More adjustments to ensure login works with register_globals Off; also tested on php3 and php4 with register_globals On.
Miles Lott 2001-09-06 08:27:22 +00:00
parent 97d808fb74
commit 37213f0c30
2 changed files with 91 additions and 88 deletions


@ -30,7 +30,7 @@
$tmpl->set_file(array( $tmpl->set_file(array(
'login_form' => 'login_denylogin.tpl' 'login_form' => 'login_denylogin.tpl'
)); ));
$tmpl->set_var('template_set','default'); $tmpl->set_var('template_set','default');
$tmpl->pfp('loginout','login_form'); $tmpl->pfp('loginout','login_form');
exit; exit;
} }
@ -115,29 +115,29 @@
# Apache + mod_ssl style SSL certificate authentication # Apache + mod_ssl style SSL certificate authentication
# Certificate (chain) verification occurs inside mod_ssl # Certificate (chain) verification occurs inside mod_ssl
if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]) && !isset($cd)) if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']) && !isset($cd))
{ {
# an X.509 subject looks like: # an X.509 subject looks like:
# /CN=john.doe/OU=Department/O=Company/C=xx/Email=john@comapy.tld/L=City/ # /CN=john.doe/OU=Department/O=Company/C=xx/Email=john@comapy.tld/L=City/
# the username is deliberately lowercase, to ease LDAP integration # the username is deliberately lowercase, to ease LDAP integration
$sslattribs = explode("/",$HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]); $sslattribs = explode('/',$HTTP_SERVER_VARS['SSL_CLIENT_S_DN']);
# skip the part in front of the first "/" (nothing) # skip the part in front of the first '/' (nothing)
while ($sslattrib = next($sslattribs)) while ($sslattrib = next($sslattribs))
{ {
list($key,$val) = explode("=",$sslattrib); list($key,$val) = explode('=',$sslattrib);
$sslattributes[$key] = $val; $sslattributes[$key] = $val;
} }
if (isset($sslattributes["Email"])) if (isset($sslattributes['Email']))
{ {
$submit = True; $submit = True;
# login will be set here if the user logged out and uses a different username with # login will be set here if the user logged out and uses a different username with
# the same SSL-certificate. # the same SSL-certificate.
if (!isset($login)&&isset($sslattributes["Email"])) { if (!isset($login)&&isset($sslattributes['Email'])) {
$login = $sslattributes["Email"]; $login = $sslattributes['Email'];
# not checked against the database, but delivered to authentication module # not checked against the database, but delivered to authentication module
$passwd = $HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]; $passwd = $HTTP_SERVER_VARS['SSL_CLIENT_S_DN'];
} }
} }
unset($key); unset($key);
@ -147,15 +147,15 @@
if (isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y) if (isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y)
{ {
if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"])) if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']))
{ {
$phpgw->redirect($phpgw->link('/login.php','code=5')); $GLOBALS['phpgw']->redirect($GLOBALS['phpgw']->link('/login.php','code=5'));
} }
$GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create($GLOBALS['login'],$GLOBALS['HTTP_POST_VARS']['passwd']); $GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create($GLOBALS['login'],$GLOBALS['HTTP_POST_VARS']['passwd']);
if (! isset($GLOBALS['sessionid']) || ! $GLOBALS['sessionid']) if (! isset($GLOBALS['sessionid']) || ! $GLOBALS['sessionid'])
{ {
$phpgw->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5'); $GLOBALS['phpgw']->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5');
} }
else else
{ {
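Review bot: The session is still created from `$GLOBALS['HTTP_POST_VARS']['passwd']` on the `$GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create(...)` line, while the sqlssl branch in the hunk above stores its credential in a bare `$passwd` and sets `$submit = True`; the gate `isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y` never consults `$submit`, and `$submit_x`/`$submit_y` are bare globals that the register_globals Off setup this commit targets leaves undefined. As far as these hunks show, the certificate path therefore either never reaches create() or reaches it with a missing password, which is worth confirming against the lines outside the hunk. A gate that does not depend on register_globals would be `if ((isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit']) || isset($HTTP_POST_VARS['submit_x']) || isset($HTTP_POST_VARS['submit_y']) || isset($submit))`, with create() given `$passwd` when the sqlssl branch set it. Separately, `getenv(REQUEST_METHOD)` relies on an undefined constant being coerced to its name and should read `getenv('REQUEST_METHOD')`, and the redirect line `$GLOBALS['phpgw']->redirect($phpgw_info['server']['webserver_url'] ...)` still reads `$phpgw_info` bare while the later hunk in this file switches the same array to `$GLOBALS['phpgw_info']`. The enclosing `if` block continues past the end of the hunk.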
@ -184,15 +184,15 @@
if (! $prefs->account_id) if (! $prefs->account_id)
{ {
$phpgw_info['user']['preferences']['common']['lang'] = 'en'; $GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
} }
else else
{ {
$phpgw_info['user']['preferences'] = $prefs->read_repository(); $GLOBALS['phpgw_info']['user']['preferences'] = $prefs->read_repository();
} }
#print 'LANG:' . $phpgw_info['user']['preferences']['common']['lang'] . '<br>'; #print 'LANG:' . $phpgw_info['user']['preferences']['common']['lang'] . '<br>';
$phpgw->translation->add_app('login'); $GLOBALS['phpgw']->translation->add_app('login');
$phpgw->translation->add_app('loginscreen'); $GLOBALS['phpgw']->translation->add_app('loginscreen');
if (lang('loginscreen_message') != 'loginscreen_message*') if (lang('loginscreen_message') != 'loginscreen_message*')
{ {
$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message'))); $tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -202,9 +202,9 @@
{ {
// If the lastloginid cookies isn't set, we will default to english. // If the lastloginid cookies isn't set, we will default to english.
// Change this if you need. // Change this if you need.
$phpgw_info['user']['preferences']['common']['lang'] = 'en'; $GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
$phpgw->translation->add_app('login'); $GLOBALS['phpgw']->translation->add_app('login');
$phpgw->translation->add_app('loginscreen'); $GLOBALS['phpgw']->translation->add_app('loginscreen');
if (lang('loginscreen_message') != 'loginscreen_message*') if (lang('loginscreen_message') != 'loginscreen_message*')
{ {
$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message'))); $tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -217,7 +217,7 @@
$cd = ''; $cd = '';
} }
if ($phpgw_info['server']['show_domain_selectbox']) if ($GLOBALS['phpgw_info']['server']['show_domain_selectbox'])
{ {
reset($phpgw_domain); reset($phpgw_domain);
unset($domain_select); // For security ... just in case unset($domain_select); // For security ... just in case


@ -1,41 +1,41 @@
<?php <?php
//$debugme = "on"; /* $debugme = 'on'; */
/**************************************************************************\ /**************************************************************************\
* phpGroupWare API - phpgwapi loader * * phpGroupWare API - phpgwapi loader *
* This file written by Dan Kuykendall <seek3r@phpgroupware.org> * * This file written by Dan Kuykendall <seek3r@phpgroupware.org> *
* and Joseph Engo <jengo@phpgroupware.org> * * and Joseph Engo <jengo@phpgroupware.org> *
* Has a few functions, but primary role is to load the phpgwapi * * Has a few functions, but primary role is to load the phpgwapi *
* Copyright (C) 2000, 2001 Dan Kuykendall * * Copyright (C) 2000, 2001 Dan Kuykendall *
* -------------------------------------------------------------------------* * -------------------------------------------------------------------------*
* This library is part of the phpGroupWare API * * This library is part of the phpGroupWare API *
* http://www.phpgroupware.org/api * * http://www.phpgroupware.org/api *
* ------------------------------------------------------------------------ * * ------------------------------------------------------------------------ *
* This library is free software; you can redistribute it and/or modify it * * This library is free software; you can redistribute it and/or modify it *
* under the terms of the GNU Lesser General Public License as published by * * under the terms of the GNU Lesser General Public License as published by *
* the Free Software Foundation; either version 2.1 of the License, * * the Free Software Foundation; either version 2.1 of the License, *
* or any later version. * * or any later version. *
* This library is distributed in the hope that it will be useful, but * * This library is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of * * WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *
* See the GNU Lesser General Public License for more details. * * See the GNU Lesser General Public License for more details. *
* You should have received a copy of the GNU Lesser General Public License * * You should have received a copy of the GNU Lesser General Public License *
* along with this library; if not, write to the Free Software Foundation, * * along with this library; if not, write to the Free Software Foundation, *
* Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
\**************************************************************************/ \**************************************************************************/
/* $Id$ */ /* $Id$ */
/****************************************************************************\ /****************************************************************************\
* If running in PHP3, then load up the support functions file for * * If running in PHP3, then load up the support functions file for *
* transparent support. * * transparent support. *
\****************************************************************************/ \****************************************************************************/
if (floor(phpversion()) == 3) if (floor(phpversion()) == 3)
{ {
include(PHPGW_API_INC.'/php3_support_functions.inc.php'); include(PHPGW_API_INC.'/php3_support_functions.inc.php');
} }
/****************************************************************************\ /****************************************************************************\
* Direct functions, which are not part of the API class * * Direct functions, which are not part of the API class *
* because they are require to be availble at the lowest level. * * because they are require to be availble at the lowest level. *
\****************************************************************************/ \****************************************************************************/
@ -49,7 +49,7 @@
Example1: $phpgw->acl = CreateObject('phpgwapi.acl'); Example1: $phpgw->acl = CreateObject('phpgwapi.acl');
@param $classname name of class @param $classname name of class
@param $p1-$p16 class parameters (all optional) @param $p1-$p16 class parameters (all optional)
*/ */
function CreateObject($class, function CreateObject($class,
$p1='_UNDEF_',$p2='_UNDEF_',$p3='_UNDEF_',$p4='_UNDEF_', $p1='_UNDEF_',$p2='_UNDEF_',$p3='_UNDEF_',$p4='_UNDEF_',
$p5='_UNDEF_',$p6='_UNDEF_',$p7='_UNDEF_',$p8='_UNDEF_', $p5='_UNDEF_',$p6='_UNDEF_',$p7='_UNDEF_',$p8='_UNDEF_',
@ -100,7 +100,7 @@
return $obj; return $obj;
} }
/*! /*!
@function ExecObject @function ExecObject
@abstract Execute a function, and load a class and include the class file if not done so already. @abstract Execute a function, and load a class and include the class file if not done so already.
@discussion Author: seek3r<br> @discussion Author: seek3r<br>
@ -112,7 +112,7 @@
@param $functionparams function param should be an array @param $functionparams function param should be an array
@param $loglevel developers choice of logging level @param $loglevel developers choice of logging level
@param $classparams params to be sent to the contructor @param $classparams params to be sent to the contructor
*/ */
function ExecMethod($method, $functionparams = '_UNDEF_', $loglevel = 3, $classparams = '_UNDEF_') function ExecMethod($method, $functionparams = '_UNDEF_', $loglevel = 3, $classparams = '_UNDEF_')
{ {
/* Need to make sure this is working against a single dimensional object */ /* Need to make sure this is working against a single dimensional object */
@ -156,7 +156,7 @@
unset ($GLOBALS['methodparts'][$partscount]); unset ($GLOBALS['methodparts'][$partscount]);
reset ($GLOBALS['methodparts']); reset ($GLOBALS['methodparts']);
$firstparent = 'True'; $firstparent = 'True';
while (list ($key, $val) = each ($GLOBALS['methodparts'])) while (list ($key, $val) = each ($GLOBALS['methodparts']))
{ {
if ($firstparent == 'True') if ($firstparent == 'True')
{ {
@ -209,7 +209,7 @@
/*! /*!
@function lang @function lang
@abstract function to handle multilanguage support @abstract function to handle multilanguage support
*/ */
function lang($key,$m1='',$m2='',$m3='',$m4='',$m5='',$m6='',$m7='',$m8='',$m9='',$m10='') function lang($key,$m1='',$m2='',$m3='',$m4='',$m5='',$m6='',$m7='',$m8='',$m9='',$m10='')
{ {
if(gettype($m1) == 'array') if(gettype($m1) == 'array')
@ -224,13 +224,13 @@
return $value; return $value;
} }
/* Just a temp wrapper. ###DELETE_ME#### (Seek3r) */ /* Just a temp wrapper. ###DELETE_ME#### (Seek3r) */
function check_code($code) function check_code($code)
{ {
return $GLOBALS['phpgw']->common->check_code($code); return $GLOBALS['phpgw']->common->check_code($code);
} }
/*! /*!
@function get_account_id() @function get_account_id()
@abstract Return a properly formatted account_id. @abstract Return a properly formatted account_id.
@discussion Author: skeeter <br> @discussion Author: skeeter <br>
@ -241,7 +241,7 @@
Example1: $account_id = get_account_id($accountid); Example1: $account_id = get_account_id($accountid);
@param $account_id either a name or an id @param $account_id either a name or an id
@param $default_id either a name or an id @param $default_id either a name or an id
*/ */
function get_account_id($account_id = '',$default_id = '') function get_account_id($account_id = '',$default_id = '')
{ {
if (gettype($account_id) == 'integer') if (gettype($account_id) == 'integer')
@ -316,14 +316,14 @@
* Quick verification of sane environment * * Quick verification of sane environment *
\****************************************************************************/ \****************************************************************************/
// error_reporting(7); // error_reporting(7);
/* Make sure the header.inc.php is current. */ /* Make sure the header.inc.php is current. */
if ($GLOBALS['phpgw_info']['server']['versions']['header'] < $GLOBALS['phpgw_info']['server']['versions']['current_header']) if ($GLOBALS['phpgw_info']['server']['versions']['header'] < $GLOBALS['phpgw_info']['server']['versions']['current_header'])
{ {
echo '<center><b>You need to port your settings to the new header.inc.php version.</b></center>'; echo '<center><b>You need to port your settings to the new header.inc.php version.</b></center>';
exit; exit;
} }
/* Make sure the developer is following the rules. */ /* Make sure the developer is following the rules. */
if (!isset($GLOBALS['phpgw_info']['flags']['currentapp'])) if (!isset($GLOBALS['phpgw_info']['flags']['currentapp']))
{ {
/* This object does not exist yet. */ /* This object does not exist yet. */
@ -351,31 +351,34 @@
$GLOBALS['phpgw_info']['server']['default_domain'] = $default_domain[0]; $GLOBALS['phpgw_info']['server']['default_domain'] = $default_domain[0];
unset ($default_domain); // we kill this for security reasons unset ($default_domain); // we kill this for security reasons
$GLOBALS['login'] = $GLOBALS['HTTP_POST_VARS']['login'];
$GLOBALS['logindomain'] = $GLOBALS['HTTP_POST_VARS']['logindomain'];
/* This code will handle virtdomains so that is a user logins with user@domain.com, it will switch into virtualization mode. */ /* This code will handle virtdomains so that is a user logins with user@domain.com, it will switch into virtualization mode. */
if (isset($domain)) if (isset($domain))
{ {
$GLOBALS['phpgw_info']['user']['domain'] = $domain; $GLOBALS['phpgw_info']['user']['domain'] = $domain;
} }
elseif (isset($login) && isset($logindomain)) elseif (isset($GLOBALS['login']) && isset($GLOBALS['logindomain']))
{ {
if (!ereg ("\@", $login)) if (!ereg ("\@", $GLOBALS['login']))
{ {
$login = $login."@".$logindomain; $GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['logindomain'];
} }
$GLOBALS['phpgw_info']['user']['domain'] = $logindomain; $GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['logindomain'];
unset ($logindomain); unset ($GLOBALS['logindomain']);
} }
elseif (isset($login) && !isset($logindomain)) elseif (isset($GLOBALS['login']) && !isset($GLOBALS['logindomain']))
{ {
if (ereg ("\@", $login)) if (ereg ("\@", $GLOBALS['login']))
{ {
$login_array = explode("@", $login); $login_array = explode('@', $GLOBALS['login']);
$GLOBALS['phpgw_info']['user']['domain'] = $login_array[1]; $GLOBALS['phpgw_info']['user']['domain'] = $login_array[1];
} }
else else
{ {
$GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['phpgw_info']['server']['default_domain']; $GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['phpgw_info']['server']['default_domain'];
$login = $login . '@' . $GLOBALS['phpgw_info']['user']['domain']; $GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['phpgw_info']['user']['domain'];
} }
} }
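Review bot: The domain stored in `$GLOBALS['phpgw_info']['user']['domain']` on the `elseif (isset($GLOBALS['login']) && isset($GLOBALS['logindomain']))` branch, and on the `explode('@', $GLOBALS['login'])` branch below it, is taken straight from the POST body (`logindomain`, or the text after `@` in `login`) without being checked against the configured `$GLOBALS['phpgw_domain']` list; unless that check happens further down (outside this hunk), a request can name a domain that was never configured. A guard such as `if (!isset($GLOBALS['phpgw_domain'][$GLOBALS['logindomain']])) { $GLOBALS['logindomain'] = $GLOBALS['phpgw_info']['server']['default_domain']; }` before the assignment, and the same check on `$login_array[1]`, would keep the lookup inside the configured set. The two new assignments `$GLOBALS['login'] = $GLOBALS['HTTP_POST_VARS']['login'];` and `$GLOBALS['logindomain'] = $GLOBALS['HTTP_POST_VARS']['logindomain'];` read the POST array without `isset()`, so every non-POST page load emits undefined-index notices; wrapping each in `if (isset($GLOBALS['HTTP_POST_VARS']['login']))` keeps the later `isset($GLOBALS['login'])` tests meaningful. The first branch still tests a bare `$domain`, which presumably comes from an earlier assignment in this file rather than register_globals; worth confirming.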
@ -398,7 +401,7 @@
if ($GLOBALS['phpgw_info']['flags']['currentapp'] != 'login' && ! $GLOBALS['phpgw_info']['server']['show_domain_selectbox']) if ($GLOBALS['phpgw_info']['flags']['currentapp'] != 'login' && ! $GLOBALS['phpgw_info']['server']['show_domain_selectbox'])
{ {
unset ($GLOBALS['phpgw_domain']); // we kill this for security reasons unset ($GLOBALS['phpgw_domain']); // we kill this for security reasons
} }
unset ($domain); // we kill this to save memory unset ($domain); // we kill this to save memory
@ -479,9 +482,9 @@
} }
unset($cache_query); unset($cache_query);
unset($server_info_cache); unset($server_info_cache);
/************************************************************************\ /************************************************************************\
* Required classes * * Required classes *
\************************************************************************/ \************************************************************************/
$GLOBALS['phpgw']->log = CreateObject('phpgwapi.errorlog'); $GLOBALS['phpgw']->log = CreateObject('phpgwapi.errorlog');
$GLOBALS['phpgw']->common = CreateObject('phpgwapi.common'); $GLOBALS['phpgw']->common = CreateObject('phpgwapi.common');
$GLOBALS['phpgw']->hooks = CreateObject('phpgwapi.hooks'); $GLOBALS['phpgw']->hooks = CreateObject('phpgwapi.hooks');
@ -501,10 +504,10 @@
$GLOBALS['phpgw_info']['flags']['included_classes']['error'] = True; $GLOBALS['phpgw_info']['flags']['included_classes']['error'] = True;
} }
/****************************************************************************\ /****************************************************************************\
* This is a global constant that should be used * * This is a global constant that should be used *
* instead of / or \ in file paths * * instead of / or \ in file paths *
\****************************************************************************/ \****************************************************************************/
define('SEP',filesystem_separator()); define('SEP',filesystem_separator());
/*****************************************************************************\ /*****************************************************************************\
@ -516,9 +519,9 @@
define('PHPGW_ACL_DELETE',8); define('PHPGW_ACL_DELETE',8);
define('PHPGW_ACL_PRIVATE',16); define('PHPGW_ACL_PRIVATE',16);
/****************************************************************************\ /****************************************************************************\
* Stuff to use if logging in or logging out * * Stuff to use if logging in or logging out *
\****************************************************************************/ \****************************************************************************/
if ($GLOBALS['phpgw_info']['flags']['currentapp'] == 'login' || $GLOBALS['phpgw_info']['flags']['currentapp'] == 'logout') if ($GLOBALS['phpgw_info']['flags']['currentapp'] == 'login' || $GLOBALS['phpgw_info']['flags']['currentapp'] == 'logout')
{ {
if ($GLOBALS['phpgw_info']['flags']['currentapp'] == 'login') if ($GLOBALS['phpgw_info']['flags']['currentapp'] == 'login')
@ -531,10 +534,10 @@
$GLOBALS['phpgw']->preferences->preferences($login_id); $GLOBALS['phpgw']->preferences->preferences($login_id);
} }
} }
/****************************************************************************\ /**************************************************************************\
* Everything from this point on will ONLY happen if * * Everything from this point on will ONLY happen if *
* the currentapp is not login or logout * * the currentapp is not login or logout *
\****************************************************************************/ \**************************************************************************/
} }
else else
{ {
@ -629,7 +632,7 @@
/* Hope we don't get to this point. Better then the user seeing a */ /* Hope we don't get to this point. Better then the user seeing a */
/* complety back screen and not know whats going on */ /* complety back screen and not know whats going on */
echo '<body bgcolor="FFFFFF">'; echo '<body bgcolor="FFFFFF">';
$phpgw->log->write(array('text'=>'F-Abort, No themes found')); $GLOBALS['phpgw']->log->write(array('text'=>'F-Abort, No themes found'));
exit; exit;
} }
@ -664,7 +667,7 @@
echo parse_navbar(); echo parse_navbar();
} }
$phpgw->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp'])); $GLOBALS['phpgw']->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp']));
echo '<p><center><b>'.lang('Access not permitted').'</b></center>'; echo '<p><center><b>'.lang('Access not permitted').'</b></center>';
$GLOBALS['phpgw']->common->phpgw_exit(True); $GLOBALS['phpgw']->common->phpgw_exit(True);