From 217dc8e6d53beb62e6aa5ccaed68b86a9282d88e Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Fri, 14 Mar 2008 12:28:08 +0000 Subject: #22525 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8432 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 12 +++++++++++- phpBB/includes/auth/auth_db.php | 12 +++++++++++- phpBB/includes/auth/auth_ldap.php | 12 +++++++++++- 3 files changed, 33 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index ed3951dd7b..4581a1bbdb 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -48,8 +48,18 @@ function login_apache(&$username, &$password) if (!$password) { return array( - 'status' => LOGIN_BREAK, + 'status' => LOGIN_ERROR_PASSWORD, 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), ); } diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 432ae92d21..1a5fd9e418 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -32,8 +32,18 @@ function login_db(&$username, &$password) if (!$password) { return array( - 'status' => LOGIN_BREAK, + 'status' => LOGIN_ERROR_PASSWORD, 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), ); } diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index 472927ace3..d49662fb2d 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php 
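Review bot: The `if (!$password)` guard and the new `if (!$username)` guard in login_apache rely on PHP truthiness, so the literal string `0` is treated as missing input and an account with that username or password can never authenticate. An explicit emptiness test keeps the rejection of blank credentials without that side effect: `if ((string) $password === '')` and `if ((string) $username === '')`. The same pattern is added in the login_db hunk of this commit and in the login_ldap hunk that follows it. login_apache's body starts and ends outside the hunk.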
@@ -104,8 +104,18 @@ function login_ldap(&$username, &$password) if (!$password) { return array( - 'status' => LOGIN_BREAK, + 'status' => LOGIN_ERROR_PASSWORD, 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), ); } -- cgit v1.2.1 From fe80d95e8da99242d98b689840d93ed749de67fb Mon Sep 17 00:00:00 2001 From: Nils Adermann Date: Wed, 4 Jun 2008 16:05:27 +0000 Subject: HTTP Authentication supports UTF-8 usernames now [Bug #21135] git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8602 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index 4581a1bbdb..80ac81ed46 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -148,8 +148,8 @@ function autologin_apache() if (!empty($php_auth_user) && !empty($php_auth_pw)) { - set_var($php_auth_user, $php_auth_user, 'string'); - set_var($php_auth_pw, $php_auth_pw, 'string'); + set_var($php_auth_user, $php_auth_user, 'string', true); + set_var($php_auth_pw, $php_auth_pw, 'string', true); $sql = 'SELECT * FROM ' . USERS_TABLE . " @@ -233,7 +233,7 @@ function validate_session_apache(&$user) } $php_auth_user = ''; - set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string'); + set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true); return ($php_auth_user === $user['username']) ? true : false; } -- cgit v1.2.1 From 26b69ccafe7df8c9e12d929f4f8a0635975b0cdb Mon Sep 17 00:00:00 2001 
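Review bot: The empty-password guard at the top of login_ldap has no comment saying why it must stay ahead of any bind. Directory servers commonly accept a bind with a DN and an empty password as an unauthenticated bind that succeeds, so this check is presumably what stops a blank password from being reported as a valid login; the user bind itself is not visible in the hunk. I would add `// Must run before any ldap_bind(): an empty password can be accepted as an unauthenticated bind` above `if (!$password)`, so the check is not moved or removed in a later cleanup.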
From: Meik Sievertsen Date: Tue, 27 Jan 2009 09:23:54 +0000 Subject: Fix guest/bot session problems with apache authentication plugin (Bug #41085) git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9306 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index 80ac81ed46..f6d5f418d0 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -104,7 +104,7 @@ function login_apache(&$username, &$password) 'user_row' => $row, ); } - + // Successful login... return array( 'status' => LOGIN_SUCCESS, @@ -227,6 +227,18 @@ function user_row_apache($username, $password) */ function validate_session_apache(&$user) { + // We only need to check authenticated users. For anonymous user as well as bots the session of course did not expire. + if ($user['user_id'] == ANONYMOUS) + { + return true; + } + + // Checking for a bot is a bit mroe complicated... but we are able to check this with the user type (anonymous has the same as bots) + if ($user['user_type'] == USER_IGNORE) + { + return true; + } + if (!isset($_SERVER['PHP_AUTH_USER'])) { return false; -- cgit v1.2.1 From f0efebefd5d808e596334b056818319f46a43615 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Thu, 29 Jan 2009 13:08:44 +0000 Subject: better fix for bug #41085 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9311 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index f6d5f418d0..930f5a0632 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php 
@@ -227,27 +227,22 @@ function user_row_apache($username, $password) */ function validate_session_apache(&$user) { - // We only need to check authenticated users. For anonymous user as well as bots the session of course did not expire. - if ($user['user_id'] == ANONYMOUS) + // Check if PHP_AUTH_USER is set and handle this case + if (isset($_SERVER['PHP_AUTH_USER'])) { - return true; + $php_auth_user = ''; + set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true); + + return ($php_auth_user === $user['username']) ? true : false; } - // Checking for a bot is a bit mroe complicated... but we are able to check this with the user type (anonymous has the same as bots) + // PHP_AUTH_USER is not set. A valid session is now determined by the user type (anonymous/bot or not) if ($user['user_type'] == USER_IGNORE) { return true; } - if (!isset($_SERVER['PHP_AUTH_USER'])) - { - return false; - } - - $php_auth_user = ''; - set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true); - - return ($php_auth_user === $user['username']) ? true : false; + return false; } ?> \ No newline at end of file -- cgit v1.2.1 From e5f0824e4b1f4215c0126edccc162aa1a7c6787d Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Fri, 6 Feb 2009 14:51:26 +0000 Subject: As proposed by marshalrusty: re-hash plain MD5s left in the database git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9312 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 1a5fd9e418..24d4c56614 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php 
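Review bot: The rewritten validate_session_apache has three outcomes, but they are described only by two inline comments, and the function's docblock lies outside the hunk. This function decides whether an existing session survives a request, so I would state the contract in the docblock: a session is kept only when `PHP_AUTH_USER` equals the session username, or when the header is absent and the row is a guest or bot (`USER_IGNORE`); every other case returns false. I would also write the type test as `(int) $user['user_type'] === USER_IGNORE` so the result does not depend on loose comparison of a database string with an integer constant.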
@@ -141,7 +141,9 @@ function login_db(&$username, &$password) } // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding - if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']) + // plain md5 support left in for conversions from other systems. + if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) + || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) { $hash = phpbb_hash($password_new_format); @@ -155,7 +157,7 @@ function login_db(&$username, &$password) $row['user_pass_convert'] = 0; $row['user_password'] = $hash; } - else + else { // Although we weren't able to convert this password we have to // increase login attempt count to make sure this cannot be exploited -- cgit v1.2.1 From b776d02682492077a4fafd8835d7c4a17e50762d Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Tue, 2 Jun 2009 14:12:23 +0000 Subject: Okay, a first ci of the new captcha plugins. We'll add dynamic template includes later, as well as documentation on how to use this. I'm prepared to get yelled at for bugs (oh, I know that there are plenty); but please blame spammers for broken styles and MODs. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9524 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 39 ++++++--------------------------------- 1 file changed, 6 insertions(+), 33 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 24d4c56614..bdafefa70b 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php 
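Review bot: The 32-character branch of the new condition still compares MD5 hex digests with `==`, and PHP compares two numeric-looking strings as numbers. A stored digest and a computed digest that both consist of `0e` followed only by digits are therefore treated as equal even though they differ. Use strict comparison in both places: `md5($password_old_format) === $row['user_password']` and `md5(utf8_to_cp1252($password_old_format)) === $row['user_password']`. The condition sits inside login_db, whose body starts and ends outside the hunk.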
@@ -81,42 +81,15 @@ function login_db(&$username, &$password) } else { - global $user; - - $sql = 'SELECT code - FROM ' . CONFIRM_TABLE . " - WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' - AND session_id = '" . $db->sql_escape($user->session_id) . "' - AND confirm_type = " . CONFIRM_LOGIN; - $result = $db->sql_query($sql); - $confirm_row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($confirm_row) + $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha->init(CONFIRM_LOGIN); + $vc_response = $captcha->validate(); + if ($vc_response) { - if (strcasecmp($confirm_row['code'], $confirm_code) === 0) - { - $sql = 'DELETE FROM ' . CONFIRM_TABLE . " - WHERE confirm_id = '" . $db->sql_escape($confirm_id) . "' - AND session_id = '" . $db->sql_escape($user->session_id) . "' - AND confirm_type = " . CONFIRM_LOGIN; - $db->sql_query($sql); - } - else - { - return array( + return array( 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'CONFIRM_CODE_WRONG', + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', 'user_row' => $row, - ); - } - } - else - { - return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'CONFIRM_CODE_WRONG', - 'user_row' => $row, ); } } -- cgit v1.2.1 From a539fca62b10f53a5f5dadf07f9ab07340fdabf9 Mon Sep 17 00:00:00 2001 From: Meik Sievertsen Date: Sun, 7 Jun 2009 11:34:01 +0000 Subject: some corrections, only very minor things. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9554 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index bdafefa70b..f798264ada 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php 
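Review bot: `$vc_response = $captcha->validate();` followed by `if ($vc_response)` returning `LOGIN_ERROR_ATTEMPTS` reads as if a successful validation triggers the error, so the polarity needs a comment. Presumably validate() returns an error value on failure and something falsy once the captcha is solved, but that is defined in the captcha plugin and not in this hunk. Once that is confirmed, I would add `// validate() returns a non-empty error on failure and a falsy value when the captcha was solved` above the check. The enclosing `if (!$confirm_id)` / `else` starts outside the hunk.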
@@ -68,7 +68,6 @@ function login_db(&$username, &$password) if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) { $confirm_id = request_var('confirm_id', ''); - $confirm_code = request_var('confirm_code', ''); // Visual Confirmation handling if (!$confirm_id) @@ -84,12 +83,13 @@ function login_db(&$username, &$password) $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); $vc_response = $captcha->validate(); + if ($vc_response) { return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', - 'user_row' => $row, + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', + 'user_row' => $row, ); } } @@ -130,7 +130,7 @@ function login_db(&$username, &$password) $row['user_pass_convert'] = 0; $row['user_password'] = $hash; } - else + else { // Although we weren't able to convert this password we have to // increase login attempt count to make sure this cannot be exploited -- cgit v1.2.1 From 11dc41063313d62b100c16bceb289b12c7c3bf2b Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sat, 13 Jun 2009 14:09:51 +0000 Subject: Oh right. PHP4 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9581 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index f798264ada..5dc141ff77 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -80,7 +80,7 @@ function login_db(&$username, &$password) } else { - $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); $vc_response = $captcha->validate(); -- cgit v1.2.1 From 433de350c0fa2e1e09c23e6f5f29f118222d2df8 Mon Sep 17 00:00:00 2001 
From: Meik Sievertsen Date: Sat, 20 Jun 2009 18:45:16 +0000 Subject: - [Feature] New "Newly Registered Users" group for assigning permissions to newly registered users. They will be removed from this group once they reach a defineable amount of posts. - [Feature] Ability to define if the "Newly Registered Users" group will be assigned as the default group to newly registered users. As a coincidence also Bug #46535 got fixed. Additionally the error message displayed with trigger_error() if accessing the private message tab in the ucp is now displayed inline in addition to a slightly different message for newly registered users to let them know that access permissions may be lifted over time. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9636 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_apache.php | 1 + phpBB/includes/auth/auth_ldap.php | 1 + 2 files changed, 2 insertions(+) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index 930f5a0632..391e7abb0e 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -217,6 +217,7 @@ function user_row_apache($username, $password) 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, ); } diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index d49662fb2d..11c62ad0bc 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -227,6 +227,7 @@ function login_ldap(&$username, &$password) 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, ); unset($ldap_result); -- cgit v1.2.1 From 5f6db9584c4b2594c437a07c0ecd60390ff39d5e Mon Sep 17 00:00:00 2001 
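Review bot: The added `'user_new' => ($config['new_member_post_limit']) ? 1 : 0,` in user_row_apache reads `$config`, and the hunk does not show a `global $config;` declaration for that function. If the declaration is missing, the lookup evaluates to null and `user_new` is always 0, so accounts created through Apache authentication would never be placed under the newly-registered-user restrictions. Please confirm that the function's global list includes `$config`; other hunks on this page show login_ldap already reading `$config`, so the second hunk of this commit is not affected. The body of user_row_apache starts outside the hunk.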
From: Chris Smith Date: Fri, 17 Jul 2009 13:21:03 +0000 Subject: Correct escaping/unescaping in the LDAP authentication plugin. #48175 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9769 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_ldap.php | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index 11c62ad0bc..b70e644b14 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -63,9 +63,11 @@ function init_ldap() // ldap_connect only checks whether the specified server is valid, so the connection might still fail $search = @ldap_search( $ldap, - $config['ldap_base_dn'], + htmlspecialchars_decode($config['ldap_base_dn']), ldap_user_filter($user->data['username']), - (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), 0, 1 ); @@ -85,7 +87,7 @@ function init_ldap() return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); } - if (!empty($config['ldap_email']) && !isset($result[0][$config['ldap_email']])) + if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])])) { return $user->lang['LDAP_NO_EMAIL']; } @@ -152,7 +154,7 @@ function login_ldap(&$username, &$password) if ($config['ldap_user'] || $config['ldap_password']) { - if (!@ldap_bind($ldap, $config['ldap_user'], htmlspecialchars_decode($config['ldap_password']))) + if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) { return $user->lang['LDAP_NO_SERVER_CONNECTION']; } 
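Review bot: The changed check `!isset($result[0][htmlspecialchars_decode($config['ldap_email'])])` in init_ldap indexes the result with the attribute name exactly as configured. If `$result` comes from `ldap_get_entries()`, which is not visible in the hunk, PHP lowercases attribute names in the returned array. A configured name containing upper-case letters would then never be found, and a valid directory entry would be reported as having no e-mail. Indexing with `strtolower(htmlspecialchars_decode($config['ldap_email']))` avoids this. The same lookup appears in the `'user_email'` line of the login_ldap hunk later in this commit.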
@@ -160,9 +162,11 @@ function login_ldap(&$username, &$password) $search = @ldap_search( $ldap, - $config['ldap_base_dn'], + htmlspecialchars_decode($config['ldap_base_dn']), ldap_user_filter($username), - (empty($config['ldap_email'])) ? array($config['ldap_uid']) : array($config['ldap_uid'], $config['ldap_email']), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), 0, 1 ); @@ -223,7 +227,7 @@ function login_ldap(&$username, &$password) $ldap_user_row = array( 'username' => $username, 'user_password' => phpbb_hash($password), - 'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '', + 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, 'user_ip' => $user->ip, -- cgit v1.2.1 From 94e29c3c170a1fd1e6c2794090232220ecb2d5f4 Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Sat, 18 Jul 2009 21:20:20 +0000 Subject: Fix #45315 git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9783 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_ldap.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index b70e644b14..a6092baba5 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php 
@@ -281,7 +281,8 @@ function ldap_user_filter($username) $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; if ($config['ldap_user_filter']) { - $filter = "(&$filter({$config['ldap_user_filter']}))"; + $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; + $filter = "(&{$filter}{$_filter})"; } return $filter; } -- cgit v1.2.1 From bf2133d38038504a455a56ad18ddea2a879ad579 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Tue, 15 Sep 2009 09:08:37 +0000 Subject: #51395 - remove legacy captcha code. authorised by: acyd burn git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10143 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 5dc141ff77..71f8a7c082 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -67,10 +67,12 @@ function login_db(&$username, &$password) // Every auth module is able to define what to do by itself... if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) { - $confirm_id = request_var('confirm_id', ''); - // Visual Confirmation handling - if (!$confirm_id) + + $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha->init(CONFIRM_LOGIN); + $vc_response = $captcha->validate(); + if ($vc_response) { return array( 'status' => LOGIN_ERROR_ATTEMPTS, 
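Review bot: The new `$_filter` logic in ldap_user_filter places `$config['ldap_user_filter']` into the search filter without `htmlspecialchars_decode()`, while the preceding commit on this page decodes `ldap_base_dn`, `ldap_uid`, `ldap_email` and `ldap_user` before they reach the LDAP functions. If config values are stored HTML-escaped, as that commit implies, a configured filter containing `&`, `<` or `>` reaches the server as `&amp;`, `&lt;` or `&gt;`, and the search restricts logins to the wrong set of entries or to none. Decode once up front with `$user_filter = htmlspecialchars_decode($config['ldap_user_filter']);` and use `$user_filter` in the parenthesis test and in the interpolation. The context line that builds `$filter` from `$config['ldap_uid']` has the same gap.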
@@ -78,21 +80,7 @@ function login_db(&$username, &$password) 'user_row' => $row, ); } - else - { - $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); - $captcha->init(CONFIRM_LOGIN); - $vc_response = $captcha->validate(); - - if ($vc_response) - { - return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', - 'user_row' => $row, - ); - } - } + } // If the password convert flag is set we need to convert it -- cgit v1.2.1 From 0139246ccb712339395fb5c6af0c2c84eaf38ed6 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Thu, 14 Jan 2010 22:55:38 +0000 Subject: make userdata available git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10406 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 71f8a7c082..e49f3aa248 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -71,7 +71,7 @@ function login_db(&$username, &$password) $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); - $vc_response = $captcha->validate(); + $vc_response = $captcha->validate($row); if ($vc_response) { return array( -- cgit v1.2.1 From ef2cd7b6c96ba1cf39f7ee6cc0655278c1e4a485 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sun, 17 Jan 2010 16:46:41 +0000 Subject: Always require a fresh solved captcha, don't accept a stored solution. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10411 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index e49f3aa248..10dcbe1c27 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php 
@@ -62,10 +62,11 @@ function login_db(&$username, &$password) 'user_row' => array('user_id' => ANONYMOUS), ); } + $show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']; // If there are too much login attempts, we need to check for an confirm image // Every auth module is able to define what to do by itself... - if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) + if ($show_captcha) { // Visual Confirmation handling @@ -80,6 +81,10 @@ function login_db(&$username, &$password) 'user_row' => $row, ); } + else + { + $captcha->reset(); + } } @@ -189,8 +194,8 @@ function login_db(&$username, &$password) // Give status about wrong password... return array( - 'status' => LOGIN_ERROR_PASSWORD, - 'error_msg' => 'LOGIN_ERROR_PASSWORD', + 'status' => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD, + 'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD', 'user_row' => $row, ); } -- cgit v1.2.1 From b4d8a0e538da4d357d246545d032a8907d7466c6 Mon Sep 17 00:00:00 2001 From: Henry Sudhof Date: Sun, 17 Jan 2010 16:48:46 +0000 Subject: spaces git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10412 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 10dcbe1c27..e533f4db77 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -81,10 +81,10 @@ function login_db(&$username, &$password) 'user_row' => $row, ); } - else - { - $captcha->reset(); - } + else + { + $captcha->reset(); + } } -- cgit v1.2.1 From 0480a4e91e4da1a9494cd0b0370780fabed5479c Mon Sep 17 00:00:00 2001 
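Review bot: The new `else { $captcha->reset(); }` branch in login_db has no comment, and without one it looks as if a solved captcha is being thrown away by mistake. Going by the commit subject, the reset is deliberate: the solution is discarded as soon as it validates, before the password is checked, so a wrong password cannot be retried against the same solved captcha. I would add `// Discard the solved captcha now so every further attempt needs a fresh one` above the call. What reset() actually clears is defined in the captcha plugin, outside this hunk.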
From: Henry Sudhof Date: Sun, 17 Jan 2010 17:16:08 +0000 Subject: spaces git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10418 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index e533f4db77..13daf3ed61 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -62,7 +62,7 @@ function login_db(&$username, &$password) 'user_row' => array('user_id' => ANONYMOUS), ); } - $show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']; + $show_captcha = $config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']; // If there are too much login attempts, we need to check for an confirm image // Every auth module is able to define what to do by itself... -- cgit v1.2.1 From f98ca7ce48f5c6fbdde428ee2d1ead7bd8d43772 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Wed, 20 Jan 2010 00:20:46 +0000 Subject: Make sure captcha factory is there. Make sure language array is there. git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10431 89ea8834-ac86-4346-8a33-228a782c2dd0 --- phpBB/includes/auth/auth_db.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'phpBB/includes/auth') diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 13daf3ed61..73c4f92976 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -69,6 +69,11 @@ function login_db(&$username, &$password) if ($show_captcha) { // Visual Confirmation handling + if (!class_exists('phpbb_captcha_factory')) + { + global $phpbb_root_path, $phpEx; + include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); + } $captcha =& phpbb_captcha_factory::get_instance($config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); -- cgit v1.2.1