holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

More adjustments to ensure login works with register_globals Off, also tested

Browse Source 
on php3 and php4 with register_globals On.
This commit is contained in:
Miles Lott 2001-09-06 08:27:22 +00:00
parent 97d808fb74
commit 37213f0c30
2 changed files with 91 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
login.php
View File

@ -115,29 +115,29 @@
# Apache + mod_ssl style SSL certificate authentication # Apache + mod_ssl style SSL certificate authentication
# Certificate (chain) verification occurs inside mod_ssl # Certificate (chain) verification occurs inside mod_ssl
if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]) && !isset($cd)) if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']) && !isset($cd))
{ {
# an X.509 subject looks like: # an X.509 subject looks like:
# /CN=john.doe/OU=Department/O=Company/C=xx/Email=john@comapy.tld/L=City/ # /CN=john.doe/OU=Department/O=Company/C=xx/Email=john@comapy.tld/L=City/
# the username is deliberately lowercase, to ease LDAP integration # the username is deliberately lowercase, to ease LDAP integration
$sslattribs = explode("/",$HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]); $sslattribs = explode('/',$HTTP_SERVER_VARS['SSL_CLIENT_S_DN']);
# skip the part in front of the first "/" (nothing) # skip the part in front of the first '/' (nothing)
while ($sslattrib = next($sslattribs)) while ($sslattrib = next($sslattribs))
{ {
list($key,$val) = explode("=",$sslattrib); list($key,$val) = explode('=',$sslattrib);
$sslattributes[$key] = $val; $sslattributes[$key] = $val;
} }
if (isset($sslattributes["Email"])) if (isset($sslattributes['Email']))
{ {
$submit = True; $submit = True;
# login will be set here if the user logged out and uses a different username with # login will be set here if the user logged out and uses a different username with
# the same SSL-certificate. # the same SSL-certificate.
if (!isset($login)&&isset($sslattributes["Email"])) { if (!isset($login)&&isset($sslattributes['Email'])) {
$login = $sslattributes["Email"]; $login = $sslattributes['Email'];
# not checked against the database, but delivered to authentication module # not checked against the database, but delivered to authentication module
$passwd = $HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]; $passwd = $HTTP_SERVER_VARS['SSL_CLIENT_S_DN'];
} }
} }
unset($key); unset($key);
@ -147,15 +147,15 @@
if (isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y) if (isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y)
{ {
if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"])) if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']))
{ {
$phpgw->redirect($phpgw->link('/login.php','code=5')); $GLOBALS['phpgw']->redirect($GLOBALS['phpgw']->link('/login.php','code=5'));
} }
$GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create($GLOBALS['login'],$GLOBALS['HTTP_POST_VARS']['passwd']); $GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create($GLOBALS['login'],$GLOBALS['HTTP_POST_VARS']['passwd']);
if (! isset($GLOBALS['sessionid']) || ! $GLOBALS['sessionid']) if (! isset($GLOBALS['sessionid']) || ! $GLOBALS['sessionid'])
{ {
$phpgw->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5'); $GLOBALS['phpgw']->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5');
} }
else else
{ {
@ -184,15 +184,15 @@
if (! $prefs->account_id) if (! $prefs->account_id)
{ {
$phpgw_info['user']['preferences']['common']['lang'] = 'en'; $GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
} }
else else
{ {
$phpgw_info['user']['preferences'] = $prefs->read_repository(); $GLOBALS['phpgw_info']['user']['preferences'] = $prefs->read_repository();
} }
#print 'LANG:' . $phpgw_info['user']['preferences']['common']['lang'] . '<br>'; #print 'LANG:' . $phpgw_info['user']['preferences']['common']['lang'] . '<br>';
$phpgw->translation->add_app('login'); $GLOBALS['phpgw']->translation->add_app('login');
$phpgw->translation->add_app('loginscreen'); $GLOBALS['phpgw']->translation->add_app('loginscreen');
if (lang('loginscreen_message') != 'loginscreen_message*') if (lang('loginscreen_message') != 'loginscreen_message*')
{ {
$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message'))); $tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -202,9 +202,9 @@
{ {
// If the lastloginid cookies isn't set, we will default to english. // If the lastloginid cookies isn't set, we will default to english.
// Change this if you need. // Change this if you need.
$phpgw_info['user']['preferences']['common']['lang'] = 'en'; $GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
$phpgw->translation->add_app('login'); $GLOBALS['phpgw']->translation->add_app('login');
$phpgw->translation->add_app('loginscreen'); $GLOBALS['phpgw']->translation->add_app('loginscreen');
if (lang('loginscreen_message') != 'loginscreen_message*') if (lang('loginscreen_message') != 'loginscreen_message*')
{ {
$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message'))); $tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -217,7 +217,7 @@
$cd = ''; $cd = '';
} }
if ($phpgw_info['server']['show_domain_selectbox']) if ($GLOBALS['phpgw_info']['server']['show_domain_selectbox'])
{ {
reset($phpgw_domain); reset($phpgw_domain);
unset($domain_select); // For security ... just in case unset($domain_select); // For security ... just in case

31
phpgwapi/inc/functions.inc.php
View File

@ -1,5 +1,5 @@
<?php <?php
//$debugme = "on"; /* $debugme = 'on'; */
/**************************************************************************\ /**************************************************************************\
* phpGroupWare API - phpgwapi loader * * phpGroupWare API - phpgwapi loader *
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> * * This file written by Dan Kuykendall <seek3r@phpgroupware.org> *
@ -351,31 +351,34 @@
$GLOBALS['phpgw_info']['server']['default_domain'] = $default_domain[0]; $GLOBALS['phpgw_info']['server']['default_domain'] = $default_domain[0];
unset ($default_domain); // we kill this for security reasons unset ($default_domain); // we kill this for security reasons
$GLOBALS['login'] = $GLOBALS['HTTP_POST_VARS']['login'];
$GLOBALS['logindomain'] = $GLOBALS['HTTP_POST_VARS']['logindomain'];
/* This code will handle virtdomains so that is a user logins with user@domain.com, it will switch into virtualization mode. */ /* This code will handle virtdomains so that is a user logins with user@domain.com, it will switch into virtualization mode. */
if (isset($domain)) if (isset($domain))
{ {
$GLOBALS['phpgw_info']['user']['domain'] = $domain; $GLOBALS['phpgw_info']['user']['domain'] = $domain;
} }
elseif (isset($login) && isset($logindomain)) elseif (isset($GLOBALS['login']) && isset($GLOBALS['logindomain']))
{ {
if (!ereg ("\@", $login)) if (!ereg ("\@", $GLOBALS['login']))
{ {
$login = $login."@".$logindomain; $GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['logindomain'];
} }
$GLOBALS['phpgw_info']['user']['domain'] = $logindomain; $GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['logindomain'];
unset ($logindomain); unset ($GLOBALS['logindomain']);
} }
elseif (isset($login) && !isset($logindomain)) elseif (isset($GLOBALS['login']) && !isset($GLOBALS['logindomain']))
{ {
if (ereg ("\@", $login)) if (ereg ("\@", $GLOBALS['login']))
{ {
$login_array = explode("@", $login); $login_array = explode('@', $GLOBALS['login']);
$GLOBALS['phpgw_info']['user']['domain'] = $login_array[1]; $GLOBALS['phpgw_info']['user']['domain'] = $login_array[1];
} }
else else
{ {
$GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['phpgw_info']['server']['default_domain']; $GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['phpgw_info']['server']['default_domain'];
$login = $login . '@' . $GLOBALS['phpgw_info']['user']['domain']; $GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['phpgw_info']['user']['domain'];
} }
} }
@ -531,10 +534,10 @@
$GLOBALS['phpgw']->preferences->preferences($login_id); $GLOBALS['phpgw']->preferences->preferences($login_id);
} }
} }
/****************************************************************************\ /**************************************************************************\
* Everything from this point on will ONLY happen if * * Everything from this point on will ONLY happen if *
* the currentapp is not login or logout * * the currentapp is not login or logout *
\****************************************************************************/ \**************************************************************************/
} }
else else
{ {
@ -629,7 +632,7 @@
/* Hope we don't get to this point. Better then the user seeing a */ /* Hope we don't get to this point. Better then the user seeing a */
/* complety back screen and not know whats going on */ /* complety back screen and not know whats going on */
echo '<body bgcolor="FFFFFF">'; echo '<body bgcolor="FFFFFF">';
$phpgw->log->write(array('text'=>'F-Abort, No themes found')); $GLOBALS['phpgw']->log->write(array('text'=>'F-Abort, No themes found'));
exit; exit;
} }
@ -664,7 +667,7 @@
echo parse_navbar(); echo parse_navbar();
} }
$phpgw->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp'])); $GLOBALS['phpgw']->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp']));
echo '<p><center><b>'.lang('Access not permitted').'</b></center>'; echo '<p><center><b>'.lang('Access not permitted').'</b></center>';
$GLOBALS['phpgw']->common->phpgw_exit(True); $GLOBALS['phpgw']->common->phpgw_exit(True);