diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index c212d017e..5eae174ef 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -1,33 +1,33 @@
- Copyright (C) 2005-2006 Bill Marquette
- Copyright (C) 2006 Paul Taylor
- Copyright (C) 2003-2006 Manuel Kasper
- All rights reserved.
+ Copyright (C) 2008 Shrew Soft Inc
+ Copyright (C) 2007-2008 Scott Ullrich
+ Copyright (C) 2005-2006 Bill Marquette
+ Copyright (C) 2006 Paul Taylor
+ Copyright (C) 2003-2006 Manuel Kasper
+ All rights reserved.
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
 */
 require_once("auth.inc");
@@ -39,217 +39,224 @@ $priv_list = $acl->getLegacyPrivList(); function cmp_page_matches($page, & $matches, $fullwc = true) { - if (!is_array($matches)) - return false; + if (!is_array($matches)) { + return false; + } - /* skip any leading fwdslash */ - $test = strpos($page, "/"); - if ($test !== false && $test == 0) - $page = substr($page, 1); + /* skip any leading fwdslash */ + $test = strpos($page, "/"); + if ($test !== false && $test == 0) { + $page = substr($page, 1); + } - /* look for a match */ - foreach ($matches as $match) { + /* look for a match */ + foreach ($matches as $match) { + /* possibly ignore full wildcard match */ + if (!$fullwc && !strcmp($match ,"*")) + continue; - /* possibly ignore full wildcard match */ - if (!$fullwc && !strcmp($match ,"*")) - continue; + /* compare exact or wildcard match */ + $match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $match); + $result = preg_match("@^/{$match}$@", "/{$page}"); - /* compare exact or wildcard match */ - $match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $match); - $result = preg_match("@^/{$match}$@", "/{$page}"); + if ($result) { + return true; + } + } - if ($result) - return true; - } - - return false; + return false; } function isAllowedPage($page) { - if (session_status() == PHP_SESSION_NONE) { - session_start(); - } - if (!isset($_SESSION['Username'])) { - session_write_close(); - return false; - } + if (session_status() == PHP_SESSION_NONE) { + session_start(); + } + if (!isset($_SESSION['Username'])) { + session_write_close(); + return false; + } - /* root access check */ - $user = getUserEntry($_SESSION['Username']); - session_write_close(); - if (isset($user)) { - if (isset($user['uid'])) { - if ($user['uid'] == 0) { - return true; - } - } - } + /* root access check */ + $user = getUserEntry($_SESSION['Username']); + session_write_close(); + if (isset($user)) { + if (isset($user['uid'])) { + if ($user['uid'] == 0) { + return true; + } + } + } - /* user 
privelege access check */ - $allowedpages = getAllowedPages($_SESSION['Username']); - return cmp_page_matches($page, $allowedpages); + /* user privelege access check */ + $allowedpages = getAllowedPages($_SESSION['Username']); + return cmp_page_matches($page, $allowedpages); } function getPrivPages(& $entry, & $allowed_pages) { - global $priv_list; + global $priv_list; - if (!isset($entry['priv']) || !is_array($entry['priv'])) - return; + if (!isset($entry['priv']) || !is_array($entry['priv'])) { + return; + } - foreach ($entry['priv'] as $pname) { - if (strncmp($pname, "page-", 5)) - continue; - $priv = &$priv_list[$pname]; - if (!is_array($priv)) - continue; - $matches = &$priv['match']; - if (!is_array($matches)) - continue; - foreach ($matches as $match) - $allowed_pages[] = $match; - } + foreach ($entry['priv'] as $pname) { + if (strncmp($pname, "page-", 5)) { + continue; + } + $priv = &$priv_list[$pname]; + if (!is_array($priv)) { + continue; + } + $matches = &$priv['match']; + if (!is_array($matches)) { + continue; + } + foreach ($matches as $match) { + $allowed_pages[] = $match; + } + } } function getAllowedPages($username) { - global $config; + global $config; - $allowed_pages = array(); - $allowed_groups = array(); + $allowed_pages = array(); + $allowed_groups = array(); - // search for a local user by name - $local_user = getUserEntry($username); - getPrivPages($local_user, $allowed_pages); + // search for a local user by name + $local_user = getUserEntry($username); + getPrivPages($local_user, $allowed_pages); - // obtain local groups if we have a local user - $allowed_groups = local_user_get_groups($local_user); + // obtain local groups if we have a local user + $allowed_groups = local_user_get_groups($local_user); - // build a list of allowed pages - if (is_array($config['system']['group']) && is_array($allowed_groups)) { - foreach ($config['system']['group'] as $group) { - // a bit odd, we have seem some cases in the wild where $group doesn't contain 
a name attribute. - // this shouldn't happen, but to avoid warnings we will check over here. - if (isset($group['name']) && in_array($group['name'], $allowed_groups)) { - getPrivPages($group, $allowed_pages); - } - } - } + // build a list of allowed pages + if (is_array($config['system']['group']) && is_array($allowed_groups)) { + foreach ($config['system']['group'] as $group) { + // a bit odd, we have seem some cases in the wild where $group doesn't contain a name attribute. + // this shouldn't happen, but to avoid warnings we will check over here. + if (isset($group['name']) && in_array($group['name'], $allowed_groups)) { + getPrivPages($group, $allowed_pages); + } + } + } - return $allowed_pages; + return $allowed_pages; } function session_auth(&$Login_Error) { - global $config, $_SESSION; + global $config, $_SESSION; - // Handle HTTPS httponly and secure flags - $currentCookieParams = session_get_cookie_params(); - session_set_cookie_params( - $currentCookieParams["lifetime"], - $currentCookieParams["path"], - NULL, - ($config['system']['webgui']['protocol'] == "https"), - true - ); + // Handle HTTPS httponly and secure flags + $currentCookieParams = session_get_cookie_params(); + session_set_cookie_params( + $currentCookieParams["lifetime"], + $currentCookieParams["path"], + NULL, + ($config['system']['webgui']['protocol'] == "https"), + true + ); - if (session_status() == PHP_SESSION_NONE) { - session_start(); - } + if (session_status() == PHP_SESSION_NONE) { + session_start(); + } - // Detect protocol change - if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { - session_write_close(); - return false; - } + // Detect protocol change + if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) { + session_write_close(); + return false; + } - /* Validate incoming login request */ - if (isset($_POST['login']) 
&& !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) { - if (isset($config['system']['webgui']['authmode'])) { - $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); - } else { - $authcfg = null; - } - // authenticate using config settings, or local if failed - if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || - authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { - // Generate a new id to avoid session fixation - session_regenerate_id(); - $_SESSION['Logged_In'] = "True"; - $_SESSION['Username'] = $_POST['usernamefld']; - $_SESSION['last_access'] = time(); - $_SESSION['protocol'] = $config['system']['webgui']['protocol']; - if (!isset($config['system']['webgui']['quietlogin'])) { - log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); - } - header("Location: {$_SERVER['REQUEST_URI']}"); - exit; - } else { - /* give the user an error message */ - $Login_Error = gettext('Wrong username or password.'); - log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); - } - } + /* Validate incoming login request */ + if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) { + if (isset($config['system']['webgui']['authmode'])) { + $authcfg = auth_get_authserver($config['system']['webgui']['authmode']); + } else { + $authcfg = null; + } + // authenticate using config settings, or local if failed + if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) || + authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) { + // Generate a new id to avoid session fixation + session_regenerate_id(); + $_SESSION['Logged_In'] = "True"; + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['last_access'] = time(); + $_SESSION['protocol'] = $config['system']['webgui']['protocol']; + if 
(!isset($config['system']['webgui']['quietlogin'])) { + log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR'])); + } + header("Location: {$_SERVER['REQUEST_URI']}"); + exit; + } else { + /* give the user an error message */ + $Login_Error = gettext('Wrong username or password.'); + log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}"); + } + } - /* Show login page if they aren't logged in */ - if (empty($_SESSION['Logged_In'])) { - session_write_close(); - return false; - } + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) { + session_write_close(); + return false; + } - /* If session timeout isn't set, we don't mark sessions stale */ - if (!isset($config['system']['webgui']['session_timeout'])) { - /* Default to 4 hour timeout if one is not set */ - if ($_SESSION['last_access'] < (time() - 14400)) { - $_GET['logout'] = true; - $_SESSION['Logout'] = true; - } else { - $_SESSION['last_access'] = time(); - } - } else if (intval($config['system']['webgui']['session_timeout']) == 0) { - $_SESSION['last_access'] = time(); - } else { - /* Check for stale session */ - if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) { - $_GET['logout'] = true; - $_SESSION['Logout'] = true; - } else { - $_SESSION['last_access'] = time(); - } - } + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout'])) { + /* Default to 4 hour timeout if one is not set */ + if ($_SESSION['last_access'] < (time() - 14400)) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else { + $_SESSION['last_access'] = time(); + } + } else if (intval($config['system']['webgui']['session_timeout']) == 0) { + $_SESSION['last_access'] = time(); + } else { + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - 
($config['system']['webgui']['session_timeout'] * 60))) { + $_GET['logout'] = true; + $_SESSION['Logout'] = true; + } else { + $_SESSION['last_access'] = time(); + } + } - /* user hit the logout button */ - if (isset($_GET['logout'])) { - if (isset($_SESSION['Logout'])) { - log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); - } else { - log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); - } + /* user hit the logout button */ + if (isset($_GET['logout'])) { + if (isset($_SESSION['Logout'])) { + log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + } else { + log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR'])); + } - /* wipe out $_SESSION */ - $_SESSION = array(); + /* wipe out $_SESSION */ + $_SESSION = array(); - if (isset($_COOKIE[session_name()])) { - setcookie(session_name(), '', time()-42000, '/'); - } + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-42000, '/'); + } - /* and destroy it */ - session_destroy(); + /* and destroy it */ + session_destroy(); - $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); - $scriptElms = count($scriptName); - $scriptName = $scriptName[$scriptElms-1]; + $scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; - /* redirect to page the user is on, it'll prompt them to login again */ - header("Location: {$scriptName}"); - exit; - } + /* redirect to page the user is on, it'll prompt them to login again */ + header("Location: {$scriptName}"); + exit; + } - session_write_close(); - return true; + session_write_close(); + return true; } $Login_Error = ''; 
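Review bot: In cmp_page_matches the new side still escapes only `.`, `*` and `?` before interpolating a privilege's match string into `@^/{$match}$@`, so any other PCRE metacharacter or a literal `@` in a match entry either widens the match or makes preg_match return false, which this function treats as "no match". `$match = str_replace('\*', '.*', preg_quote($match, '@'));` keeps the existing semantics (`*` as wildcard, `?` literal) while escaping everything else, and a `D` modifier on the pattern (`"@^/{$match}$@D"`) stops a trailing newline in `$page` from satisfying the `$` anchor; whether a caller can pass such a value is not visible in this hunk. In getPrivPages, `$priv = &$priv_list[$pname];` and `$matches = &$priv['match'];` take references to elements that may not exist, which inserts null entries into the global `$priv_list` for every unknown privilege name; reading by value, e.g. `$priv = isset($priv_list[$pname]) ? $priv_list[$pname] : null;` (and likewise for `match`), leaves the shared table untouched. In isAllowedPage the root check `$user['uid'] == 0` is a loose comparison, so on PHP before 8 a non-numeric uid string compares equal to 0 and would grant full access if getUserEntry can ever return one; `(string)$user['uid'] === '0'` pins the intended value whatever type the entry carries.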
@@ -296,35 +303,35 @@ function display_error_form($http_code, $desc) - + - - + + - - - - - + + + + + - <?=$http_code?> + <?=$http_code?> - - + + - - - - - + + + + + - + - - + + - - - - - + + + + + - <?=gettext("Login"); ?> + <?=gettext("Login"); ?> - - + + - + - - + + - + - - + +