More adjustments to ensure login works with register_globals Off, also tested

on php3 and php4 with register_globals On.
2001-09-06 08:27:22 +00:00 · 2001-09-06 08:27:22 +00:00 · 37213f0c30
commit 37213f0c30
parent 97d808fb74
2 changed files with 91 additions and 88 deletions
--- a/login.php
+++ b/login.php
@ -115,29 +115,29 @@

 	# Apache + mod_ssl style SSL certificate authentication
 	# Certificate (chain) verification occurs inside mod_ssl
-	if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]) && !isset($cd))
+	if ($phpgw_info['server']['auth_type'] == 'sqlssl' && isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']) && !isset($cd))
 	{
 		# an X.509 subject looks like:
 		# /CN=john.doe/OU=Department/O=Company/C=xx/Email=john@comapy.tld/L=City/
 		# the username is deliberately lowercase, to ease LDAP integration
-		$sslattribs = explode("/",$HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]);
-		# skip the part in front of the first "/" (nothing)
+		$sslattribs = explode('/',$HTTP_SERVER_VARS['SSL_CLIENT_S_DN']);
+		# skip the part in front of the first '/' (nothing)
 		while ($sslattrib = next($sslattribs))
 		{
-			list($key,$val) = explode("=",$sslattrib);
+			list($key,$val) = explode('=',$sslattrib);
 			$sslattributes[$key] = $val;
 		}

-		if (isset($sslattributes["Email"]))
+		if (isset($sslattributes['Email']))
 		{
 			$submit = True;

 			# login will be set here if the user logged out and uses a different username with
 			# the same SSL-certificate.
-			if (!isset($login)&&isset($sslattributes["Email"])) {
-				$login = $sslattributes["Email"];
+			if (!isset($login)&&isset($sslattributes['Email'])) {
+				$login = $sslattributes['Email'];
 				# not checked against the database, but delivered to authentication module
-				$passwd = $HTTP_SERVER_VARS["SSL_CLIENT_S_DN"];
+				$passwd = $HTTP_SERVER_VARS['SSL_CLIENT_S_DN'];
 			}
 		}
 		unset($key);
@ -147,15 +147,15 @@

 	if (isset($HTTP_POST_VARS['submit']) && $HTTP_POST_VARS['submit'] || $submit_x || $submit_y)
 	{
-		if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS["SSL_CLIENT_S_DN"]))
+		if (getenv(REQUEST_METHOD) != 'POST' && !isset($PHP_AUTH_USER) && !isset($HTTP_SERVER_VARS['SSL_CLIENT_S_DN']))
 		{
-			$phpgw->redirect($phpgw->link('/login.php','code=5'));
+			$GLOBALS['phpgw']->redirect($GLOBALS['phpgw']->link('/login.php','code=5'));
 		}
 		$GLOBALS['sessionid'] = $GLOBALS['phpgw']->session->create($GLOBALS['login'],$GLOBALS['HTTP_POST_VARS']['passwd']);

 		if (! isset($GLOBALS['sessionid']) || ! $GLOBALS['sessionid'])
 		{
-			$phpgw->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5');
+			$GLOBALS['phpgw']->redirect($phpgw_info['server']['webserver_url'] . '/login.php?cd=5');
 		}
 		else
 		{
@ -184,15 +184,15 @@

 			if (! $prefs->account_id)
 			{
-				$phpgw_info['user']['preferences']['common']['lang'] = 'en';
+				$GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
 			}
 			else
 			{
-				$phpgw_info['user']['preferences'] = $prefs->read_repository();
+				$GLOBALS['phpgw_info']['user']['preferences'] = $prefs->read_repository();
 			}
 			#print 'LANG:' . $phpgw_info['user']['preferences']['common']['lang'] . '<br>';
-			$phpgw->translation->add_app('login');
-			$phpgw->translation->add_app('loginscreen');
+			$GLOBALS['phpgw']->translation->add_app('login');
+			$GLOBALS['phpgw']->translation->add_app('loginscreen');
 			if (lang('loginscreen_message') != 'loginscreen_message*')
 			{
 				$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -202,9 +202,9 @@
 		{
 			// If the lastloginid cookies isn't set, we will default to english.
 			// Change this if you need.
-			$phpgw_info['user']['preferences']['common']['lang'] = 'en';
-			$phpgw->translation->add_app('login');
-			$phpgw->translation->add_app('loginscreen');
+			$GLOBALS['phpgw_info']['user']['preferences']['common']['lang'] = 'en';
+			$GLOBALS['phpgw']->translation->add_app('login');
+			$GLOBALS['phpgw']->translation->add_app('loginscreen');
 			if (lang('loginscreen_message') != 'loginscreen_message*')
 			{
 				$tmpl->set_var('lang_message',stripslashes(lang('loginscreen_message')));
@ -217,7 +217,7 @@
 		$cd = '';
 	}

-	if ($phpgw_info['server']['show_domain_selectbox'])
+	if ($GLOBALS['phpgw_info']['server']['show_domain_selectbox'])
 	{
 		reset($phpgw_domain);
 		unset($domain_select);      // For security ... just in case
--- a/phpgwapi/inc/functions.inc.php
+++ b/phpgwapi/inc/functions.inc.php
@ -1,5 +1,5 @@
 <?php
-	//$debugme = "on";
+	/* $debugme = 'on'; */
 	/**************************************************************************\
 	* phpGroupWare API - phpgwapi loader                                       *
 	* This file written by Dan Kuykendall <seek3r@phpgroupware.org>            *
@ -351,31 +351,34 @@
 	$GLOBALS['phpgw_info']['server']['default_domain'] = $default_domain[0];
 	unset ($default_domain); // we kill this for security reasons

+	$GLOBALS['login'] = $GLOBALS['HTTP_POST_VARS']['login'];
+	$GLOBALS['logindomain'] = $GLOBALS['HTTP_POST_VARS']['logindomain'];
+
 	/* This code will handle virtdomains so that is a user logins with user@domain.com, it will switch into virtualization mode. */
 	if (isset($domain))
 	{
 		$GLOBALS['phpgw_info']['user']['domain'] = $domain;
 	}
-	elseif (isset($login) && isset($logindomain))
+	elseif (isset($GLOBALS['login']) && isset($GLOBALS['logindomain']))
 	{
-		if (!ereg ("\@", $login))
+		if (!ereg ("\@", $GLOBALS['login']))
 		{
-			$login = $login."@".$logindomain;
+			$GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['logindomain'];
 		}
-		$GLOBALS['phpgw_info']['user']['domain'] = $logindomain;
-		unset ($logindomain);
+		$GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['logindomain'];
+		unset ($GLOBALS['logindomain']);
 	}
-	elseif (isset($login) && !isset($logindomain))
+	elseif (isset($GLOBALS['login']) && !isset($GLOBALS['logindomain']))
 	{
-		if (ereg ("\@", $login))
+		if (ereg ("\@", $GLOBALS['login']))
 		{
-			$login_array = explode("@", $login);
+			$login_array = explode('@', $GLOBALS['login']);
 			$GLOBALS['phpgw_info']['user']['domain'] = $login_array[1];
 		}
 		else
 		{
 			$GLOBALS['phpgw_info']['user']['domain'] = $GLOBALS['phpgw_info']['server']['default_domain'];
-			$login = $login . '@' . $GLOBALS['phpgw_info']['user']['domain'];
+			$GLOBALS['login'] = $GLOBALS['login'] . '@' . $GLOBALS['phpgw_info']['user']['domain'];
 		}
 	}

@ -531,10 +534,10 @@
 				$GLOBALS['phpgw']->preferences->preferences($login_id);
 			}
 		}
-	/****************************************************************************\
+	/**************************************************************************\
 	* Everything from this point on will ONLY happen if                        *
 	* the currentapp is not login or logout                                    *
-	\****************************************************************************/
+	\**************************************************************************/
 	}
 	else
 	{
@ -629,7 +632,7 @@
 			/* Hope we don't get to this point.  Better then the user seeing a */
 			/* complety back screen and not know whats going on                */
 			echo '<body bgcolor="FFFFFF">';
-			$phpgw->log->write(array('text'=>'F-Abort, No themes found'));
+			$GLOBALS['phpgw']->log->write(array('text'=>'F-Abort, No themes found'));

 			exit;
 		}
@ -664,7 +667,7 @@
 					echo parse_navbar();
 				}

-				$phpgw->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp']));
+				$GLOBALS['phpgw']->log->write(array('text'=>'W-Permissions, Attempted to access %1','p1'=>$GLOBALS['phpgw_info']['flags']['currentapp']));

 				echo '<p><center><b>'.lang('Access not permitted').'</b></center>';
 				$GLOBALS['phpgw']->common->phpgw_exit(True);