added password check to shares

This commit is contained in:
Ralf Becker 2014-12-04 11:25:56 +00:00
parent cf9326391c
commit 3f50472828
2 changed files with 40 additions and 12 deletions

View File

@ -99,16 +99,7 @@ class egw_digest_auth
(preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false) &&
!$GLOBALS['egw']->auth->authenticate($username, $password, 'text'))
{
// replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
if (strpos($password, '\\x') !== false)
{
$password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
return chr(hexdec($matches[1]));
}, $password);
}
// try translating the password from iso-8859-1 to utf-8
$password = translation::convert($password, 'iso-8859-1');
//error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
self::decode_password($password);
}
// create session without session cookie (session->create(..., true), as we use pseudo sessionid from credentials
if (!isset($username) || !($sessionid = $GLOBALS['egw']->session->create($username, $password, 'text', true)))
@ -126,6 +117,32 @@ class egw_digest_auth
return $sessionid;
}
/**
* Decode password containing non-ascii chars
*
* @param string &$password
* @return boolean true if conversation happend, false if there was no need for a conversation
*/
public static function decode_password(&$password)
{
// if given password contains non-ascii chars AND we can not authenticate with it
if (preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false)
{
// replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
if (strpos($password, '\\x') !== false)
{
$password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
return chr(hexdec($matches[1]));
}, $password);
}
// try translating the password from iso-8859-1 to utf-8
$password = translation::convert($password, 'iso-8859-1');
//error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
return true;
}
return false;
}
/**
* Check if digest auth is available for a given realm (and user): do we use cleartext passwords
*

View File

@ -16,7 +16,6 @@
* Token generation uses openssl_random_pseudo_bytes, if available, otherwise
* mt_rand based auth::randomstring is used.
*
* @todo UI to create shares
* @todo handle existing user sessions eg. by mounting share under it's token into vfs and redirect to regular filemanager
* @todo handle mounts inside shared directory (they get currently lost)
* @todo handle absolute symlinks (wont work as we use share as root)
@ -138,7 +137,19 @@ class egw_sharing
echo "Requested resource '/".htmlspecialchars($token)."' does NOT exist!\n";
common::egw_exit();
}
// ToDo: password check, if required
// check password, if required
if ($share['share_passwd'] && (empty($_SERVER['PHP_AUTH_PW']) ||
!auth::compare_password($_SERVER['PHP_AUTH_PW'], $share['share_passwd'], 'crypt')))
{
$realm = 'EGroupware share '.$share['share_token'];
header('WWW-Authenticate: Basic realm="'.$realm.'"');
$status = '401 Unauthorized';
header("HTTP/1.1 $status");
header("X-WebDAV-Status: $status", true);
echo "<html>\n<head>\n<title>401 Unauthorized</title>\n<body>\nAuthorization failed.\n</body>\n</html>\n";
common::egw_exit();
}
// create session without checking auth: create(..., false, false)
if (!($sessionid = $GLOBALS['egw']->session->create('anonymous', '', 'text', false, false)))