diff options
| author | Meik Sievertsen <acydburn@phpbb.com> | 2007-10-03 17:47:58 +0000 |
|---|---|---|
| committer | Meik Sievertsen <acydburn@phpbb.com> | 2007-10-03 17:47:58 +0000 |
| commit | 7a942662d95775dc7a538bfe6346e7927cce082a (patch) | |
| tree | a0c43447fe8ffe7f5ee6190afb81b002460d61ee | |
| parent | cfe004f2a28fbfcd194f73d2e4abf146fcf87ac9 (diff) | |
| download | forums-7a942662d95775dc7a538bfe6346e7927cce082a.tar forums-7a942662d95775dc7a538bfe6346e7927cce082a.tar.gz forums-7a942662d95775dc7a538bfe6346e7927cce082a.tar.bz2 forums-7a942662d95775dc7a538bfe6346e7927cce082a.tar.xz forums-7a942662d95775dc7a538bfe6346e7927cce082a.zip | |
#i41
(basically do not allow autocompletion for admin re-authentication)
git-svn-id: file:///svn/phpbb/trunk@8126 89ea8834-ac86-4346-8a33-228a782c2dd0
| -rw-r--r-- | phpBB/includes/functions.php | 44 | ||||
| -rw-r--r-- | phpBB/styles/prosilver/template/login_body.html | 8 | ||||
| -rw-r--r-- | phpBB/styles/subsilver2/template/login_body.html | 4 |
3 files changed, 46 insertions, 10 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 682c3e7a86..9412822c0a 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2170,8 +2170,28 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa if (isset($_POST['login'])) { + // Get credential + if ($admin) + { + $credential = request_var('credential', ''); + + if (strspn($credential, 'abcdef0123456789') !== strlen($credential) || strlen($credential) != 32) + { + if ($user->data['is_registered']) + { + add_log('admin', 'LOG_ADMIN_AUTH_FAIL'); + } + trigger_error('NO_AUTH_ADMIN'); + } + + $password = request_var('password_' . $credential, '', true); + } + else + { + $password = request_var('password', '', true); + } + $username = request_var('username', '', true); - $password = request_var('password', '', true); $autologin = (!empty($_POST['autologin'])) ? true : false; $viewonline = (!empty($_POST['viewonline'])) ? 0 : 1; $admin = ($admin) ? 1 : 0; @@ -2310,7 +2330,20 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa $redirect .= $user->page['page_name'] . (($user->page['query_string']) ? '?' . htmlspecialchars($user->page['query_string']) : ''); } - $s_hidden_fields = build_hidden_fields(array('redirect' => $redirect, 'sid' => $user->session_id)); + // Assign credential for username/password pair + $credential = ($admin) ? md5(unique_id()) : false; + + $s_hidden_fields = array( + 'redirect' => $redirect, + 'sid' => $user->session_id, + ); + + if ($admin) + { + $s_hidden_fields['credential'] = $credential; + } + + $s_hidden_fields = build_hidden_fields($s_hidden_fields); $template->assign_vars(array( 'LOGIN_ERROR' => $err, @@ -2326,8 +2359,11 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa 'S_HIDDEN_FIELDS' => $s_hidden_fields, 'S_ADMIN_AUTH' => $admin, - 'USERNAME' => ($admin) ? $user->data['username'] : '') - ); + 'USERNAME' => ($admin) ? $user->data['username'] : '', + + 'USERNAME_CREDENTIAL' => 'username', + 'PASSWORD_CREDENTIAL' => ($admin) ? 'password_' . $credential : 'password', + )); page_header($user->lang['LOGIN']); diff --git a/phpBB/styles/prosilver/template/login_body.html b/phpBB/styles/prosilver/template/login_body.html index f928f24fd1..f1837c5193 100644 --- a/phpBB/styles/prosilver/template/login_body.html +++ b/phpBB/styles/prosilver/template/login_body.html @@ -11,12 +11,12 @@ <fieldset <!-- IF not S_CONFIRM_CODE -->class="fields1"<!-- ELSE -->class="fields2"<!-- ENDIF -->> <!-- IF LOGIN_ERROR --><div class="error">{LOGIN_ERROR}</div><!-- ENDIF --> <dl> - <dt><label for="username">{L_USERNAME}:</label></dt> - <dd><input type="text" tabindex="1" name="username" id="username" size="25" value="{USERNAME}" class="inputbox autowidth" /></dd> + <dt><label for="{USERNAME_CREDENTIAL}">{L_USERNAME}:</label></dt> + <dd><input type="text" tabindex="1" name="{USERNAME_CREDENTIAL}" id="{USERNAME_CREDENTIAL}" size="25" value="{USERNAME}" class="inputbox autowidth" /></dd> </dl> <dl> - <dt><label for="password">{L_PASSWORD}:</label></dt> - <dd><input type="password" tabindex="2" id="password" name="password" size="25" class="inputbox autowidth" /></dd> + <dt><label for="{PASSWORD_CREDENTIAL}">{L_PASSWORD}:</label></dt> + <dd><input type="password" tabindex="2" id="{PASSWORD_CREDENTIAL}" name="{PASSWORD_CREDENTIAL}" size="25" class="inputbox autowidth" /></dd> <!-- IF S_DISPLAY_FULL_LOGIN and (U_SEND_PASSWORD or U_RESEND_ACTIVATION) --> <!-- IF U_SEND_PASSWORD --><dd><a href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a></dd><!-- ENDIF --> <!-- IF U_RESEND_ACTIVATION --><dd><a href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a></dd><!-- ENDIF --> diff --git a/phpBB/styles/subsilver2/template/login_body.html b/phpBB/styles/subsilver2/template/login_body.html index bc66ece6d4..d88eb6cb1b 100644 --- a/phpBB/styles/subsilver2/template/login_body.html +++ b/phpBB/styles/subsilver2/template/login_body.html @@ -35,7 +35,7 @@ <tr> <td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_USERNAME}:</b></td> - <td><input class="post" type="text" name="username" size="25" value="{USERNAME}" tabindex="1" /> + <td><input class="post" type="text" name="{USERNAME_CREDENTIAL}" size="25" value="{USERNAME}" tabindex="1" /> <!-- IF not S_ADMIN_AUTH --> <br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a> <!-- ENDIF --> @@ -44,7 +44,7 @@ <tr> <td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_PASSWORD}:</b></td> <td> - <input class="post" type="password" name="password" size="25" tabindex="2" /> + <input class="post" type="password" name="{PASSWORD_CREDENTIAL}" size="25" tabindex="2" /> <!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF --> <!-- IF U_RESEND_ACTIVATION and not S_ADMIN_AUTH --><br /><a class="gensmall" href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a><!-- ENDIF --> </td> |