diff --git a/e107_handlers/session_handler.php b/e107_handlers/session_handler.php
index 778cb777b..6f58e12b9 100644
--- a/e107_handlers/session_handler.php
+++ b/e107_handlers/session_handler.php
@@ -729,9 +729,14 @@ class e_session
*/
public function getFormToken($in_form = true)
{
- if(!$this->has('__form_token'))
+ if(!$this->has('__form_token') && !defined('e_TOKEN_DISABLE')) // TODO FIXME: SEF URL of Error page causes e-token refresh.
{
$this->set('__form_token', uniqid(md5(rand()), true));
+ if(deftrue('e_DEBUG_SESSION')) // XXX enable to troubleshoot "Unauthorized Access!" issues.
+ {
+ $message = date('r')."\t\t".e_REQUEST_URI."\n";
+ file_put_contents(__DIR__.'/session.log', $message, FILE_APPEND);
+ }
}
return ($in_form ? md5($this->get('__form_token')) : $this->get('__form_token'));
}
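Review bot: With `e_TOKEN_DISABLE` defined and no `__form_token` in the session, the new guard skips generation but the return line still executes, so `getFormToken()` hands back `md5()` of whatever `get()` returns for a missing key — presumably a fixed value such as `md5('')` — and callers get no signal that tokens are disabled; consider an explicit early exit, e.g. `if(defined('e_TOKEN_DISABLE') && !$this->has('__form_token')) { return ''; }`, and document the constant's effect in the docblock. The debug branch also writes `e_REQUEST_URI`, which is presumably taken from the incoming request, verbatim into `__DIR__.'/session.log'` inside the handlers directory; control characters in the URI can break the one-line-per-entry format and the file may be web-reachable, so strip them and prefer the system log directory, and check the `file_put_contents()` return value. Independently of this change, the seed `uniqid(md5(rand()), true)` is not cryptographically strong; `bin2hex(random_bytes(16))` would be a stronger source where PHP 7+ is available.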
@@ -869,7 +874,52 @@ class e_core_session extends e_session
$this->end();
}
+ private function log($status, $type=E_LOG_FATAL)
+ {
+ // $details = "USER: ".USERNAME."\n";
+ $details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
+ $details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
+ $details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
+ $details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
+ $details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
+/*
+ $utoken = $this->getFormToken(false);
+ $details .= "raw token: ".$utoken."\n";
+ $details .= "checkFormToken (e-token should match this): ".md5($utoken)."\n";
+ $details .= "md5(e-token): ".md5($_POST['e-token'])."\n";*/
+/*
+ $regenerate = $this->get('__form_token_regenerate');
+ $details .= "Regenerate after: ".date('r', $regenerate)." (".$regenerate.")\n";
+*/
+
+ $details .= "has __form_token: ";
+ $details .= empty($this->has('__form_token')) ? 'false' : 'true';
+ $details .= "\n";
+
+ $details .= "_SESSION:\n";
+ $details .= print_r($_SESSION,true);
+
+ /* if($pref['plug_installed'])
+ {
+ $details .= "\nPlugins:\n";
+ $details .= print_r($pref['plug_installed'],true);
+ }*/
+
+ $details .= $status."\n\n---------------------------------\n\n";
+
+ $log = e107::getAdminLog();
+ $log->addDebug($details);
+
+ if(deftrue('e_DEBUG'))
+ {
+ $log->toFile('Unauthorized_access','Unauthorized access Log', true);
+ }
+
+ $log->add($status, $details, $type);
+
+
+ }
/**
* Core CSF protection, see class2.php
* Could be adopted by plugins for their own (different) protection logic
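Review bot: `$_POST['e-token']`, `$_GET['e-token']` and `$_POST['e_token']` are read without `isset()` in the three ternaries near the top of `log()`, unlike the caller's checks, so every request missing one of them raises an undefined-index notice inside the logger; guard them, e.g. `$details .= !empty($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";` and likewise for the other two. `HTTP_HOST` and `REQUEST_URI` are request-supplied and go into the log unescaped, so newlines in them can alter the entry layout. The method also dumps the complete `$_SESSION` plus the submitted token values into the admin log (and to a file when `e_DEBUG` is on); since it is now also invoked on successful checks, that becomes a per-request session dump in debug installs, so log only the keys needed for diagnosis and redact token values. The commented-out blocks should be removed rather than carried into the new method.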
@@ -886,40 +936,12 @@ class e_core_session extends e_session
if($this->getSessionId())
{
+
if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token']))
|| (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))
|| (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b
{
- // if(defsettrue('e_DEBUG'))
- {
- $details = "USER: ".USERNAME."\n";
- $details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
- $details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
- $details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
- $details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
- $details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
-
- $details .= "_SESSION:\n";
- $details .= print_r($_SESSION,true);
- // $details .= "\n_POST:\n";
- // $details .= print_r($_POST,true);
- // $details .= "\n_GET:\n";
- // $details .= print_r($_GET,true);
- /* if($pref['plug_installed'])
- {
- $details .= "\nPlugins:\n";
- $details .= print_r($pref['plug_installed'],true);
- }*/
-
- $details .= "die = ".($die == true ? 'true' : 'false')."\n\n---------------------------------\n\n";
-
- $log = e107::getAdminLog();
- $log->addDebug($details);
- $log->toFile('Unauthorized_access','Unauthorized access Log', true);
- $log->add('Unauthorized access!', $details, E_LOG_FATAL);
- // e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);
- }
-
+ $this->log('Unauthorized access!');
// do not redirect, prevent dead loop, save server resources
if($die == true)
{
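Review bot: The replacement call drops the `die` flag that the removed block recorded (`"die = ..."`), so the log no longer shows whether the request was terminated; pass it along, e.g. `$this->log('Unauthorized access! (die='.($die == true ? 'true' : 'false').')');`. The enclosing method begins and ends outside this hunk.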
@@ -928,6 +950,11 @@ class e_core_session extends e_session
return false;
}
+
+ if(deftrue('e_DEBUG'))
+ {
+ $this->log('Session Token Okay!', E_LOG_NOTICE);
+ }
}
if(!defined('e_TOKEN'))
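Review bot: The new `$this->log('Session Token Okay!', E_LOG_NOTICE)` call runs on every request with a valid token whenever `e_DEBUG` is set, and `log()` writes each entry — including a full `$_SESSION` dump — to the `'Unauthorized_access'` file, so successful checks fill a file named for failures and expose session contents in any debug-enabled install. Gate it on a narrower constant (the commit already introduces `e_DEBUG_SESSION` in `getFormToken()`) or give the notice case its own file name. The enclosing method continues past this hunk.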
diff --git a/error.php b/error.php
index f745fa60f..4e92cf019 100644
--- a/error.php
+++ b/error.php
@@ -18,7 +18,7 @@ $_E107 = array(
'no_online',
'no_prunetmp',
);
-
+define('e_TOKEN_DISABLE', true);
require_once("class2.php");
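Review bot: `define('e_TOKEN_DISABLE', true);` is added without explanation, while the matching (commented-out) line in index.php carries the rationale; the reason belongs next to the live define, e.g. `// Skip form-token generation here: the SEF URL of the error page otherwise refreshes the e-token (see e_session::getFormToken()).`. In the hunks shown the constant skips token generation only — the `checkFormToken()` calls are not gated by it — so it is worth confirming that nothing rendered on the error page relies on `getFormToken()` returning a usable value.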
diff --git a/index.php b/index.php
index c6ac2703b..9a73ebdb8 100644
--- a/index.php
+++ b/index.php
@@ -52,7 +52,9 @@
define('ROOT', dirname(__FILE__));
set_include_path(ROOT.PATH_SEPARATOR.get_include_path());
-
+
+
+// define('e_TOKEN_DISABLE', true); // TODO FIXME cause of "Unauthorized Access!" message. SEF URL of Error pages causes e-token refresh.
require_once("class2.php");
// ----------------------------
diff --git a/signup.php b/signup.php
index 9c3b6f053..d988ceb7a 100644
--- a/signup.php
+++ b/signup.php
@@ -127,11 +127,16 @@ class signup
{
private $testMode = false;
+ private $pref = array();
function __construct()
{
$pref = e107::pref('core');
+ $this->pref = $pref;
+
+ $this->pref['user_reg_veri'] = intval($this->pref['user_reg_veri']);
+
if(getperms('0'))
{
$this->testMode = true;
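Review bot: `$this->pref['user_reg_veri'] = intval($this->pref['user_reg_veri']);` reads the key unconditionally, so a preference array without it raises an undefined-index notice before the cast; guard it, e.g. `$this->pref['user_reg_veri'] = isset($this->pref['user_reg_veri']) ? intval($this->pref['user_reg_veri']) : 0;`. A one-line comment on the new property saying it holds the core prefs with `user_reg_veri` normalised to int would help readers who later see both `$pref` and `$this->pref` in the class. The constructor continues beyond the hunk.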
@@ -143,7 +148,7 @@ class signup
$this->processActivationLink();
}
- if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($pref['user_reg_veri'] == 1))
+ if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($this->pref['user_reg_veri'] === 1))
{
if(empty($_POST['submit_resend']))
{
@@ -553,7 +558,7 @@ class signup
}
else
{
- $text .= ($pref['user_reg_veri'] == 2) ? LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72);
+ $text .= (intval($pref['user_reg_veri']) === 2) ? LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72);
$text .= "
".$adviseLoginName;
}
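Review bot: This comparison, and the `$mode = (int) $pref['user_reg_veri'];` in the next hunk, still read `$pref` rather than the normalised `$this->pref` the constructor now prepares, so the int conversion is duplicated and the two copies can drift; if this code is inside the `signup` class, `$this->pref['user_reg_veri'] === 2` would do. The enclosing function starts outside the hunk, so whether `$pref` here is a method local or the global cannot be seen from the diff.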
@@ -564,7 +569,9 @@ class signup
$caption_arr[1] = LAN_SIGNUP_98; // Confirm Email (Email Confirmation)
$caption_arr[2] = LAN_SIGNUP_100; // Approval Pending (Admin Approval)
- $caption = $caption_arr[$pref['user_reg_veri']];
+ $mode = (int) $pref['user_reg_veri'];
+
+ $caption = $caption_arr[$mode];
$ret['text'] = $text;
$ret['caption'] = $caption;
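Review bot: `$caption = $caption_arr[$mode];` assumes `$mode` is one of the keys populated above; any other preference value raises an undefined-offset notice and leaves `$caption` null. Fall back explicitly, e.g. `$caption = isset($caption_arr[$mode]) ? $caption_arr[$mode] : '';`. The enclosing function starts outside the hunk.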
@@ -638,7 +645,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
// generate password if passwords are disabled and email validation is enabled.
$noPasswordInput = e107::getPref('signup_option_password', 2); //0 = generate it.
- if(empty($noPasswordInput) && !isset($_POST['password1']) && intval($pref['user_reg_veri'])===1)
+ if(empty($noPasswordInput) && !isset($_POST['password1']) && $this->pref['user_reg_veri'] === 1)
{
$_POST['password1'] = $userMethods->generateRandomString("#*******#");
$_POST['password2'] = $_POST['password1'];
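Review bot: The hunk header places this code under the file-level `if (isset($_POST['register']) && intval($pref['user_reg']) === 1)` rather than inside a method of `signup`; if that is so, `$this->pref['user_reg_veri'] === 1` runs outside object context and is a fatal error on the first registration POST. The replaced expression `intval($pref['user_reg_veri'])===1` was already strict and correct here, so keep it (or use the `(int)` cast form the later hunk adopts). Please confirm the scope before merging.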
@@ -892,7 +899,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
if ($pref['user_reg_veri'])
{
// ========== Send Email =========>
- if (($pref['user_reg_veri'] != 2) && $allData['data']['user_email']) // Don't send if email address blank - means that its not compulsory
+ if (((int) $pref['user_reg_veri'] !== 2) && $allData['data']['user_email']) // Don't send if email address blank - means that its not compulsory
{
$allData['data']['user_id'] = $nid; // User ID
// FIXME build while rendering - user::renderEmail()
@@ -1051,6 +1058,7 @@ $rs = new form;
$text = $tp->parseTemplate($SIGNUP_BEGIN.$SIGNUP_BODY.$SIGNUP_END, TRUE, $signup_shortcodes);
$ns->tablerender(LAN_SIGNUP_79, e107::getMessage()->render('default', true).$text, 'signup' );
+
require_once(FOOTERF);
exit;
@@ -1086,4 +1094,4 @@ function headerjs()
}
-?>
+?>
\ No newline at end of file