diff -r 0ae1b281a884 -r af0f6ec48de3 includes/sessions.php
--- a/includes/sessions.php	Mon Sep 17 11:52:58 2007 -0400
+++ b/includes/sessions.php	Tue Sep 18 00:30:43 2007 -0400
@@ -150,7 +150,8 @@
  * @var string
  */
- var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+ //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+ var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
 /**
  * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
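Review bot: The replacement pattern on the second added line is a deny-list, so it now accepts NUL and the other control bytes, backslash, slash, semicolon and backtick that the old allow-list `[A-Za-z0-9 \!\@\(\)-]` rejected; whether that is safe depends on every place `$valid_username` is applied, none of which is in this hunk. At minimum the class should exclude the whole control range, e.g. `var $valid_username = '([^<>_&\?\'"%\x00-\x1f\x7f]+)';`, which also covers the `\n\r\t\a` already listed. The old pattern should be deleted rather than kept as a commented-out line, since version control already holds it.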
@@ -576,10 +577,21 @@
 // Initialize our success switch
 $success = false;
+ // Escaped username
+ $db_username = $this->prepare_text(strtolower($username));
+
 // Select the user data from the table, and decrypt that so we can verify the password
- $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
+ $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
 if($db->numrows() < 1)
- return 'The username and/or password is incorrect.';
+ {
+ // This wasn't logged in <1.0.2, dunno how it slipped through
+ if($level > USER_LEVEL_MEMBER)
+ $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+ else
+ $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+
+ return "The username and/or password is incorrect.";
+ }
 $row = $db->fetchrow();
 // Check to see if we're logging in using a temporary password
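Review bot: `$db_username` is escaped with `$this->prepare_text` for the SELECT while the two new log INSERTs escape the very same `$username` with `$db->escape`; unless `prepare_text` is documented as producing SQL-safe output, the WHERE clause should use the database escaper as well, `$db_username = $db->escape(strtolower($username));`. The added `OR username='...'` alternative cannot match a row that `lcase(username)=` does not already match for ASCII names, since `$db_username` is lowercased first, so it only widens the query text. The logging branch keys on `$level`, which is set before this hunk starts, so the admin/member split cannot be verified here.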
@@ -1392,24 +1404,51 @@
 $username = $this->prepare_text($username);
 $email = $this->prepare_text($email);
 $real_name = $this->prepare_text($real_name);
- $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
 $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
 $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE lcase(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
- if($db->numrows() > 0) {
+ if($db->numrows() > 0)
+ {
 $r = 'The ';
 $i=0;
 $row = $db->fetchrow();
 // Wow! An error checker that actually speaks English with the properest grammar! :-P
- if($row['username'] == $username) { $r .= 'username'; $i++; }
- if($row['email'] == $email) { if($i) $r.=', '; $r .= 'e-mail address'; $i++; }
- if($row['real_name'] == $real_name && $real_name != '') { if($i) $r.=', and '; $r .= 'real name'; $i++; }
+ if ( $row['username'] == $username )
+ {
+ $r .= 'username';
+ $i++;
+ }
+ if ( $row['email'] == $email )
+ {
+ if($i) $r.=', ';
+ $r .= 'e-mail address';
+ $i++;
+ }
+ if ( $row['real_name'] == $real_name && $real_name != '' )
+ {
+ if($i) $r.=', and ';
+ $r .= 'real name';
+ $i++;
+ }
 $r .= ' that you entered ';
 $r .= ( $i == 1 ) ? 'is' : 'are';
 $r .= ' already in use by another user.';
 return $r;
 }
+ // Is the password strong enough?
+ if ( getConfig('pw_strength_enable') )
+ {
+ $min_score = intval( getConfig('pw_strength_minimum') );
+ $pass_score = password_score($password);
+ if ( $pass_score < $min_score )
+ {
+ return 'The password you entered did not meet the complexity requirements for this site. Please choose a stronger password.';
+ }
+ }
+
+ $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
+
 // Require the account to be activated?
 switch(getConfig('account_activation'))
 {
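Review bot: The rewritten `if ( $row['username'] == $username )` compares case-sensitively, but the SELECT above it matches `lcase(username)` against `strtolower($username)`, so a clash that differs only in letter case sets none of the three flags and the function returns the garbled message `The  that you entered are already in use by another user.`; compare the way the query does, `if ( strtolower($row['username']) == strtolower($username) )`. Separately, the moved `$password = $aes->encrypt($password, $this->private_key, ENC_HEX);` keeps passwords under reversible AES with a site-wide key rather than a one-way salted hash, so anyone holding the database together with `$this->private_key` recovers every plaintext password; running the strength check before it is the right order, but the storage scheme deserves its own ticket. The enclosing function starts and ends outside this hunk.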