From a658d7c8ed6930167b90d943c435b55938d42931 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sun, 9 Nov 2008 16:15:42 +0000
Subject: [PATCH] Store config_user&_passwd of domain as hash, to be able to use them inside eGW (without having them in cleartext available)
---
 phpgwapi/inc/class.egw_session.inc.php | 21 +++++++++++++++++++++
 phpgwapi/inc/functions.inc.php | 8 +++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/phpgwapi/inc/class.egw_session.inc.php b/phpgwapi/inc/class.egw_session.inc.php
index 6737595a1c..149d30f7ff 100644
--- a/phpgwapi/inc/class.egw_session.inc.php
+++ b/phpgwapi/inc/class.egw_session.inc.php
@@ -1301,6 +1301,27 @@ class egw_session
 }
 }
+ /**
+ * Create a hash from user and pw
+ *
+ * Can be used to check setup config user/password inside egroupware:
+ *
+ * if (egw_session::user_pw_hash($user,$pw) === $GLOBALS['egw_info']['server']['config_hash'])
+ *
+ * @param string $user username
+ * @param string $password password or md5 hash of password if $allow_password_md5
+ * @param boolean $allow_password_md5=false can password alread be an md5 hash
+ * @return string
+ */
+ static function user_pw_hash($user,$password,$allow_password_md5=false)
+ {
+ $password_md5 = $allow_password_md5 && preg_match('/^[a-f0-9]{32}$/',$password) ? $password : md5($password);
+
+ $hash = sha1(strtolower($user).$password_md5);
+ //echo "

".__METHOD__."('$user','$password',$allow_password_md5) sha1('".strtolower($user)."$password_md5')='$hash'

\n";
+ return $hash;
+ }
+
 /*
 * Funtions to access the used session-handler, specified in header.inc.php: $GLOBALS['egw_info']['server']['session_handler']
 */
diff --git a/phpgwapi/inc/functions.inc.php b/phpgwapi/inc/functions.inc.php
index ac9370da45..42bd864983 100644
--- a/phpgwapi/inc/functions.inc.php
+++ b/phpgwapi/inc/functions.inc.php
@@ -123,9 +123,15 @@ print_debug('domain',@$GLOBALS['egw_info']['user']['domain'],'api');
 // the egw-object instanciates all sub-classes (eg. $GLOBALS['egw']->db) and the egw_info array
 $GLOBALS['egw'] = new egw(array_keys($GLOBALS['egw_domain']));
+// store domain config user&pw as a hash (originals get unset)
+$GLOBALS['egw_info']['server']['config_hash'] = egw_session::user_pw_hash($GLOBALS['egw_domain'][$GLOBALS['egw_info']['user']['domain']]['config_user'],
+ $GLOBALS['egw_domain'][$GLOBALS['egw_info']['user']['domain']]['config_passwd'],true);
+
 if ($GLOBALS['egw_info']['flags']['currentapp'] != 'login' && !$GLOBALS['egw_info']['server']['show_domain_selectbox'])
 {
- unset ($GLOBALS['egw_domain']); // we kill this for security reasons
+ unset($GLOBALS['egw_domain']); // we kill this for security reasons
+ unset($GLOBALS['egw_info']['server']['header_admin_user']);
+ unset($GLOBALS['egw_info']['server']['header_admin_password']);
 }
 // saving the the egw_info array and the egw-object in the session
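Review bot: The commented-out `//echo` line in user_pw_hash interpolates `$password` in cleartext into page output, which is exactly the exposure this commit sets out to remove; a debug statement that prints a credential should be deleted, not left in place to be re-enabled later. Independently of that, `sha1(strtolower($user).$password_md5)` is an unsalted, fast digest, so the resulting `config_hash` (which the second hunk stores in `$GLOBALS['egw_info']['server']` just before the comment about saving egw_info into the session) can be guessed offline by anyone able to read that store; the docblock should state this, e.g. `* NOTE: unsalted sha1 over user+md5(pw) - guards against casual disclosure only, not offline guessing`. The `'/^[a-f0-9]{32}$/'` test is also case-sensitive, so an md5 configured in uppercase hex would be treated as a cleartext password and hashed again, producing a value the later `===` check can never match; `preg_match('/^[a-f0-9]{32}$/i',$password)` avoids that silent mismatch.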
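Review bot: The two new `unset()` calls for `header_admin_user` and `header_admin_password` are inside the `currentapp != 'login' && !show_domain_selectbox` branch, so on the login page and on installs with the domain selectbox enabled those cleartext admin credentials remain in `$GLOBALS['egw_info']['server']` and, per the `// saving the the egw_info array ... in the session` comment that follows, are persisted along with everything else. Unless the login page genuinely needs them (not visible from this hunk), moving both unsets above the `if` would make the commit's stated intent hold on every path. The `user_pw_hash(...)` call also does not check that `config_user`/`config_passwd` exist for the current domain; with a missing entry both arguments are null, `md5(null)` equals `md5('')`, and a hash of empty credentials is stored that a later `===` comparison would match for an empty user/password pair. A guard such as `if (!empty($GLOBALS['egw_domain'][$GLOBALS['egw_info']['user']['domain']]['config_user']))` around the assignment, or at least a comment recording the assumption that every domain has both keys, would close that gap.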