diff --git a/phpgwapi/inc/class.common.inc.php b/phpgwapi/inc/class.common.inc.php index 4083509666..38cdc40a0c 100644 --- a/phpgwapi/inc/class.common.inc.php +++ b/phpgwapi/inc/class.common.inc.php @@ -41,9 +41,8 @@ */ class common { - var $crypto; - var $debug_info; // An array with debugging info from the API - + var $debug_info; // An array with debugging info from the API + /*! @function cmp_version @abstract Compares two Version strings and return 1 if str2 is newest (bigger version number) than str1 @@ -906,11 +905,11 @@ include(PHPGW_API_INC . '/footer.inc.php'); } - // Clean up mcrypt - if (@is_object($this->crypto)) + /* Clean up mcrypt */ + if (@is_object($GLOBALS['phpgw']->crypto)) { - $this->crypto->cleanup(); - unset($this->crypto); + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); } } @@ -919,6 +918,7 @@ $len = strlen($data); return pack('H' . $len, $data); } + /*! @function encrypt @abstract encrypt data passed to the function @@ -937,6 +937,7 @@ { return $GLOBALS['phpgw']->crypto->decrypt($data); } + /*! @function des_cryptpasswd @abstract des encrypt a password @@ -960,10 +961,9 @@ function md5_cryptpasswd($userpass, $random) { $bsalt = '$1$'; - $esalt = '$'; // patch + $esalt = '$'; $lcrypt = '{crypt}'; - // $modsalt = sprintf('%s%s', $bsalt, $random); - $modsalt = sprintf('%s%s%s', $bsalt, $random, $esalt); // patch + $modsalt = sprintf('%s%s%s', $bsalt, $random, $esalt); $password = crypt($userpass, $modsalt); $ldappassword = sprintf('%s%s', $lcrypt, $password); @@ -984,8 +984,7 @@ } if ($GLOBALS['phpgw_info']['server']['ldap_encryption_type'] == 'MD5') { - //$salt = $this->randomstring(9); - $salt = $this->randomstring(8); // patch + $salt = $this->randomstring(8); $e_password = $this->md5_cryptpasswd($password, $salt); } return $e_password; @@ -1059,9 +1058,9 @@ { include($f); } - } // if - } // while - } // if + } + } + } else { reset ($GLOBALS['phpgw_info']['user']['apps']); 
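Review bot: In the footer hunk at -906, `@is_object($GLOBALS['phpgw']->crypto)` uses `@` to hide the notice raised when the property has already been unset by one of the cleanup branches added in class.sessions.inc.php, and the suppression also hides any other error in that expression. `isset()` answers the same question without suppressing anything: `if (isset($GLOBALS['phpgw']->crypto) && is_object($GLOBALS['phpgw']->crypto))`. The same `@` idiom is kept in the -423 hunk of class.sessions.inc.php (`if(@$userid_array[1] == '')`), where `if (!isset($userid_array[1]) || $userid_array[1] == '')` does the job. The enclosing function at -906 begins outside the hunk.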
@@ -1075,10 +1074,10 @@ { include($f); } - } // if - } // while - } // if $no_permission_check - } // function + } + } + } + } /*! @function hook_single @@ -1121,7 +1120,7 @@ while ($permission = each($GLOBALS['phpgw_info']['user']['apps'])) { $f = PHPGW_SERVER_ROOT . $SEP . $permission[0] . $SEP . 'inc' . $SEP . 'hook_' . $location . '.inc.php'; - + if (file_exists($f)) { ++$count; @@ -1168,6 +1167,7 @@ } return date($format,$t); } + /*! @function dateformatorder @abstract @@ -1195,6 +1195,7 @@ return (implode(' ',$dlarr)); } } + /*! @function formattime @abstract format the time takes settings from user preferences @@ -1240,29 +1241,6 @@ return "$h12:$min$sec$ampm"; } - /* If the above still works, please remove this */ - function old_formattime($hour,$min,$sec='') - { - $h12 = $hour; - if ($GLOBALS['phpgw_info']['user']['preferences']['common']['timeformat'] == '12') { - if ($hour >= 12) - $ampm = ' pm'; - else - $ampm = ' am'; - $h12 %= 12; - if ($h12 == 0 && $hour) - $h12 = 12; - if ($h12 == 0 && ! $hour) - $h12 = 0; - } else - $h12 = $hour; - - if ($sec) - $sec = ":$sec"; - - return "$h12:$min$sec$ampm"; - } - // This is not the best place for it, but it needs to be shared bewteen Aeromail and SM /*! @function get_email_passwd_ex @@ -1300,7 +1278,6 @@ return $email_passwd; } */ - // This is not the best place for it, but it needs to be shared bewteen Aeromail and SM /*! @@ -1308,7 +1285,7 @@ @abstract create email preferences @discussion This is not the best place for it, but it needs to be shared between Aeromail and SM @param $prefs - @param $account_id -optional defaults to : phpgw_info['user']['account_id'] + @param $account_id -optional defaults to : phpgw_info['user']['account_id'] */ function create_emailpreferences($prefs='',$accountid='') { 
@@ -1324,7 +1301,7 @@ $do_free_me = True; } - // this sets the prederences into the phpgw_info structure + // this sets the preferences into the phpgw_info structure $GLOBALS['phpgw']->msg->create_email_preferences(); // cleanup and return @@ -1410,8 +1387,6 @@ } */ - - // This will be moved into the applications area. /*! @function check_code diff --git a/phpgwapi/inc/class.crypto.inc.php b/phpgwapi/inc/class.crypto.inc.php index 8870c81047..650788cead 100644 --- a/phpgwapi/inc/class.crypto.inc.php +++ b/phpgwapi/inc/class.crypto.inc.php @@ -34,15 +34,22 @@ var $td = False; /* Handle for mcrypt */ var $iv = ''; var $key = ''; - var $debug = True; var $debug = False; - function crypto($vars) + function crypto($vars='') + { + if(is_array($vars)) + { + $this->init($vars); + } + } + + function init($vars) { /* _debug_array(mcrypt_list_algorithms()); */ - $key = $vars[0]; $iv = $vars[1]; + if ($GLOBALS['phpgw_info']['server']['mcrypt_enabled'] && extension_loaded('mcrypt')) { if($GLOBALS['phpgw_info']['server']['mcrypt_algo']) @@ -127,7 +134,7 @@ echo '
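Review bot: `init()` reads `$vars[0]` and `$vars[1]` without checking that they exist, and since the constructor `crypto($vars='')` now builds a live object with no key at all (class.sessions.inc.php creates it exactly that way in its constructor, -56 hunk), any `encrypt()`/`decrypt()` call made before `init()` runs — `appsession()` calls `decrypt()` whenever stored data exists, -734 hunk — would presumably operate on the declared defaults `$key = ''` and `$iv = ''`. A guard at the top of `init()`, `if (!is_array($vars) || !isset($vars[0]) || !isset($vars[1])) { return False; }`, together with a "key has been set" check in `encrypt()`/`decrypt()`, would make that misuse fail loudly instead of silently producing ciphertext under an empty key. The -549 hunk of class.sessions.inc.php calls `init()` on an object its own comment says is being re-initialised; whether `init()` releases the previous `$td` handle before opening a new one is decided by the part of the body outside this hunk and is worth confirming. `init()` continues past the end of the hunk.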
' . time() . ' crypto->encrypt() unencrypted data: ---->>>>' . $data . "\n"; } - if(gettype($data) == 'array' || gettype($data) == 'object') + if(is_array($data) || is_object($data)) { if($this->debug) { diff --git a/phpgwapi/inc/class.sessions.inc.php b/phpgwapi/inc/class.sessions.inc.php index 354cdd42d1..953479e3fa 100644 --- a/phpgwapi/inc/class.sessions.inc.php +++ b/phpgwapi/inc/class.sessions.inc.php @@ -39,6 +39,9 @@ var $session_flags; var $sessionid; var $kp3; + var $key; + var $iv; + var $data; var $db; var $db2; @@ -56,6 +59,9 @@ $this->db2 = $GLOBALS['phpgw']->db; $this->sessionid = (isset($GLOBALS['HTTP_GET_VARS']['sessionid'])?$GLOBALS['HTTP_GET_VARS']['sessionid']:(isset($GLOBALS['HTTP_COOKIE_VARS']['sessionid'])?$GLOBALS['HTTP_COOKIE_VARS']['sessionid']:'')); $this->kp3 = (isset($GLOBALS['HTTP_GET_VARS']['kp3'])?$GLOBALS['HTTP_GET_VARS']['kp3']:(isset($GLOBALS['HTTP_COOKIE_VARS']['kp3'])?$GLOBALS['HTTP_COOKIE_VARS']['kp3']:'')); + + /* Create the crypto object */ + $GLOBALS['phpgw']->crypto = CreateObject('phpgwapi.crypto'); } function DONTlist_methods($_type) @@ -121,14 +127,7 @@ $this->sessionid = $sessionid; $this->kp3 = $kp3; - $GLOBALS['phpgw']->common->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); - $GLOBALS['phpgw']->common->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; - - $cryptovars[0] = $GLOBALS['phpgw']->common->key; - $cryptovars[1] = $GLOBALS['phpgw']->common->iv; - $GLOBALS['phpgw']->crypto = CreateObject('phpgwapi.crypto', $cryptovars); - - $db->query("select * from phpgw_sessions where session_id='" . $this->sessionid . "'",__LINE__,__FILE__); + $db->query("SELECT * FROM phpgw_sessions WHERE session_id='" . $this->sessionid . "'",__LINE__,__FILE__); $db->next_record(); $this->session_flags = $db->f('session_flags'); 
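Review bot: The rewritten SELECT in the -121 hunk still concatenates `$this->sessionid` into the SQL string unescaped, and that value comes straight from the `$sessionid` parameter or, via the constructor in the -56 hunk, from `HTTP_GET_VARS`/`HTTP_COOKIE_VARS`. The file already escapes values with `$GLOBALS['phpgw']->db->db_addslashes()` (-749 hunk), so the query should at least read `$db->query("SELECT * FROM phpgw_sessions WHERE session_id='" . $GLOBALS['phpgw']->db->db_addslashes($this->sessionid) . "'",__LINE__,__FILE__);`. The same unescaped interpolation is retouched but left in place in the -372 hunk (`$login`, presumably the submitted login name, `$user_ip` and `$GLOBALS['PHP_SELF']` in the two INSERTs), the -398 hunk (the same SELECT), the -597 hunk (`$action`, taken from `$PHP_SELF`) and the -613 hunk (the `$sessionid` argument). The enclosing function runs past the end of this hunk.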
@@ -180,6 +179,11 @@ return False; } + /* init the crypto object before appsession call below */ + $this->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); + $this->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; + $GLOBALS['phpgw']->crypto->init(array($this->key,$this->iv)); + $GLOBALS['phpgw_info']['user'] = $this->user; $GLOBALS['phpgw_info']['hooks'] = $this->hooks; @@ -200,6 +204,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } @@ -220,6 +229,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } } @@ -242,6 +256,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } else @@ -256,11 +275,11 @@ // If you plan on using the cron apps, please remove the following lines. // I am going to make this a config option durring 0.9.11, instead of an application (jengo) - $GLOBALS['phpgw']->db->query("delete from phpgw_sessions where session_dla <= '" . (time() - 7200) - . "' and session_flags !='A'",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query("DELETE FROM phpgw_sessions WHERE session_dla <= '" . (time() - 7200) + . "' AND session_flags !='A'",__LINE__,__FILE__); // This is set a little higher, we don't want to kill session data for anonymous sessions. - $GLOBALS['phpgw']->db->query("delete from phpgw_app_sessions where session_dla <= '" . (time() - 86400) + $GLOBALS['phpgw']->db->query("DELETE FROM phpgw_app_sessions WHERE session_dla <= '" . (time() - 86400) . "'",__LINE__,__FILE__); } 
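Review bot: The three-line key derivation added here is repeated verbatim in the -359, -442 and -549 hunks, so the ordering rule the comment hints at ("before appsession call below") has to be remembered at four call sites. One method called from each site keeps the derivation in a single place and lets its comment state the why: `appsession()` now decrypts through `$GLOBALS['phpgw']->crypto` (-734 hunk), so the key must be installed before the first `appsession()` call. The derivation itself (`md5()` of kp3, session id and the server `encryptkey` concatenated without a separator) is carried over unchanged from the removed lines; that is fine for this commit, but having it in one helper gives a later change to key handling one place to look.
```php
	/* Derive the per-session crypto key from kp3, the session id and the
	 * server encryptkey and (re)initialise the shared crypto object.
	 * Must run before the first appsession() call, which decrypts through
	 * $GLOBALS['phpgw']->crypto. */
	function init_crypto()
	{
		$this->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']);
		$this->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv'];
		$GLOBALS['phpgw']->crypto->init(array($this->key,$this->iv));
	}
```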
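Review bot: The five-line cleanup block added in the -200 hunk appears identically in the -220 and -242 hunks and again in the -462, -482 and -504 hunks, and the same logic (with `@is_object`) sits in class.common.inc.php at -906; a `cleanup_crypto()` method called from each failure branch would keep all of them in step. Because the constructor (-56 hunk) creates the crypto object only once per request, these branches leave `$GLOBALS['phpgw']->crypto` unset for the rest of the request, while `appsession()` (-734 hunk) calls `->decrypt()` on it whenever stored data exists; if any caller continues after a failed verify and reaches `appsession()`, that is a call on a non-object rather than a clean failure, which is worth confirming against the callers. The enclosing function begins outside this hunk.
```php
	/* Release the mcrypt handle and drop the shared crypto object.
	 * Safe to call when the object was never created or was already released. */
	function cleanup_crypto()
	{
		if(isset($GLOBALS['phpgw']->crypto) && is_object($GLOBALS['phpgw']->crypto))
		{
			$GLOBALS['phpgw']->crypto->cleanup();
			unset($GLOBALS['phpgw']->crypto);
		}
	}
```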
@@ -316,14 +335,8 @@ $GLOBALS['phpgw_info']['user']['account_id'] = $this->account_id; $GLOBALS['phpgw']->accounts->accounts($this->account_id); - $this->sessionid = md5($GLOBALS['phpgw']->common->randomstring(10)); - $this->kp3 = md5($GLOBALS['phpgw']->common->randomstring(15)); - - $GLOBALS['phpgw']->common->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); - $GLOBALS['phpgw']->common->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; - $cryptovars[0] = $GLOBALS['phpgw']->common->key; - $cryptovars[1] = $GLOBALS['phpgw']->common->iv; - $GLOBALS['phpgw']->crypto = CreateObject('phpgwapi.crypto', $cryptovars); + $this->sessionid = md5($GLOBALS['phpgw']->common->randomstring(10)); + $this->kp3 = md5($GLOBALS['phpgw']->common->randomstring(15)); if ($GLOBALS['phpgw_info']['server']['usecookies']) { @@ -333,13 +346,13 @@ Setcookie('last_domain',$this->account_domain,$now+1209600); if ($this->account_domain == $GLOBALS['phpgw_info']['server']['default_domain']) { - Setcookie('last_loginid', $this->account_lid ,$now+1209600); // For 2 weeks + Setcookie('last_loginid', $this->account_lid ,$now+1209600); /* For 2 weeks */ } else { - Setcookie('last_loginid', $login ,$now+1209600); // For 2 weeks + Setcookie('last_loginid', $login ,$now+1209600); /* For 2 weeks */ } - unset ($GLOBALS['phpgw_info']['server']['default_domain']); // we kill this for security reasons + unset($GLOBALS['phpgw_info']['server']['default_domain']); /* we kill this for security reasons */ } $this->read_repositories(False); @@ -359,6 +372,11 @@ return False; } + /* init the crypto object */ + $this->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); + $this->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; + $GLOBALS['phpgw']->crypto->init(array($this->key,$this->iv)); + $GLOBALS['phpgw_info']['user'] = $this->user; $GLOBALS['phpgw_info']['hooks'] = $this->hooks; 
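Review bot: Both session identifiers are derived entirely from `$GLOBALS['phpgw']->common->randomstring()`, which is not part of this diff, and the `md5()` wrapper only reformats that output; it adds no unpredictability of its own. Since the session id and kp3 are exactly what the server later accepts from GET/cookie (-56 hunk) and kp3 also feeds the crypto key (-359 hunk), that dependency deserves a comment on the line itself, e.g. `/* session id and kp3 get all their unpredictability from common->randomstring(); it must draw from a cryptographically strong source */`, and it is worth confirming that randomstring() does so rather than relying on a seeded rand()/mt_rand(). The rest of this login path lies outside the hunk.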
@@ -372,16 +390,16 @@ $session_flags = 'N'; } - $user_ip = $this->getuser_ip(); + $user_ip = $this->getuser_ip(); $GLOBALS['phpgw']->db->transaction_begin(); - $GLOBALS['phpgw']->db->query("insert into phpgw_sessions values ('" . $this->sessionid + $GLOBALS['phpgw']->db->query("INSERT INTO phpgw_sessions VALUES ('" . $this->sessionid . "','".$login."','" . $user_ip . "','" . $now . "','" . $now . "','" . $GLOBALS['PHP_SELF'] . "','" . $session_flags . "')",__LINE__,__FILE__); - $GLOBALS['phpgw']->db->query('insert into phpgw_access_log(sessionid,loginid,ip,li,lo,account_id) ' - ." values ('" . $this->sessionid . "','" . "$login','" . $user_ip . "',".$now.",''," . $this->account_id . ")",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query('INSERT INTO phpgw_access_log(sessionid,loginid,ip,li,lo,account_id) ' + ." VALUES ('" . $this->sessionid . "','" . "$login','" . $user_ip . "',".$now.",''," . $this->account_id . ")",__LINE__,__FILE__); $this->appsession('account_previous_login','phpgwapi',$GLOBALS['phpgw']->auth->previous_login); $GLOBALS['phpgw']->auth->update_lastlogin($this->account_id,$user_ip); @@ -398,14 +416,7 @@ $this->sessionid = $sessionid; $this->kp3 = $kp3; - $GLOBALS['phpgw']->common->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); - $GLOBALS['phpgw']->common->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; - - $cryptovars[0] = $GLOBALS['phpgw']->common->key; - $cryptovars[1] = $GLOBALS['phpgw']->common->iv; - $GLOBALS['phpgw']->crypto = CreateObject('phpgwapi.crypto', $cryptovars); - - $db->query("select * from phpgw_sessions where session_id='" . $this->sessionid . "'",__LINE__,__FILE__); + $db->query("SELECT * FROM phpgw_sessions WHERE session_id='" . $this->sessionid . "'",__LINE__,__FILE__); $db->next_record(); $this->session_flags = $db->f('session_flags'); 
@@ -423,12 +434,15 @@ } $GLOBALS['phpgw_info']['user']['kp3'] = $this->kp3; - $phpgw_info_flags = $GLOBALS['phpgw_info']['flags']; + $phpgw_info_flags = $GLOBALS['phpgw_info']['flags']; $GLOBALS['phpgw_info']['flags'] = $phpgw_info_flags; $userid_array = explode('@',$db->f('session_lid')); // Thinking this might solve auth_http problems - if(@$userid_array[1] == '') { $userid_array[1] = 'default'; } + if(@$userid_array[1] == '') + { + $userid_array[1] = 'default'; + } $this->account_lid = $userid_array[1]; $this->update_dla(); $this->account_id = $GLOBALS['phpgw']->interserver->name2id($this->account_lid); @@ -442,10 +456,15 @@ $this->read_repositories(@$GLOBALS['phpgw_info']['server']['cache_phpgw_info']); + /* init the crypto object before appsession call below */ + $this->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); + $this->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; + $GLOBALS['phpgw']->crypto->init(array($this->key,$this->iv)); + $GLOBALS['phpgw_info']['user'] = $this->user; $GLOBALS['phpgw_info']['hooks'] = $this->hooks; - $GLOBALS['phpgw_info']['user']['session_ip'] = $db->f('session_ip'); + $GLOBALS['phpgw_info']['user']['session_ip'] = $db->f('session_ip'); $GLOBALS['phpgw_info']['user']['passwd'] = base64_decode($this->appsession('password','phpgwapi')); if ($userid_array[1] != $GLOBALS['phpgw_info']['user']['domain']) @@ -462,6 +481,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } @@ -482,6 +506,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } } 
@@ -504,6 +533,11 @@ $GLOBALS['phpgw']->log->commit(); } + if(is_object($GLOBALS['phpgw']->crypto)) + { + $GLOBALS['phpgw']->crypto->cleanup(); + unset($GLOBALS['phpgw']->crypto); + } return False; } else @@ -549,14 +583,13 @@ $GLOBALS['phpgw_info']['user']['account_id'] = $this->account_id; $GLOBALS['phpgw']->interserver->serverid = $this->account_id; - $this->sessionid = md5($GLOBALS['phpgw']->common->randomstring(10)); - $this->kp3 = md5($GLOBALS['phpgw']->common->randomstring(15)); + $this->sessionid = md5($GLOBALS['phpgw']->common->randomstring(10)); + $this->kp3 = md5($GLOBALS['phpgw']->common->randomstring(15)); - $GLOBALS['phpgw']->common->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); - $GLOBALS['phpgw']->common->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; - $cryptovars[0] = $GLOBALS['phpgw']->common->key; - $cryptovars[1] = $GLOBALS['phpgw']->common->iv; - $GLOBALS['phpgw']->crypto = CreateObject('phpgwapi.crypto', $cryptovars); + /* re-init the crypto object */ + $this->key = md5($this->kp3 . $this->sessionid . $GLOBALS['phpgw_info']['server']['encryptkey']); + $this->iv = $GLOBALS['phpgw_info']['server']['mcrypt_iv']; + $GLOBALS['phpgw']->crypto->init(array($this->key,$this->iv)); //$this->read_repositories(False); @@ -566,7 +599,7 @@ $this->appsession('password','phpgwapi',base64_encode($this->passwd)); $session_flags = 'S'; - $user_ip = $this->getuser_ip(); + $user_ip = $this->getuser_ip(); $GLOBALS['phpgw']->db->transaction_begin(); $GLOBALS['phpgw']->db->query("INSERT INTO phpgw_sessions VALUES ('" . $this->sessionid 
@@ -597,11 +630,11 @@ $action = $PHP_SELF; } - $GLOBALS['phpgw']->db->query("update phpgw_sessions set session_dla='" . time() . "', session_action='$action' " - . "where session_id='" . $this->sessionid."'",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query("UPDATE phpgw_sessions SET session_dla='" . time() . "', session_action='$action' " + . "WHERE session_id='" . $this->sessionid."'",__LINE__,__FILE__); - $GLOBALS['phpgw']->db->query("update phpgw_app_sessions set session_dla='" . time() . "' " - . "where sessionid='" . $this->sessionid."'",__LINE__,__FILE__); + $GLOBALS['phpgw']->db->query("UPDATE phpgw_app_sessions SET session_dla='" . time() . "' " + . "WHERE sessionid='" . $this->sessionid."'",__LINE__,__FILE__); return True; } @@ -613,11 +646,11 @@ } $GLOBALS['phpgw']->db->transaction_begin(); - $GLOBALS['phpgw']->db->query("delete from phpgw_sessions where session_id='" + $GLOBALS['phpgw']->db->query("DELETE FROM phpgw_sessions WHERE session_id='" . $sessionid . "'",__LINE__,__FILE__); - $GLOBALS['phpgw']->db->query("delete from phpgw_app_sessions where sessionid='" + $GLOBALS['phpgw']->db->query("DELETE FROM phpgw_app_sessions WHERE sessionid='" . $sessionid . "'",__LINE__,__FILE__); - $GLOBALS['phpgw']->db->query("update phpgw_access_log set lo='" . time() . "' where sessionid='" + $GLOBALS['phpgw']->db->query("UPDATE phpgw_access_log SET lo='" . time() . "' WHERE sessionid='" . $sessionid . "'",__LINE__,__FILE__); // Only do the following, if where working with the current user @@ -691,7 +724,7 @@ $account_id = get_account_id($accountid,$this->account_id); $query = "DELETE FROM phpgw_app_sessions WHERE loginid = '".$account_id."'" - ." AND app = 'phpgwapi' and location = 'phpgw_info_cache'"; + ." AND app = 'phpgwapi' AND location = 'phpgw_info_cache'"; $GLOBALS['phpgw']->db->query($query); } 
@@ -734,10 +767,10 @@ // Changed by milosch 2001 Dec 20 // do not stripslashes here unless this proves to be a problem. // Changed by milosch 2001 Dec 25 - // do not decrypt and return if no data (decrypt returning garbage) + /* do not decrypt and return if no data (decrypt returning garbage) */ if($data) { - $data = $GLOBALS['phpgw']->common->decrypt($data); + $data = $GLOBALS['phpgw']->crypto->decrypt($data); //echo 'appsession returning: '; _debug_array($data); return $data; } @@ -749,8 +782,6 @@ . " AND app = '".$appname."' AND location = '".$location."'",__LINE__,__FILE__); $encrypteddata = $GLOBALS['phpgw']->crypto->encrypt($data); - // Added by milosch 2001 Dec 20 - // Use db_addslashes to slash this $encrypteddata = $GLOBALS['phpgw']->db->db_addslashes($encrypteddata); if ($GLOBALS['phpgw']->db->num_rows()==0) @@ -837,8 +868,6 @@ \*************************************************************************/ function link($url, $extravars = '') { - global $usercookie; - $kp3 = $GLOBALS['HTTP_GET_VARS']['kp3'] ? $GLOBALS['HTTP_GET_VARS']['kp3'] : $GLOBALS['HTTP_COOKIE_VARS']['kp3']; if (! $kp3)