* Filemanger: filemanager/cli.php wrongly reported wrong passwords for setup or config user with newer password hashes

2024-11-25 01:13:25 +01:00 · 2016-02-15 11:10:23 +00:00 · 2016-02-15 11:10:23 +00:00 · bc7fa3bc8b
commit bc7fa3bc8b
parent b5aeadf265
2 changed files with 33 additions and 35 deletions
--- a/filemanager/cli.php
+++ b/filemanager/cli.php
@ -15,7 +15,7 @@

 chdir(dirname(__FILE__));	// to enable our relative pathes to work

-error_reporting(error_reporting() & ~E_NOTICE);
+error_reporting(error_reporting() & ~E_NOTICE & ~E_DEPRECATED);

 if (php_sapi_name() !== 'cli')	// security precaution: forbit calling filemanager/cli.php as web-page
 {
@ -34,17 +34,22 @@ function user_pass_from_argv(&$account)
 	//print_r($account);
 	if (!($sessionid = $GLOBALS['egw']->session->create($account)))
 	{
-		echo "Wrong user-account or -password !!!\n\n";
-		usage('',1);
+		usage("Wrong username or -password!");
 	}
 	return $sessionid;
 }

 /**
 * Give a usage message and exit
+ *
+ * @param string $error_msg ='' error-message to be printed in front of usage
 */
-function usage()
+function usage($error_msg='')
 {
+	if ($error_msg)
+	{
+		echo "$error_msg\n\n";
+	}
 	$cmd = basename(__FILE__);
 	echo "Usage:\t$cmd ls [-r|--recursive|-l|--long|-i|--inode] URL [URL2 ...]\n";
 	echo "\t$cmd cat URL [URL2 ...]\n";
@ -100,7 +105,7 @@ while(!is_null($option = array_shift($args)))
 					'-empty','-size','-cmin','-ctime','-mmin','-mtime','-limit','-order','-sort',
 					'-hidden','-show-deleted','-name-preg','-path','-path-preg')))
 				{
-					usage();
+					usage("Unknown find option '$option'!");
 				}
 				if (in_array($option,array('-empty','-depth','-nouser','-nogroup','-hidden','-show-deleted')))
 				{
@ -182,7 +187,7 @@ switch($cmd)
 	case 'umount':
 		if ($argc != 1 && !$all)
 		{
-			usage();
+			usage('Wrong number of parameters!');
 		}
 		if (($url = $argv[0])) load_wrapper($url);
 		if(!egw_vfs::$is_root)
@ -206,7 +211,7 @@ switch($cmd)
 	case 'mount':
 		if ($argc > 2)
 		{
-			usage();
+			usage('Wrong number of parameters!');
 		}
 		load_wrapper($url=$argv[0]);

@ -249,7 +254,7 @@ switch($cmd)
 		break;

 	case 'rename':
-		if (count($argv) != 2) usage();
+		if (count($argv) != 2) usage('Wrong number of parameters!');
 		load_wrapper($argv[0]);
 		load_wrapper($argv[1]);
 		rename($argv[0],$argv[1]);
@ -535,10 +540,12 @@ function load_egw($user,$passwd,$domain='default')
 		$GLOBALS['egw_info']['flags']['currentapp'] = 'login';
 		include('../header.inc.php');

-		if ($user == 'root_'.$GLOBALS['egw_info']['server']['header_admin_user'] &&
-			_check_pw($GLOBALS['egw_info']['server']['header_admin_password'],$passwd) ||
-			$user == 'root_'.$GLOBALS['egw_domain'][$domain]['config_user'] &&
-			_check_pw($GLOBALS['egw_domain'][$domain]['config_passwd'],$passwd))
+		if (setup::check_auth($user, $passwd,
+				'root_'.$GLOBALS['egw_info']['server']['header_admin_user'],
+				$GLOBALS['egw_info']['server']['header_admin_password']) ||
+			setup::check_auth($user, $passwd,
+				'root_'.$GLOBALS['egw_domain'][$domain]['config_user'],
+				$GLOBALS['egw_domain'][$domain]['config_passwd']))
 		{
 			echo "\nRoot access granted!\n";
 			egw_vfs::$is_root = true;
@ -557,23 +564,6 @@ function load_egw($user,$passwd,$domain='default')
 	}
 }

-/**
- * Check password against a md5 hash or cleartext password
- *
- * @param string $hash_or_cleartext
- * @param string $pw
- * @return boolean
- */
-function _check_pw($hash_or_cleartext,$pw)
-{
-	//echo "_check_pw($hash_or_cleartext,$pw) md5=".md5($pw)."\n";
-	if (preg_match('/^[0-9a-f]{32}$/',$hash_or_cleartext))
-	{
-		return $hash_or_cleartext == md5($pw);
-	}
-	return $hash_or_cleartext == $pw;
-}
-
 /**
 * Set, delete or show the extended acl for a given path
 *
@ -585,7 +575,7 @@ function do_eacl(array $argv)

 	if ($argc < 1 || $argc > 3)
 	{
-		usage();
+		usage('Wrong number of parameters!');
 	}
 	load_wrapper($url = $argv[0]);
 	if (!class_exists('egw_vfs'))
@ -721,7 +711,7 @@ function do_cp($argv,$recursive=false,$perms=false)

 	if (count($argv) > 1 && $to_exists && !is_dir($to))
 	{
-		usage();
+		usage("No such directory '$to'!");
 	}
 	$anz_dirs = $anz_files = 0;
 	foreach($argv as $from)
@ -827,9 +817,17 @@ function do_lntree($from,$to)
 	if ($from[0] == '/') $from = 'sqlfs://default'.$from;
 	load_wrapper($from);

-	if (!file_exists($from) || $to[0] != '/' || file_exists($to) || !is_writable(dirname($to)))
+	if (!file_exists($from))
 	{
-		usage();
+		usage("Directory '$from' does NOT exist!");
+	}
+	elseif ($to[0] != '/' || file_exists($to))
+	{
+		usage("Directory '$to' does not exist!");
+	}
+	elseif (!is_writable(dirname($to)))
+	{
+		usage("Directory '$to' is not writable!");
 	}
 	egw_vfs::find($from, array(
 		'url' => true,
--- a/setup/inc/class.setup.inc.php
+++ b/setup/inc/class.setup.inc.php
@ -75,7 +75,7 @@ class setup
 	 */
 	var $recommended_php_version = '5.6';

-	function setup($html=False, $translation=False)
+	function __construct($html=False, $translation=False)
 	{
 		// setup us as $GLOBALS['egw_setup'], as this gets used in our sub-objects
 		$GLOBALS['egw_setup'] =& $this;
@ -362,7 +362,7 @@ class setup
    * @param string $hash hash to check password agains (no {prefix} for plain and md5!)
    * @returns bool true on success
    */
-	function check_auth($user, $pw, $conf_user, $hash)
+	static function check_auth($user, $pw, $conf_user, $hash)
 	{
 		if ($user !== $conf_user)
 		{