Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
authorDan
Sun, 07 Oct 2007 21:41:42 -0400
changeset 181 06bdbdfec160
parent 180 c63c5ee6c6d6
child 182 c69730750be3
Upgrade UI should work now (upgrades still don't work); do not pull this revision as there is a security hole in the lockout system pending a fix
includes/sessions.php
upgrade.php
--- a/includes/sessions.php	Sun Oct 07 21:31:14 2007 -0400
+++ b/includes/sessions.php	Sun Oct 07 21:41:42 2007 -0400
@@ -557,40 +557,43 @@
     global $db, $session, $paths, $template, $plugins; // Common objects
     
     $privcache = $this->private_key;
-    
-    // Lockout stuff
-    $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
-    $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
-    // convert to minutes
-    $duration  = $duration * 60;
-    $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
-    if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
-    {
-      // policy is captcha -- check if it's correct, and if so, bypass lockout check
-      $real_code = $this->get_captcha($captcha_hash);
-    }
-    if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+
+    if ( !defined('IN_ENANO_INSTALL') )
     {
-      $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
-      $timestamp_cutoff = time() - $duration;
-      $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
-      $fails = $db->numrows();
-      if ( $fails > $threshold )
+      // Lockout stuff
+      $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+      $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+      // convert to minutes
+      $duration  = $duration * 60;
+      $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+      if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+      {
+        // policy is captcha -- check if it's correct, and if so, bypass lockout check
+        $real_code = $this->get_captcha($captcha_hash);
+      }
+      if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
       {
-        // ooh boy, somebody's in trouble ;-)
-        $row = $db->fetchrow();
+        $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+        $timestamp_cutoff = time() - $duration;
+        $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+        $fails = $db->numrows();
+        if ( $fails > $threshold )
+        {
+          // ooh boy, somebody's in trouble ;-)
+          $row = $db->fetchrow();
+          $db->free_result();
+          return array(
+              'success' => false,
+              'error' => 'locked_out',
+              'lockout_threshold' => $threshold,
+              'lockout_duration' => ( $duration / 60 ),
+              'lockout_fails' => $fails,
+              'lockout_policy' => $policy,
+              'lockout_last_time' => $row['timestamp']
+            );
+        }
         $db->free_result();
-        return array(
-            'success' => false,
-            'error' => 'locked_out',
-            'lockout_threshold' => $threshold,
-            'lockout_duration' => ( $duration / 60 ),
-            'lockout_fails' => $fails,
-            'lockout_policy' => $policy,
-            'lockout_last_time' => $row['timestamp']
-          );
       }
-      $db->free_result();
     }
     
     // Instanciate the Rijndael encryption object
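Review bot: When IN_ENANO_INSTALL is defined, the new wrapper skips the whole lockout block, so `$policy` is never assigned in that mode and the later guards written as `if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )` read an undefined variable (a PHP notice) before the `defined()` test short-circuits; swapping the operands to `if ( !defined('IN_ENANO_INSTALL') && $policy != 'disable' )` avoids the notice in each of those four hunks. The larger concern is that any script defining that constant (presumably upgrade.php) now gets an admin login path with no lockout check and no failure recorded in the lockout table, which appears to be the hole the commit message itself flags. A safer shape is to keep the failure counting and the lockout query active in install mode and only relax the captcha handling, or to gate the upgrade login on an out-of-band token rather than on disabling the throttle. The same wrapped block is duplicated verbatim in the later hunk that begins with `return $this->login_compat(...)`; the enclosing methods start before both hunks and end after them.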
@@ -633,8 +636,8 @@
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
-      
-      if ( $policy != 'disable' )
+    
+      if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         // increment fail count
@@ -746,7 +749,7 @@
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
         
       // Do we also need to increment the lockout countdown?
-      if ( $policy != 'disable' )
+      if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         // increment fail count
@@ -791,39 +794,42 @@
       return $this->login_compat($username, $pass_hashed, $level);
     }
     
-    // Lockout stuff
-    $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
-    $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
-    // convert to minutes
-    $duration  = $duration * 60;
-    $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
-    if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
-    {
-      // policy is captcha -- check if it's correct, and if so, bypass lockout check
-      $real_code = $this->get_captcha($captcha_hash);
-    }
-    if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+    if ( !defined('IN_ENANO_INSTALL') )
     {
-      $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
-      $timestamp_cutoff = time() - $duration;
-      $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
-      $fails = $db->numrows();
-      if ( $fails > $threshold )
+      // Lockout stuff
+      $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+      $duration  = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+      // convert to minutes
+      $duration  = $duration * 60;
+      $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+      if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+      {
+        // policy is captcha -- check if it's correct, and if so, bypass lockout check
+        $real_code = $this->get_captcha($captcha_hash);
+      }
+      if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
       {
-        // ooh boy, somebody's in trouble ;-)
-        $row = $db->fetchrow();
+        $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+        $timestamp_cutoff = time() - $duration;
+        $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+        $fails = $db->numrows();
+        if ( $fails > $threshold )
+        {
+          // ooh boy, somebody's in trouble ;-)
+          $row = $db->fetchrow();
+          $db->free_result();
+          return array(
+              'success' => false,
+              'error' => 'locked_out',
+              'lockout_threshold' => $threshold,
+              'lockout_duration' => ( $duration / 60 ),
+              'lockout_fails' => $fails,
+              'lockout_policy' => $policy,
+              'lockout_last_time' => $row['timestamp']
+            );
+        }
         $db->free_result();
-        return array(
-            'success' => false,
-            'error' => 'locked_out',
-            'lockout_threshold' => $threshold,
-            'lockout_duration' => ( $duration / 60 ),
-            'lockout_fails' => $fails,
-            'lockout_policy' => $policy,
-            'lockout_last_time' => $row['timestamp']
-          );
       }
-      $db->free_result();
     }
     
     // Instanciate the Rijndael encryption object
@@ -843,7 +849,7 @@
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
       
       // Do we also need to increment the lockout countdown?
-      if ( $policy != 'disable' )
+      if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         // increment fail count
@@ -948,7 +954,7 @@
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
         
       // Do we also need to increment the lockout countdown?
-      if ( $policy != 'disable' )
+      if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
       {
         $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
         // increment fail count
--- a/upgrade.php	Sun Oct 07 21:31:14 2007 -0400
+++ b/upgrade.php	Sun Oct 07 21:41:42 2007 -0400
@@ -447,7 +447,7 @@
     {
       if(isset($_POST['login']))
       {
-        $session->login_without_crypto($_POST['username'], $_POST['password'], false, $ul_admin);
+        $result = $session->login_without_crypto($_POST['username'], $_POST['password'], false, $ul_admin);
         if($session->sid_super)
         {
           header('Location: upgrade.php?mode=welcome&auth='.$session->sid_super);
@@ -464,7 +464,7 @@
         <?php
         if(isset($_POST['login']))
         {
-          echo '<tr><td colspan="2"><p style="color: red;">Login failed. Bad password?</p></td></tr>';
+          echo '<tr><td colspan="2"><p style="color: red;">Login failed: '. $result['error'] . '</p></td></tr>';
         }
         ?>
         <tr>
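Review bot: `$result['error']` is concatenated straight into the HTML response with no escaping, so whatever string the login method places under that key reaches the page unencoded; use `echo '<tr><td colspan="2"><p style="color: red;">Login failed: ' . htmlspecialchars($result['error'], ENT_QUOTES, 'UTF-8') . '</p></td></tr>';`. The values visible in this commit (for example `locked_out`) are internal error codes rather than user-facing text, so mapping them to a message, or at least documenting that the raw code is shown, would also help. If login_without_crypto can return an array without an `error` key, or something other than an array, this line should additionally guard with `isset($result['error'])` — I cannot confirm its return contract from this hunk.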