = " . BAN_EMAIL . " AND is_regex = 1 AND '{$this->email}' REGEXP ban_value ) \n"
-case BAN_IP:
+. "  ORDER BY ban_type ASC;";
-if(intval($row['is_regex'])==1) {
+$q = $this->sql($sql);
-if(preg_match('#'.$row['ban_value'].'#i', $_SERVER['REMOTE_ADDR']))
+if ( $db->numrows() > 0 )
+{
+while ( list($reason, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
+{
+if ( $ban_type == BAN_IP && $row['is_regex'] != 1 )
 {
+// check range
+$regexp = parse_ip_range_regex($ban_value);
+if ( !$regexp )
+{
+continue;
+}
+if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
+{
+$banned = true;
+}
+}
+else
+{
+// User is banned
 $banned = true;
-$reason = $row['reason'];
 }
 }
-else {
+}
-if($row['ban_value']==$_SERVER['REMOTE_ADDR']) { $banned = true; $reason = $row['reason']; }
+$db->free_result();
 }
-break;
+else
-case BAN_USER:
+{
-if(intval($row['is_regex'])==1) {
+// check by IP only
-if(preg_match('#'.$row['ban_value'].'#i', $this->username))
+$sql = "SELECT $col_reason, ban_value, ban_type, is_regex FROM " . table_prefix . "banlist WHERE
+( ban_type = " . BAN_IP    . " AND is_regex = 0 ) OR
+( ban_type = " . BAN_IP    . " AND is_regex = 1 AND '{$_SERVER['REMOTE_ADDR']}' REGEXP ban_value )
+ORDER BY ban_type ASC;";
+$q = $this->sql($sql);
+if ( $db->numrows() > 0 )
+{
+while ( list($reason, $ban_value, $ban_type, $is_regex) = $db->fetchrow_num() )
+{
+if ( $ban_type == BAN_IP && $row['is_regex'] != 1 )
 {
+// check range
+$regexp = parse_ip_range_regex($ban_value);
+if ( !$regexp )
+continue;
+if ( preg_match("/$regexp/", $_SERVER['REMOTE_ADDR']) )
+{
+$banned = true;
+}
+}
+else
+{
+// User is banned
 $banned = true;
-$reason = $row['reason'];
 }
 }
-else {
+}
-if($row['ban_value']==$this->username) { $banned = true; $reason = $row['reason']; }
+$db->free_result();
 }
-break;
+if ( $banned && $paths->get_pageid_from_url() != $paths->nslist['Special'].'CSS' )
-case BAN_EMAIL:
-if(intval($row['is_regex'])==1) {
-if(preg_match('#'.$row['ban_value'].'#i', $this->email))
-{
-$banned = true;
-$reason = $row['reason'];
-}
-}
-else {
-if($row['ban_value']==$this->email) { $banned = true; $reason = $row['reason']; }
-}
-break;
-default:
-die('Ban error: rule "'.$row['ban_value'].'" has an invalid type ('.$row['ban_type'].')');
-}
-}
-if($banned && $paths->get_pageid_from_url() != $paths->nslist['Special'].'CSS')
 {
 // This guy is banned - kill the session, kill the database connection, bail out, and be pretty about it
 die_semicritical('Ban notice', '<div class="error-box">You have been banned from this website. Please contact the site administrator for more information.<br /><br />Reason:<br />'.$reason.'</div>');
 exit;
 }
 # Registration
 /**
 * Registers a user. This does not perform any type of login.
-* @param string $username
+* @param string New user's username
-* @param string $password This should be unencrypted.
+* @param string This should be unencrypted.
-* @param string $email
+* @param string E-mail address.
-* @param string $real_name Optional, defaults to ''.
+* @param string Optional, defaults to ''.
-* @param bool   $coppa     Optional. If true, the account is not activated initially and an admin activation request is sent. The caller is responsible for sending the address info and notice.
+* @param bool Optional. If true, the account is not activated initially and an admin activation request is sent. The caller is responsible for sending the address info and notice.
 */
 function create_user($username, $password, $email, $real_name = '', $coppa = false)
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 // Initialize AES
 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
 if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
+$username = str_replace('_', ' ', $username);
 $user_orig = $username;
 $username = $this->prepare_text($username);
 $email = $this->prepare_text($email);
 $real_name = $this->prepare_text($real_name);

changeset 270	5bcdee999015
parent 268	58477ab3937f
child 271	f088805540ae
child 286	b2f985e4cef3