Merge remote-tracking branch 'upstream/develop' into feature/prune-users

* upstream/develop: (2171 commits) [ticket/11164] Update composer.phar [ticket/10933] Use inheritDoc, eliminate copy pasted docblocks. [ticket/10933] Dependency inject template context. [ticket/10933] Expanded prose documentation for phpbb_extension_provider. [ticket/10933] Specify empty template path for absolute includephp test. [ticket/10933] Useful documentation for template locate function [ticket/10933] Typo fixes [ticket/10933] Initialize template context when template is constructed. [ticket/11099] Mark acp_ban::display_ban_options() as static. [ticket/11158] Require acl_u_sig for ucp signature module. [ticket/11158] Revert old fix in PHPBB3-10186. [ticket/11159] static public is the currently approved order. [ticket/11157] static public is the currently approved order. [ticket/11157] Fix remaining captcha spam. [ticket/11157] get_captcha_types is an instance method. [ticket/11156] Delete "Misc" tab of forum based permissions + move items [ticket/10848] Move include up. [ticket/11014] Fix old pagination assignment [ticket/11018] Fix several paginations in ACP [ticket/11014] Fix IF statements for new template pagination ... Conflicts: phpBB/includes/functions_user.php
author: Oleg Pudeyev <oleg@bsdpower.com> 2012-11-06 11:11:27 -0500
committer: Oleg Pudeyev <oleg@bsdpower.com> 2012-11-06 11:11:27 -0500
commit: 87ea50948ea53c0d1beab5b44badebeae4292d1a (patch)
tree: dbc99fde4dfc62b84bae60c7e4ab5c02ddbe8a3c /phpBB/includes/auth/auth_db.php
parent: 5b48df41685da785b082612318ebe7a8012c4149 (diff)
parent: 44ff9d020fd218cbdb2f07a0d7f85a630367e3c2 (diff)
download: forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar
forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.gz
forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.bz2
forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.xz
forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.zip
1 files changed, 75 insertions, 6 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 6304d6e49a..ac944532a5 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -7,9 +7,8 @@
 * This is for authentication via the integrated user table
 *
 * @package login
-* @version $Id$
 * @copyright (c) 2005 phpBB Group
-* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
 *
 */
 
@@ -23,12 +22,29 @@ if (!defined('IN_PHPBB'))
 
 /**
 * Login function
+*
+* @param string $username
+* @param string $password
+* @param string $ip			IP address the login is taking place from. Used to
+*							limit the number of login attempts per IP address.
+* @param string $browser	The user agent used to login
+* @param string $forwarded_for X_FORWARDED_FOR header sent with login request
+* @return array				A associative array of the format
+*							array(
+*								'status' => status constant
+*								'error_msg' => string
+*								'user_row' => array
+*							)
 */
-function login_db(&$username, &$password)
+function login_db($username, $password, $ip = '', $browser = '', $forwarded_for = '')
 {
 	global $db, $config;
 	global $request;
 
+	// Auth plugins get the password untrimmed.
+	// For compatibility we trim() here.
+	$password = trim($password);
+
 	// do not allow empty password
 	if (!$password)
 	{
@@ -48,22 +64,71 @@ function login_db(&$username, &$password)
 		);
 	}
 
+	$username_clean = utf8_clean_string($username);
+
 	$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
 		FROM ' . USERS_TABLE . "
-		WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'";
+		WHERE username_clean = '" . $db->sql_escape($username_clean) . "'";
 	$result = $db->sql_query($sql);
 	$row = $db->sql_fetchrow($result);
 	$db->sql_freeresult($result);
 
+	if (($ip && !$config['ip_login_limit_use_forwarded']) ||
+		($forwarded_for && $config['ip_login_limit_use_forwarded']))
+	{
+		$sql = 'SELECT COUNT(*) AS attempts
+			FROM ' . LOGIN_ATTEMPT_TABLE . '
+			WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']);
+		if ($config['ip_login_limit_use_forwarded'])
+		{
+			$sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($forwarded_for) . "'";
+		}
+		else
+		{
+			$sql .= " AND attempt_ip = '" . $db->sql_escape($ip) . "' ";
+		}
+
+		$result = $db->sql_query($sql);
+		$attempts = (int) $db->sql_fetchfield('attempts');
+		$db->sql_freeresult($result);
+
+		$attempt_data = array(
+			'attempt_ip'			=> $ip,
+			'attempt_browser'		=> trim(substr($browser, 0, 149)),
+			'attempt_forwarded_for'	=> $forwarded_for,
+			'attempt_time'			=> time(),
+			'user_id'				=> ($row) ? (int) $row['user_id'] : 0,
+			'username'				=> $username,
+			'username_clean'		=> $username_clean,
+		);
+		$sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $db->sql_build_array('INSERT', $attempt_data);
+		$result = $db->sql_query($sql);
+	}
+	else
+	{
+		$attempts = 0;
+	}
+
 	if (!$row)
 	{
+		if ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max'])
+		{
+			return array(
+				'status'		=> LOGIN_ERROR_ATTEMPTS,
+				'error_msg'		=> 'LOGIN_ERROR_ATTEMPTS',
+				'user_row'		=> array('user_id' => ANONYMOUS),
+			);
+		}
+
 		return array(
 			'status'	=> LOGIN_ERROR_USERNAME,
 			'error_msg'	=> 'LOGIN_ERROR_USERNAME',
 			'user_row'	=> array('user_id' => ANONYMOUS),
 		);
 	}
-	$show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'];
+
+	$show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) ||
+		($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']);
 
 	// If there are too much login attempts, we need to check for an confirm image
 	// Every auth module is able to define what to do by itself...
@@ -76,7 +141,7 @@ function login_db(&$username, &$password)
 			include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
 		}
 
-		$captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']);
+		$captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']);
 		$captcha->init(CONFIRM_LOGIN);
 		$vc_response = $captcha->validate($row);
 		if ($vc_response)
@@ -177,6 +242,10 @@ function login_db(&$username, &$password)
 			$row['user_password'] = $hash;
 		}
 
+		$sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
+			WHERE user_id = ' . $row['user_id'];
+		$db->sql_query($sql);
+
 		if ($row['user_login_attempts'] != 0)
 		{
 			// Successful, reset login attempts (the user passed all stages)
author	Oleg Pudeyev <oleg@bsdpower.com>	2012-11-06 11:11:27 -0500
committer	Oleg Pudeyev <oleg@bsdpower.com>	2012-11-06 11:11:27 -0500
commit	87ea50948ea53c0d1beab5b44badebeae4292d1a (patch)
tree	dbc99fde4dfc62b84bae60c7e4ab5c02ddbe8a3c /phpBB/includes/auth/auth_db.php
parent	5b48df41685da785b082612318ebe7a8012c4149 (diff)
parent	44ff9d020fd218cbdb2f07a0d7f85a630367e3c2 (diff)
download	forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.gz forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.bz2 forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.tar.xz forums-87ea50948ea53c0d1beab5b44badebeae4292d1a.zip