added password check to shares

phpgwapi/inc/class.egw_digest_auth.inc.php

@@ -99,16 +99,7 @@ class egw_digest_auth
 			(preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false) &&
 			!$GLOBALS['egw']->auth->authenticate($username, $password, 'text'))
 		{
-			// replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
-			if (strpos($password, '\\x') !== false)
-			{
-				$password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
-					return chr(hexdec($matches[1]));
-				}, $password);
-			}
-			// try translating the password from iso-8859-1 to utf-8
-			$password = translation::convert($password, 'iso-8859-1');
-			//error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
+			self::decode_password($password);
 		}
 		// create session without session cookie (session->create(..., true), as we use pseudo sessionid from credentials
 		if (!isset($username) || !($sessionid = $GLOBALS['egw']->session->create($username, $password, 'text', true)))
@@ -126,6 +117,32 @@ class egw_digest_auth
 		return $sessionid;
 	}
 
+	/**
+	 * Decode password containing non-ascii chars
+	 *
+	 * @param string &$password
+	 * @return boolean true if conversation happend, false if there was no need for a conversation
+	 */
+	public static function decode_password(&$password)
+	{
+		// if given password contains non-ascii chars AND we can not authenticate with it
+		if (preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false)
+		{
+			// replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
+			if (strpos($password, '\\x') !== false)
+			{
+				$password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
+					return chr(hexdec($matches[1]));
+				}, $password);
+			}
+			// try translating the password from iso-8859-1 to utf-8
+			$password = translation::convert($password, 'iso-8859-1');
+			//error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
+			return true;
+		}
+		return false;
+	}
+
 	/**
 	 * Check if digest auth is available for a given realm (and user): do we use cleartext passwords
 	 *

phpgwapi/inc/class.egw_sharing.inc.php

@@ -16,7 +16,6 @@
  * Token generation uses openssl_random_pseudo_bytes, if available, otherwise
  * mt_rand based auth::randomstring is used.
  *
- * @todo UI to create shares
  * @todo handle existing user sessions eg. by mounting share under it's token into vfs and redirect to regular filemanager
  * @todo handle mounts inside shared directory (they get currently lost)
  * @todo handle absolute symlinks (wont work as we use share as root)
@@ -138,7 +137,19 @@ class egw_sharing
 			echo "Requested resource '/".htmlspecialchars($token)."' does NOT exist!\n";
 			common::egw_exit();
 		}
-		// ToDo: password check, if required
+
+		// check password, if required
+		if ($share['share_passwd'] && (empty($_SERVER['PHP_AUTH_PW']) ||
+			!auth::compare_password($_SERVER['PHP_AUTH_PW'], $share['share_passwd'], 'crypt')))
+		{
+			$realm = 'EGroupware share '.$share['share_token'];
+			header('WWW-Authenticate: Basic realm="'.$realm.'"');
+			$status = '401 Unauthorized';
+			header("HTTP/1.1 $status");
+			header("X-WebDAV-Status: $status", true);
+			echo "<html>\n<head>\n<title>401 Unauthorized</title>\n<body>\nAuthorization failed.\n</body>\n</html>\n";
+			common::egw_exit();
+		}
 
 		// create session without checking auth: create(..., false, false)
 		if (!($sessionid = $GLOBALS['egw']->session->create('anonymous', '', 'text', false, false)))