diff -r 45e887f23282 -r 7152ca0a0ce9 includes/sessions.php --- a/includes/sessions.php Mon Feb 16 16:04:54 2009 -0500 +++ b/includes/sessions.php Mon Feb 16 16:17:25 2009 -0500 @@ -716,13 +716,17 @@ $this->sql('SELECT password,\'\' AS password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n" . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';"); } - if($db->numrows() < 1) + if ( $db->numrows() < 1 ) { // This wasn't logged in <1.0.2, dunno how it slipped through - if($level > USER_LEVEL_MEMBER) - $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); + if ( $level > USER_LEVEL_MEMBER ) + $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n" + . ' (\'security\', \'admin_auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', ' + . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); else - $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); + $this->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary) VALUES\n" + . ' (\'security\', \'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \''.$db->escape($username).'\', ' + . '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); // Do we also need to increment the lockout countdown? if ( @$policy != 'disable' && !defined('IN_ENANO_INSTALL') ) @@ -783,7 +787,7 @@ $success = true; } } - else if ( $row['old_encryption'] == 2 || defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) + else if ( $row['old_encryption'] == 2 || ( defined('ENANO_UPGRADE_USE_AES_PASSWORDS') ) ) { // Our password field uses the 1.0RC1-1.1.5 encryption format $real_pass = $aes->decrypt($row['password'], $this->private_key); @@ -920,7 +924,7 @@ $salt = ''; for ( $i = 0; $i < 32; $i++ ) { - $salt .= chr(mt_rand(32, 127)); + $salt .= chr(mt_rand(32, 126)); } // Session key @@ -946,7 +950,7 @@ { // Stash it in a cookie // For now, make the cookie last forever, we can change this in 1.1.x - setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ) ); + setcookie( 'sid', $session_key, time()+15552000, scriptPath.'/', null, $GLOBALS['is_https']); $_COOKIE['sid'] = $session_key; } // $keyhash is stored in the database, this is for compatibility with the older DB structure @@ -1354,10 +1358,6 @@ if($this->user_logged_in) { $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - // See if we can get rid of the cached decrypted session key - $key_bin = hex2bin($this->sid); - $key_hash = sha1($key_bin . '::' . $this->private_key); - aes_decrypt_cache_destroy($key_hash); // Completely destroy our session if($this->auth_level > USER_LEVEL_CHPREF) { @@ -1811,8 +1811,6 @@ } } - $password = $aes->encrypt($password, $this->private_key, ENC_HEX); - // Require the account to be activated? switch(getConfig('account_activation')) { @@ -1836,7 +1834,7 @@ $actkey = sha1 ( microtime() . mt_rand() ); // We good, create the user - $this->sql('INSERT INTO '.table_prefix.'users ( username, password, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$password.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );'); + $this->sql('INSERT INTO '.table_prefix.'users ( username, email, real_name, theme, style, reg_time, account_active, activation_key, user_level, user_coppa, user_registration_ip ) VALUES ( \''.$username.'\', \''.$email.'\', \''.$real_name.'\', \''.$template->default_theme.'\', \''.$template->default_style.'\', '.time().', '.$active.', \''.$actkey.'\', '.USER_LEVEL_CHPREF.', ' . $coppa_col . ', \'' . $ip . '\' );'); // Get user ID and create users_extra entry $q = $this->sql('SELECT user_id FROM '.table_prefix."users WHERE username='$username';"); @@ -1848,6 +1846,9 @@ $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');'); } + // Set the password + $this->set_password($user_id, $password); + // Config option added, 1.1.5 if ( getConfig('userpage_grant_acl', '1') == '1' ) { @@ -1879,8 +1880,8 @@ // Require the account to be activated? if ( $coppa ) { - $this->admin_activation_request($username); - $this->send_coppa_mail($username,$email); + $this->admin_activation_request($user_orig); + $this->send_coppa_mail($user_orig, $email); } else { @@ -1890,27 +1891,28 @@ default: break; case 'user': - $a = $this->send_activation_mail($username); + $a = $this->send_activation_mail($user_orig); if(!$a) { - $this->admin_activation_request($username); + $this->admin_activation_request($user_orig); return $lang->get('user_reg_err_actmail_failed') . ' ' . $a; } break; case 'admin': - $this->admin_activation_request($username); + $this->admin_activation_request($user_orig); break; } } // Leave some data behind for the hook - $code = $plugins->setHook('user_registered'); // , Array('username'=>$username)); + $code = $plugins->setHook('user_registered'); foreach ( $code as $cmd ) { eval($cmd); } - // $this->register_session($username, $password); + // Uncomment to automatically log the user in (WARNING: commented out for a reason - doesn't consider activation and other things) + // $this->register_session($user_orig, $password); return 'success'; } @@ -1924,9 +1926,6 @@ { global $db, $session, $paths, $template, $plugins; // Common objects global $lang; - $q = $this->sql('SELECT username,email FROM '.table_prefix.'users WHERE user_id=2 OR user_level=' . USER_LEVEL_ADMIN . ' ORDER BY user_id ASC;'); - $un = $db->fetchrow(); - $admin_user = $un['username']; $q = $this->sql('SELECT username,activation_key,account_active,email FROM '.table_prefix.'users WHERE username=\''.$db->escape($u).'\';'); $r = $db->fetchrow(); if ( empty($r['email']) ) @@ -1935,16 +1934,24 @@ $aklink = makeUrlComplete('Special', 'ActivateAccount/'.str_replace(' ', '_', $u).'/'. ( ( is_string($actkey) ) ? $actkey : $r['activation_key'] ) ); $message = $lang->get('user_reg_activation_email', array( 'activation_link' => $aklink, - 'admin_user' => $admin_user, 'username' => $u )); - if(getConfig('smtp_enabled') == '1') + if ( getConfig('smtp_enabled') == '1' ) { $result = smtp_send_email($r['email'], $lang->get('user_reg_activation_email_subject'), preg_replace("#(?get('user_reg_activation_email_subject'), preg_replace("#(?