From b776d02682492077a4fafd8835d7c4a17e50762d Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Tue, 2 Jun 2009 14:12:23 +0000 Subject: Okay, a first ci of the new captcha plugins. We'll add dynamic template includes later, as well as documentation on how to use this. I'm prepared to get yelled at for bugs (oh, I know that there are plenty); but please blame spammers for broken styles and MODs. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9524 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 39 ++++++--------------------------------- 1 file changed, 6 insertions(+), 33 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 24d4c56614..bdafefa70b 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -81,42 +81,15 @@ function login_db(&$username, &$password) } else { - global $user; - - $sql = 'SELECT code - FROM ' . CONFIRM_TABLE . " - WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' - AND session_id = '" . $db->sql_escape($user->session_id) . "' - AND confirm_type = " . CONFIRM_LOGIN; - $result = $db->sql_query($sql); - $confirm_row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($confirm_row) + $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha->init(CONFIRM_LOGIN); + $vc_response = $captcha->validate(); + if ($vc_response) { - if (strcasecmp($confirm_row['code'], $confirm_code) === 0) - { - $sql = 'DELETE FROM ' . CONFIRM_TABLE . " - WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' - AND session_id = '" . $db->sql_escape($user->session_id) . "' - AND confirm_type = " . CONFIRM_LOGIN; - $db->sql_query($sql); - } - else - { - return array( + return array( 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'CONFIRM_CODE_WRONG', + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', 'user_row' => $row, - ); - } - } - else - { - return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'CONFIRM_CODE_WRONG', - 'user_row' => $row, ); } } -- cgit v1.2.1 From a539fca62b10f53a5f5dadf07f9ab07340fdabf9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 7 Jun 2009 11:34:01 +0000 Subject: some corrections, only very minor things. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9554 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index bdafefa70b..f798264ada 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -68,7 +68,6 @@ function login_db(&$username, &$password) if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) { $confirm_id = request_var('confirm_id', ''); - $confirm_code = request_var('confirm_code', ''); // Visual Confirmation handling if (!$confirm_id) @@ -84,12 +83,13 @@ function login_db(&$username, &$password) $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); $vc_response = $captcha->validate(); + if ($vc_response) { return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', - 'user_row' => $row, + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', + 'user_row' => $row, ); } } @@ -130,7 +130,7 @@ function login_db(&$username, &$password) $row['user_pass_convert'] = 0; $row['user_password'] = $hash; } - else + else { // Although we weren't able to convert this password we have to // increase login attempt count to make sure this cannot be exploited -- cgit v1.2.1 From 11dc41063313d62b100c16bceb289b12c7c3bf2b Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sat, 13 Jun 2009 14:09:51 +0000 Subject: Oh right. PHP4 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9581 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index f798264ada..5dc141ff77 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -80,7 +80,7 @@ function login_db(&$username, &$password) } else { - $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); $vc_response = $captcha->validate(); -- cgit v1.2.1 From 433de350c0fa2e1e09c23e6f5f29f118222d2df8 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sat, 20 Jun 2009 18:45:16 +0000 Subject: - [Feature] New "Newly Registered Users" group for assigning permissions to newly registered users. They will be removed from this group once they reach a defineable amount of posts. - [Feature] Ability to define if the "Newly Registered Users" group will be assigned as the default group to newly registered users. As a coincidence also Bug #46535 got fixed. Additionally the error message displayed with trigger_error() if accessing the private message tab in the ucp is now displayed inline in addition to a slightly different message for newly registered users to let them know that access permissions may be lifted over time. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9636 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 1 + phpBB/includes/auth/auth_ldap.php | 1 + 2 files changed, 2 insertions(+) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index 930f5a0632..391e7abb0e 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -217,6 +217,7 @@ function user_row_apache($username, $password) 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, ); } diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index d49662fb2d..11c62ad0bc 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -227,6 +227,7 @@ function login_ldap(&$username, &$password) 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, ); unset($ldap_result); -- cgit v1.2.1 From 5f6db9584c4b2594c437a07c0ecd60390ff39d5e Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Fri, 17 Jul 2009 13:21:03 +0000 Subject: Correct escaping/unescaping in the LDAP authentication plugin. #48175 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9769 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_ldap.php | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index 11c62ad0bc..b70e644b14 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -63,9 +63,11 @@ function init_ldap() // ldap_connect only checks whether the specified server is valid, so the connection might still fail $search = @ldap_search( $ldap, - $config['ldap_base_dn'], + htmlspecialchars_decode($config['ldap_base_dn']), ldap_user_filter($user->data['username']), - (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), 0, 1 ); @@ -85,7 +87,7 @@ function init_ldap() return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); } - if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']])) + if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])])) { return $user->lang['LDAP_NO_EMAIL']; } @@ -152,7 +154,7 @@ function login_ldap(&$username, &$password) if ($config['ldap_user'] || $config['ldap_password']) { - if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password']))) + if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) { return $user->lang['LDAP_NO_SERVER_CONNECTION']; } @@ -160,9 +162,11 @@ function login_ldap(&$username, &$password) $search = @ldap_search( $ldap, - $config['ldap_base_dn'], + htmlspecialchars_decode($config['ldap_base_dn']), ldap_user_filter($username), - (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), 0, 1 ); @@ -223,7 +227,7 @@ function login_ldap(&$username, &$password) $ldap_user_row = array( 'username' => $username, 'user_password' => phpbb_hash($password), - 'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '', + 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, -- cgit v1.2.1 From 94e29c3c170a1fd1e6c2794090232220ecb2d5f4 Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Sat, 18 Jul 2009 21:20:20 +0000 Subject: Fix #45315 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9783 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_ldap.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index b70e644b14..a6092baba5 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -281,7 +281,8 @@ function ldap_user_filter($username) $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; if ($config['ldap_user_filter']) { - $filter = "(&$filter({$config['ldap_user_filter']}))"; + $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; + $filter = "(&{$filter}{$_filter})"; } return $filter; } -- cgit v1.2.1