From 3f50472828e9520e3647a5d60a017e69771b466f Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 4 Dec 2014 11:25:56 +0000
Subject: [PATCH] added password check to shares
---
 phpgwapi/inc/class.egw_digest_auth.inc.php | 37 ++++++++++++++++------
 phpgwapi/inc/class.egw_sharing.inc.php | 15 +++++++--
 2 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/phpgwapi/inc/class.egw_digest_auth.inc.php b/phpgwapi/inc/class.egw_digest_auth.inc.php
index 6ff8b20eb0..6289d5f059 100644
--- a/phpgwapi/inc/class.egw_digest_auth.inc.php
+++ b/phpgwapi/inc/class.egw_digest_auth.inc.php
@@ -99,16 +99,7 @@ class egw_digest_auth
 (preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false) &&
 !$GLOBALS['egw']->auth->authenticate($username, $password, 'text'))
 {
- // replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
- if (strpos($password, '\\x') !== false)
- {
- $password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
- return chr(hexdec($matches[1]));
- }, $password);
- }
- // try translating the password from iso-8859-1 to utf-8
- $password = translation::convert($password, 'iso-8859-1');
- //error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
+ self::decode_password($password);
 }
 // create session without session cookie (session->create(..., true), as we use pseudo sessionid from credentials
 if (!isset($username) || !($sessionid = $GLOBALS['egw']->session->create($username, $password, 'text', true)))
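Review bot: The new call `self::decode_password($password);` discards the method's boolean result and sits under a guard that repeats the same non-ascii/`\x` test the method performs itself (see the second hunk), so a reader cannot tell whether the outer condition or the inner one is the one that matters. Either drop the inner re-check in decode_password or make the intent explicit here with a comment such as `// decode_password() rewrites $password in place; the converted value is only verified by session->create() below`. Note that after decoding no second authenticate() call is made in this hunk; the visible lines rely on the session->create() that follows to reject a still-wrong password. The enclosing method starts before this hunk.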
@@ -126,6 +117,32 @@ class egw_digest_auth
 return $sessionid;
 }

+ /**
+ * Decode password containing non-ascii chars
+ *
+ * @param string &$password
+ * @return boolean true if conversation happend, false if there was no need for a conversation
+ */
+ public static function decode_password(&$password)
+ {
+ // if given password contains non-ascii chars AND we can not authenticate with it
+ if (preg_match('/[^\x20-\x7F]/', $password) || strpos($password, '\\x') !== false)
+ {
+ // replace \x encoded non-ascii chars in password, as they are used eg. by Thunderbird for German umlauts
+ if (strpos($password, '\\x') !== false)
+ {
+ $password = preg_replace_callback('/\\\\x([0-9A-F]{2})/i', function($matches){
+ return chr(hexdec($matches[1]));
+ }, $password);
+ }
+ // try translating the password from iso-8859-1 to utf-8
+ $password = translation::convert($password, 'iso-8859-1');
+ //error_log(__METHOD__."() Fixed non-ascii password of user '$username' from '$_SERVER[PHP_AUTH_PW]' to '$password'");
+ return true;
+ }
+ return false;
+ }
+
 /**
 * Check if digest auth is available for a given realm (and user): do we use cleartext passwords
 *
diff --git a/phpgwapi/inc/class.egw_sharing.inc.php b/phpgwapi/inc/class.egw_sharing.inc.php
index 7a4d461430..357dd2e9b4 100644
--- a/phpgwapi/inc/class.egw_sharing.inc.php
+++ b/phpgwapi/inc/class.egw_sharing.inc.php
@@ -16,7 +16,6 @@
 * Token generation uses openssl_random_pseudo_bytes, if available, otherwise
 * mt_rand based auth::randomstring is used.
 *
- * @todo UI to create shares
 * @todo handle existing user sessions eg. by mounting share under it's token into vfs and redirect to regular filemanager
 * @todo handle mounts inside shared directory (they get currently lost)
 * @todo handle absolute symlinks (wont work as we use share as root)
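Review bot: The commented-out `//error_log(...)` line moved into decode_password() refers to `$username` and `$_SERVER[PHP_AUTH_PW]`, neither of which is in scope of the new static method, and if anyone ever re-enables it the statement would write the cleartext password into the error log; delete the line rather than carrying it along. The docblock has a typo and does not say that the argument is rewritten: `@param string &$password converted in place (\x escapes and iso-8859-1 are turned into utf-8)` and `@return boolean true if a conversion happened, false if there was no need for one`. The leading comment `// if given password contains non-ascii chars AND we can not authenticate with it` no longer matches this method, since the authenticate() test stayed in the caller; `// only passwords containing non-ascii chars or \x escapes need decoding` describes what the line below checks. The inner `strpos($password, '\\x')` repeats the outer test and could be folded into the regex callback, which is a no-op when nothing matches.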
@@ -138,7 +137,19 @@ class egw_sharing
 echo "Requested resource '/".htmlspecialchars($token)."' does NOT exist!\n";
 common::egw_exit();
 }
- // ToDo: password check, if required
+
+ // check password, if required
+ if ($share['share_passwd'] && (empty($_SERVER['PHP_AUTH_PW']) ||
+ !auth::compare_password($_SERVER['PHP_AUTH_PW'], $share['share_passwd'], 'crypt')))
+ {
+ $realm = 'EGroupware share '.$share['share_token'];
+ header('WWW-Authenticate: Basic realm="'.$realm.'"');
+ $status = '401 Unauthorized';
+ header("HTTP/1.1 $status");
+ header("X-WebDAV-Status: $status", true);
+ echo "\n\n401 Unauthorized\n\nAuthorization failed.\n\n\n";
+ common::egw_exit();
+ }
 // create session without checking auth: create(..., false, false)
 if (!($sessionid = $GLOBALS['egw']->session->create('anonymous', '', 'text', false, false)))