authorMeik Sievertsen <acydburn@phpbb.com>2007-10-03 17:47:58 +0000
committerMeik Sievertsen <acydburn@phpbb.com>2007-10-03 17:47:58 +0000
commit7a942662d95775dc7a538bfe6346e7927cce082a (patch)
treea0c43447fe8ffe7f5ee6190afb81b002460d61ee /phpBB/includes
parentcfe004f2a28fbfcd194f73d2e4abf146fcf87ac9 (diff)
#i41
(basically do not allow autocompletion for admin re-authentication) git-svn-id: file:///svn/phpbb/trunk@8126 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes')
-rw-r--r--phpBB/includes/functions.php44
1 files changed, 40 insertions, 4 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 682c3e7a86..9412822c0a 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2170,8 +2170,28 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
if (isset($_POST['login']))
{
+ // Get credential
+ if ($admin)
+ {
+ $credential = request_var('credential', '');
+
+ if (strspn($credential, 'abcdef0123456789') !== strlen($credential) || strlen($credential) != 32)
+ {
+ if ($user->data['is_registered'])
+ {
+ add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
+ }
+ trigger_error('NO_AUTH_ADMIN');
+ }
+
+ $password = request_var('password_' . $credential, '', true);
+ }
+ else
+ {
+ $password = request_var('password', '', true);
+ }
+
$username = request_var('username', '', true);
- $password = request_var('password', '', true);
$autologin = (!empty($_POST['autologin'])) ? true : false;
$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
$admin = ($admin) ? 1 : 0;
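Review bot: The credential check on the `strspn` line mixes a strict `!==` for the hex-span test with a loose `!= 32` for the length, and runs the scan before the cheaper length test; the two halves should agree and the length should come first, `if (strlen($credential) !== 32 || strspn($credential, 'abcdef0123456789') !== 32)`. The value is only format-checked here and, as far as the diff shows, never compared with anything kept server-side (the generating hunk below assigns `md5(unique_id())` and only echoes it as a hidden field), so a reader may over-estimate what it protects; a comment above the check would settle that: `// Credential is only format-checked: it stops browsers auto-filling the password field and is not a session-bound CSRF/replay token`. The body of login_box continues outside this hunk.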
@@ -2310,7 +2330,20 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
$redirect .= $user->page['page_name'] . (($user->page['query_string']) ? '?' . htmlspecialchars($user->page['query_string']) : '');
}
- $s_hidden_fields = build_hidden_fields(array('redirect' => $redirect, 'sid' => $user->session_id));
+ // Assign credential for username/password pair
+ $credential = ($admin) ? md5(unique_id()) : false;
+
+ $s_hidden_fields = array(
+ 'redirect' => $redirect,
+ 'sid' => $user->session_id,
+ );
+
+ if ($admin)
+ {
+ $s_hidden_fields['credential'] = $credential;
+ }
+
+ $s_hidden_fields = build_hidden_fields($s_hidden_fields);
$template->assign_vars(array(
'LOGIN_ERROR' => $err,
@@ -2326,8 +2359,11 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
'S_HIDDEN_FIELDS' => $s_hidden_fields,
'S_ADMIN_AUTH' => $admin,
- 'USERNAME' => ($admin) ? $user->data['username'] : '')
- );
+ 'USERNAME' => ($admin) ? $user->data['username'] : '',
+
+ 'USERNAME_CREDENTIAL' => 'username',
+ 'PASSWORD_CREDENTIAL' => ($admin) ? 'password_' . $credential : 'password',
+ ));
page_header($user->lang['LOGIN']);
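Review bot: `PASSWORD_CREDENTIAL` is handed to the template as a raw string that presumably ends up inside an input `name` attribute, and nothing at this line records why that is safe; its safety rests on `$credential` being a server-generated md5 hex digest assigned earlier in this function, never request input. A comment on the `PASSWORD_CREDENTIAL` line would make the invariant explicit for anyone later changing how the credential is produced: `// safe to emit unescaped: $credential is a server-generated hex digest, not request data`. The templates that must use these two new variables are not part of this diff, so whether they consume `USERNAME_CREDENTIAL`/`PASSWORD_CREDENTIAL` consistently cannot be checked here.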