--- a/includes/sessions.php Sat Oct 20 21:59:27 2007 -0400
+++ b/includes/sessions.php Sat Nov 03 07:40:54 2007 -0400
@@ -362,6 +362,7 @@
function start()
{
global $db, $session, $paths, $template, $plugins; // Common objects
+ global $lang;
if($this->started) return;
$this->started = true;
$user = false;
@@ -381,6 +382,9 @@
if(!$this->compat && $userdata['account_active'] != 1 && $data[1] != 'Special' && $data[1] != 'Admin')
{
+ $language = intval(getConfig('default_language'));
+ $lang = new Language($language);
+
$this->logout();
$a = getConfig('account_activation');
switch($a)
@@ -480,6 +484,13 @@
}
$user = true;
+ // Set language
+ if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ {
+ $lang_id = intval($userdata['user_lang']);
+ $lang = new Language($lang_id);
+ }
+
if(isset($_REQUEST['auth']) && !$this->sid_super)
{
// Now he thinks he's a moderator. Or maybe even an administrator. Let's find out if he's telling the truth.
@@ -547,14 +558,55 @@
* @param string $aes_key The MD5 hash of the encryption key, hex-encoded
* @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt
* @param int $level The privilege level we're authenticating for, defaults to 0
+ * @param array $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code.
+ * @param array $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered.
* @return string 'success' on success, or error string on failure
*/
- function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER)
+ function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
{
global $db, $session, $paths, $template, $plugins; // Common objects
$privcache = $this->private_key;
+
+ if ( !defined('IN_ENANO_INSTALL') )
+ {
+ // Lockout stuff
+ $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+ $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+ // convert to minutes
+ $duration = $duration * 60;
+ $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+ if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+ {
+ // policy is captcha -- check if it's correct, and if so, bypass lockout check
+ $real_code = $this->get_captcha($captcha_hash);
+ }
+ if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ $timestamp_cutoff = time() - $duration;
+ $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ $fails = $db->numrows();
+ if ( $fails >= $threshold )
+ {
+ // ooh boy, somebody's in trouble ;-)
+ $row = $db->fetchrow();
+ $db->free_result();
+ return array(
+ 'success' => false,
+ 'error' => 'locked_out',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy,
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
+ 'lockout_last_time' => $row['timestamp']
+ );
+ }
+ $db->free_result();
+ }
+ }
// Instanciate the Rijndael encryption object
$aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
@@ -563,13 +615,19 @@
$aes_key = $this->fetch_public_key($aes_key);
if(!$aes_key)
- return 'Couldn\'t look up public key "'.$aes_key.'" for decryption';
+ return array(
+ 'success' => false,
+ 'error' => 'key_not_found'
+ );
// Convert the key to a binary string
$bin_key = hexdecode($aes_key);
if(strlen($bin_key) != AES_BITS / 8)
- return 'The decryption key is the wrong length';
+ return array(
+ 'success' => false,
+ 'error' => 'key_wrong_length'
+ );
// Decrypt our password
$password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
@@ -590,7 +648,29 @@
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
else
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return "The username and/or password is incorrect.";
+
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ // ooh boy, somebody's in trouble ;-)
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
}
$row = $db->fetchrow();
@@ -641,7 +721,10 @@
if($success)
{
if($level > $row['user_level'])
- return 'You are not authorized for this level of access.';
+ return array(
+ 'success' => false,
+ 'error' => 'too_big_for_britches'
+ );
$sess = $this->register_session(intval($row['user_id']), $username, $password, $level);
if($sess)
@@ -661,10 +744,15 @@
{
eval($cmd);
}
- return 'success';
+ return array(
+ 'success' => true
+ );
}
else
- return 'Your login credentials were correct, but an internal error occurred while registering the session key in the database.';
+ return array(
+ 'success' => false,
+ 'error' => 'backend_fail'
+ );
}
else
{
@@ -673,7 +761,28 @@
else
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return 'The username and/or password is incorrect.';
+ // Do we also need to increment the lockout countdown?
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
}
}
@@ -699,6 +808,45 @@
return $this->login_compat($username, $pass_hashed, $level);
}
+ if ( !defined('IN_ENANO_INSTALL') )
+ {
+ // Lockout stuff
+ $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+ $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+ // convert to minutes
+ $duration = $duration * 60;
+ $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+ if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+ {
+ // policy is captcha -- check if it's correct, and if so, bypass lockout check
+ $real_code = $this->get_captcha($captcha_hash);
+ }
+ if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ $timestamp_cutoff = time() - $duration;
+ $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ $fails = $db->numrows();
+ if ( $fails > $threshold )
+ {
+ // ooh boy, somebody's in trouble ;-)
+ $row = $db->fetchrow();
+ $db->free_result();
+ return array(
+ 'success' => false,
+ 'error' => 'locked_out',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy,
+ 'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 ),
+ 'lockout_last_time' => $row['timestamp']
+ );
+ }
+ $db->free_result();
+ }
+ }
+
// Instanciate the Rijndael encryption object
$aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
@@ -707,14 +855,35 @@
// Retrieve the real password from the database
$this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
- if ( $db->numrows() < 1 )
+ if($db->numrows() < 1)
{
// This wasn't logged in <1.0.2, dunno how it slipped through
if($level > USER_LEVEL_MEMBER)
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
else
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return "The username and/or password is incorrect.";
+
+ // Do we also need to increment the lockout countdown?
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
}
$row = $db->fetchrow();
@@ -764,7 +933,10 @@
if($success)
{
if((int)$level > (int)$row['user_level'])
- return 'You are not authorized for this level of access.';
+ return array(
+ 'success' => false,
+ 'error' => 'too_big_for_britches'
+ );
$sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level);
if($sess)
{
@@ -779,10 +951,15 @@
eval($cmd);
}
- return 'success';
+ return array(
+ 'success' => true
+ );
}
else
- return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.';
+ return array(
+ 'success' => false,
+ 'error' => 'backend_fail'
+ );
}
else
{
@@ -791,7 +968,27 @@
else
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return 'The username and/or password is incorrect.';
+ // Do we also need to increment the lockout countdown?
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
}
}
@@ -863,7 +1060,7 @@
{
// Stash it in a cookie
// For now, make the cookie last forever, we can change this in 1.1.x
- setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/' );
+ setcookie( 'sid', $session_key, time()+315360000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) ) );
$_COOKIE['sid'] = $session_key;
}
// $keyhash is stored in the database, this is for compatibility with the older DB structure
@@ -925,6 +1122,7 @@
function register_guest_session()
{
global $db, $session, $paths, $template, $plugins; // Common objects
+ global $lang;
$this->username = $_SERVER['REMOTE_ADDR'];
$this->user_level = USER_LEVEL_GUEST;
if($this->compat || defined('IN_ENANO_INSTALL'))
@@ -938,6 +1136,12 @@
$this->style = ( isset($_GET['style']) && file_exists(ENANO_ROOT.'/themes/'.$this->theme . '/css/'.$_GET['style'].'.css' )) ? $_GET['style'] : substr($template->named_theme_list[$this->theme]['default_style'], 0, strlen($template->named_theme_list[$this->theme]['default_style'])-4);
}
$this->user_id = 1;
+ if ( !defined('ENANO_ALLOW_LOAD_NOLANG') )
+ {
+ // This is a VERY special case we are allowing. It lets the installer create languages using the Enano API.
+ $language = intval(getConfig('default_language'));
+ $lang = new Language($language);
+ }
}
/**
@@ -965,7 +1169,7 @@
}
$keyhash = md5($key);
$salt = $db->escape($keydata[3]);
- $query = $db->sql_query('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms,x.* FROM '.table_prefix.'session_keys AS k
+ $query = $db->sql_query('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms,u.user_lang,x.* FROM '.table_prefix.'session_keys AS k
LEFT JOIN '.table_prefix.'users AS u
ON ( u.user_id=k.user_id )
LEFT JOIN '.table_prefix.'users_extra AS x
@@ -1120,7 +1324,10 @@
if($level > USER_LEVEL_CHPREF)
{
$aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
- if(!$this->user_logged_in || $this->auth_level < USER_LEVEL_MOD) return 'success';
+ if(!$this->user_logged_in || $this->auth_level < USER_LEVEL_MOD)
+ {
+ return 'success';
+ }
// Destroy elevated privileges
$keyhash = md5(strrev($this->sid_super));
$this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.$keyhash.'\' AND user_id=\'' . $this->user_id . '\';');