From b3ca46af8c5a890f27afee3765f8db5b74fcb4eb Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 8 Jul 2015 16:20:57 +0000 Subject: [PATCH] (legacy) cleanups related to auth.inc (remove unused, move single usage, isset issues) --- src/etc/inc/auth.inc | 157 ++-------------------------------------- src/etc/inc/authgui.inc | 118 ++++++++++++++++++++++++++++++ src/www/xmlrpc.php | 19 +++++ 3 files changed, 142 insertions(+), 152 deletions(-) diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc index 1d89a8933..e7408ec76 100644 --- a/src/etc/inc/auth.inc +++ b/src/etc/inc/auth.inc @@ -335,7 +335,7 @@ function local_sync_accounts() if ($fd) { while (!feof($fd)) { $line = explode(':',fgets($fd)); - if (((!strncmp($line[0], '_', 1)) || ($line[2] < 2000) || ($line[2] > 65000))) { + if ( count($line) < 3 || !strncmp($line[0], '_', 1) || $line[2] < 2000 || $line[2] > 65000) { continue; } /* @@ -354,13 +354,7 @@ function local_sync_accounts() if ($fd) { while (!feof($fd)) { $line = explode(':',fgets($fd)); - if (!strncmp($line[0], '_', 1)) { - continue; - } - if ($line[2] < 2000) { - continue; - } - if ($line[2] > 65000) { + if (count($line) < 3 || !strncmp($line[0], '_', 1) || $line[2] < 2000 || $line[2] > 65000 ) { continue; } mwexecf('/usr/sbin/pw groupdel %s', $line[2]); @@ -1186,17 +1180,10 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array()) return $ret; } -function get_user_expiration_date($username) { - $user = getUserEntry($username); - if (isset($user['expires'])) { - return $user['expires']; - } -} - function is_account_expired($username) { - $expirydate = get_user_expiration_date($username); - if ($expirydate) { - if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($expirydate)))) + $user = getUserEntry($username); + if (isset($user['expires']) && !empty($user['expires'])) { + if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($user['expires'])))) return true; } 
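Review bot: The rewritten skip condition in the passwd loop, `if ( count($line) < 3 || ...`, now packs four tests into one line with a stray space after the opening parenthesis, and the group loop in the next hunk has the same shape with a stray space before the closing one. Because the reason for each test is no longer obvious, a one-line comment above the condition in both loops would help, e.g. `/* skip short/malformed lines, system (_-prefixed) accounts and ids outside the 2000-65000 range */`, with the condition itself normalised to `if (count($line) < 3 || !strncmp($line[0], '_', 1) || $line[2] < 2000 || $line[2] > 65000) {`. The `count()` guard presumably also absorbs the `false` that `fgets()` yields on the final `feof()` iteration, which is worth stating in that comment. local_sync_accounts continues outside both hunks.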
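Review bot: In the new is_account_expired condition, `isset($user['expires']) && !empty($user['expires'])` is redundant, because `!empty()` is already false for an unset index, so `if (!empty($user['expires'])) {` expresses the same check. Note also that when `strtotime($user['expires'])` cannot parse the stored value it returns false, which `date()` renders as the epoch, so such an account is reported as expired; that is fail-closed and looks intentional, but a comment such as `/* an unparsable expiry date evaluates as the epoch and therefore counts as expired */` would keep the next maintainer from "fixing" it. The function's `return false` tail lies outside the hunk.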
@@ -1296,138 +1283,4 @@ function authenticate_user($username, $password, $authcfg = NULL, &$attributes = return $authenticated; } -function session_auth() { - global $config, $_SESSION; - // Handle HTTPS httponly and secure flags - $currentCookieParams = session_get_cookie_params(); - session_set_cookie_params( - $currentCookieParams["lifetime"], - $currentCookieParams["path"], - NULL, - ($config['system']['webgui']['protocol'] == "https"), - true - ); - - if (session_status() == PHP_SESSION_NONE) { - session_start(); - } - - // Detect protocol change - if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) - return false; - - /* Validate incoming login request */ - if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) { - if (isset($config['system']['webgui']['authmode'])) { - $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - } else { - $authcfg = null; - } - if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || - authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { - // Generate a new id to avoid session fixation - session_regenerate_id(); - $_SESSION['Logged_In'] = "True"; - $_SESSION['Username'] = $_POST['usernamefld']; - $_SESSION['last_access'] = time(); - $_SESSION['protocol'] = $config['system']['webgui']['protocol']; - if (!isset($config['system']['webgui']['quietlogin'])) { - log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); - } - if (isset($_POST['postafterlogin'])) - return true; - else { - header("Location: {$_SERVER['REQUEST_URI']}"); - } - exit; - } else { - /* give the user an error message */ - $_SESSION['Login_Error'] = _('Wrong username or password.'); - log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); - if (isAjax()) { - echo 
"showajaxmessage('{$_SESSION['Login_Error']}');"; - return; - } - } - } - - /* Show login page if they aren't logged in */ - if (empty($_SESSION['Logged_In'])) - return false; - - /* If session timeout isn't set, we don't mark sessions stale */ - if (!isset($config['system']['webgui']['session_timeout'])) { - /* Default to 4 hour timeout if one is not set */ - if ($_SESSION['last_access'] < (time() - 14400)) { - $_GET['logout'] = true; - $_SESSION['Logout'] = true; - } else - $_SESSION['last_access'] = time(); - } else if (intval($config['system']['webgui']['session_timeout']) == 0) { - /* only update if it wasn't ajax */ - if (!isAjax()) - $_SESSION['last_access'] = time(); - } else { - /* Check for stale session */ - if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) { - $_GET['logout'] = true; - $_SESSION['Logout'] = true; - } else { - /* only update if it wasn't ajax */ - if (!isAjax()) - $_SESSION['last_access'] = time(); - } - } - - /* user hit the logout button */ - if (isset($_GET['logout'])) { - - if ($_SESSION['Logout']) - log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); - else - log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); - - /* wipe out $_SESSION */ - $_SESSION = array(); - - if (isset($_COOKIE[session_name()])) - setcookie(session_name(), '', time()-42000, '/'); - - /* and destroy it */ - session_destroy(); - - $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); - $scriptElms = count($scriptName); - $scriptName = $scriptName[$scriptElms-1]; - - if (isAjax()) - return false; - - /* redirect to page the user is on, it'll prompt them to login again */ - header("Location: {$scriptName}"); - - return false; - } - - return true; -} - -/** - * do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user. 
- * @param $http_auth_header http_authorization header content - * @return bool - */ -function http_basic_auth($http_auth_header) -{ - $tags=explode(" ", $http_auth_header) ; - if (count($tags) >= 2) { - $userinfo= explode(":", base64_decode($tags[1])) ; - if (count($userinfo)>=2) { - return authenticate_user($userinfo[0], $userinfo[1]); - } - } - - // not authenticated - return false; -} diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc index 761d5ff49..4b12064fc 100644 --- a/src/etc/inc/authgui.inc +++ b/src/etc/inc/authgui.inc 
@@ -32,6 +32,124 @@ include_once("auth.inc"); include_once("priv.inc"); +function session_auth() { + global $config, $_SESSION; + + // Handle HTTPS httponly and secure flags + $currentCookieParams = session_get_cookie_params(); + session_set_cookie_params( + $currentCookieParams["lifetime"], + $currentCookieParams["path"], + NULL, + ($config['system']['webgui']['protocol'] == "https"), + true + ); + + if (session_status() == PHP_SESSION_NONE) { + session_start(); + } + + // Detect protocol change + if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) + return false; + + /* Validate incoming login request */ + if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) { + if (isset($config['system']['webgui']['authmode'])) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + } else { + $authcfg = null; + } + if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || + authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { + // Generate a new id to avoid session fixation + session_regenerate_id(); + $_SESSION['Logged_In'] = "True"; + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['last_access'] = time(); + $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + if (!isset($config['system']['webgui']['quietlogin'])) { + log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); + } + if (isset($_POST['postafterlogin'])) + return true; + else { + header("Location: {$_SERVER['REQUEST_URI']}"); + } + exit; + } else { + /* give the user an error message */ + $_SESSION['Login_Error'] = _('Wrong username or password.'); + log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); + if (isAjax()) { + echo "showajaxmessage('{$_SESSION['Login_Error']}');"; + return; 
+ } + } + } + + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) + return false; + + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout'])) { + /* Default to 4 hour timeout if one is not set */ + if ($_SESSION['last_access'] < (time() - 14400)) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else + $_SESSION['last_access'] = time(); + } else if (intval($config['system']['webgui']['session_timeout']) == 0) { + /* only update if it wasn't ajax */ + if (!isAjax()) + $_SESSION['last_access'] = time(); + } else { + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else { + /* only update if it wasn't ajax */ + if (!isAjax()) + $_SESSION['last_access'] = time(); + } + } + + /* user hit the logout button */ + if (isset($_GET['logout'])) { + + if ($_SESSION['Logout']) + log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + else + log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + + /* wipe out $_SESSION */ + $_SESSION = array(); + + if (isset($_COOKIE[session_name()])) + setcookie(session_name(), '', time()-42000, '/'); + + /* and destroy it */ + session_destroy(); + + $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; + + if (isAjax()) + return false; + + /* redirect to page the user is on, it'll prompt them to login again */ + header("Location: {$scriptName}"); + + return false; + } + + return true; +} + + /* Authenticate user - exit if failed */ if (!session_auth()) { display_login_form(); diff --git a/src/www/xmlrpc.php b/src/www/xmlrpc.php index ac092ffde..dcb642260 100644 
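Review bot: On the `session_regenerate_id();` line after a successful login, the pre-login session record stays alive under its previous id; `session_regenerate_id(true);` deletes it, which is what the `// Generate a new id to avoid session fixation` comment intends. The logout branch also reads `$_SESSION['Logout']` unconditionally, yet that key is only assigned on the timeout paths, so a logout triggered via `$_GET['logout']` alone raises an undefined-index notice before falling through to the "User logged out" message; `if (!empty($_SESSION['Logout']))` avoids the notice, and the same applies to `$_SESSION['protocol']` in the protocol-change check for sessions that predate that field. Both points fit the "isset issues" theme of this commit; session_auth is moved rather than changed here, so they carry over from auth.inc.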
--- a/src/www/xmlrpc.php +++ b/src/www/xmlrpc.php @@ -29,6 +29,25 @@ require_once("xmlrpc.inc"); require_once("auth.inc"); +/** + * do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user. + * @param $http_auth_header http_authorization header content + * @return bool + */ +function http_basic_auth($http_auth_header) +{ + $tags=explode(" ", $http_auth_header) ; + if (count($tags) >= 2) { + $userinfo= explode(":", base64_decode($tags[1])) ; + if (count($userinfo)>=2) { + return authenticate_user($userinfo[0], $userinfo[1]); + } + } + + // not authenticated + return false; +} + /** * Simple XML-RPC server using IXR_Library