mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-06-09 04:28:29 +02:00
Code Issues Releases Wiki Activity

#1517 Tracing of the 'unauthorized access' issue.

Browse Source
This commit is contained in:
Cameron 2018-03-09 17:52:14 -08:00
parent 0bec81f6d7
commit 15345afb89
4 changed files with 76 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
e107_handlers/session_handler.php
View File

@ -729,9 +729,14 @@ class e_session
*/ */
public function getFormToken($in_form = true) public function getFormToken($in_form = true)
{ {
if(!$this->has('__form_token')) if(!$this->has('__form_token') && !defined('e_TOKEN_DISABLE')) // TODO FIXME: SEF URL of Error page causes e-token refresh.
{ {
$this->set('__form_token', uniqid(md5(rand()), true)); $this->set('__form_token', uniqid(md5(rand()), true));
if(deftrue('e_DEBUG_SESSION')) // XXX enable to troubleshoot "Unauthorized Access!" issues.
{
$message = date('r')."\t\t".e_REQUEST_URI."\n";
file_put_contents(__DIR__.'/session.log', $message, FILE_APPEND);
}
} }
return ($in_form ? md5($this->get('__form_token')) : $this->get('__form_token')); return ($in_form ? md5($this->get('__form_token')) : $this->get('__form_token'));
} }
@ -869,7 +874,52 @@ class e_core_session extends e_session
$this->end(); $this->end();
} }
private function log($status, $type=E_LOG_FATAL)
{
// $details = "USER: ".USERNAME."\n";
$details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
$details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
$details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
$details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
$details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
/*
$utoken = $this->getFormToken(false);
$details .= "raw token: ".$utoken."\n";
$details .= "checkFormToken (e-token should match this): ".md5($utoken)."\n";
$details .= "md5(e-token): ".md5($_POST['e-token'])."\n";*/
/*
$regenerate = $this->get('__form_token_regenerate');
$details .= "Regenerate after: ".date('r', $regenerate)." (".$regenerate.")\n";
*/
$details .= "has __form_token: ";
$details .= empty($this->has('__form_token')) ? 'false' : 'true';
$details .= "\n";
$details .= "_SESSION:\n";
$details .= print_r($_SESSION,true);
/* if($pref['plug_installed'])
{
$details .= "\nPlugins:\n";
$details .= print_r($pref['plug_installed'],true);
}*/
$details .= $status."\n\n---------------------------------\n\n";
$log = e107::getAdminLog();
$log->addDebug($details);
if(deftrue('e_DEBUG'))
{
$log->toFile('Unauthorized_access','Unauthorized access Log', true);
}
$log->add($status, $details, $type);
}
/** /**
* Core CSF protection, see class2.php * Core CSF protection, see class2.php
* Could be adopted by plugins for their own (different) protection logic * Could be adopted by plugins for their own (different) protection logic
@ -886,40 +936,12 @@ class e_core_session extends e_session
if($this->getSessionId()) if($this->getSessionId())
{ {
if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token'])) if((isset($_POST['e-token']) && !$this->checkFormToken($_POST['e-token']))
|| (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token'])) || (isset($_GET['e-token']) && !$this->checkFormToken($_GET['e-token']))
|| (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b || (isset($_POST['e_token']) && !$this->checkFormToken($_POST['e_token']))) // '-' is not allowed in jquery. b
{ {
// if(defsettrue('e_DEBUG')) $this->log('Unauthorized access!');
{
$details = "USER: ".USERNAME."\n";
$details = "HOST: ".$_SERVER['HTTP_HOST']."\n";
$details .= "REQUEST_URI: ".$_SERVER['REQUEST_URI']."\n";
$details .= ($_POST['e-token']) ? "e-token (POST): ".$_POST['e-token']."\n" : "";
$details .= ($_GET['e-token']) ? "e-token (GET): ".$_GET['e-token']."\n" : "";
$details .= ($_POST['e_token']) ? "AJAX e_token (POST): ".$_POST['e_token']."\n" : "";
$details .= "_SESSION:\n";
$details .= print_r($_SESSION,true);
// $details .= "\n_POST:\n";
// $details .= print_r($_POST,true);
// $details .= "\n_GET:\n";
// $details .= print_r($_GET,true);
/* if($pref['plug_installed'])
{
$details .= "\nPlugins:\n";
$details .= print_r($pref['plug_installed'],true);
}*/
$details .= "die = ".($die == true ? 'true' : 'false')."\n\n---------------------------------\n\n";
$log = e107::getAdminLog();
$log->addDebug($details);
$log->toFile('Unauthorized_access','Unauthorized access Log', true);
$log->add('Unauthorized access!', $details, E_LOG_FATAL);
// e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);
}
// do not redirect, prevent dead loop, save server resources // do not redirect, prevent dead loop, save server resources
if($die == true) if($die == true)
{ {
@ -928,6 +950,11 @@ class e_core_session extends e_session
return false; return false;
} }
if(deftrue('e_DEBUG'))
{
$this->log('Session Token Okay!', E_LOG_NOTICE);
}
} }
if(!defined('e_TOKEN')) if(!defined('e_TOKEN'))

2
error.php
View File

@ -18,7 +18,7 @@ $_E107 = array(
'no_online', 'no_online',
'no_prunetmp', 'no_prunetmp',
); );
define('e_TOKEN_DISABLE', true);
require_once("class2.php"); require_once("class2.php");

2
index.php
View File

@ -53,6 +53,8 @@
define('ROOT', dirname(__FILE__)); define('ROOT', dirname(__FILE__));
set_include_path(ROOT.PATH_SEPARATOR.get_include_path()); set_include_path(ROOT.PATH_SEPARATOR.get_include_path());
// define('e_TOKEN_DISABLE', true); // TODO FIXME cause of "Unauthorized Access!" message. SEF URL of Error pages causes e-token refresh.
require_once("class2.php"); require_once("class2.php");
// ---------------------------- // ----------------------------

18
signup.php
View File

@ -127,11 +127,16 @@ class signup
{ {
private $testMode = false; private $testMode = false;
private $pref = array();
function __construct() function __construct()
{ {
$pref = e107::pref('core'); $pref = e107::pref('core');
$this->pref = $pref;
$this->pref['user_reg_veri'] = intval($this->pref['user_reg_veri']);
if(getperms('0')) if(getperms('0'))
{ {
$this->testMode = true; $this->testMode = true;
@ -143,7 +148,7 @@ class signup
$this->processActivationLink(); $this->processActivationLink();
} }
if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($pref['user_reg_veri'] == 1)) if((e_QUERY == 'resend') && (!USER || $this->testMode) && ($this->pref['user_reg_veri'] === 1))
{ {
if(empty($_POST['submit_resend'])) if(empty($_POST['submit_resend']))
{ {
@ -553,7 +558,7 @@ class signup
} }
else else
{ {
$text .= ($pref['user_reg_veri'] == 2) ? LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72); $text .= (intval($pref['user_reg_veri']) === 2) ? LAN_SIGNUP_37 : str_replace($srch,$repl, LAN_SIGNUP_72);
$text .= "<br /><br />".$adviseLoginName; $text .= "<br /><br />".$adviseLoginName;
} }
@ -564,7 +569,9 @@ class signup
$caption_arr[1] = LAN_SIGNUP_98; // Confirm Email (Email Confirmation) $caption_arr[1] = LAN_SIGNUP_98; // Confirm Email (Email Confirmation)
$caption_arr[2] = LAN_SIGNUP_100; // Approval Pending (Admin Approval) $caption_arr[2] = LAN_SIGNUP_100; // Approval Pending (Admin Approval)
$caption = $caption_arr[$pref['user_reg_veri']]; $mode = (int) $pref['user_reg_veri'];
$caption = $caption_arr[$mode];
$ret['text'] = $text; $ret['text'] = $text;
$ret['caption'] = $caption; $ret['caption'] = $caption;
@ -638,7 +645,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
// generate password if passwords are disabled and email validation is enabled. // generate password if passwords are disabled and email validation is enabled.
$noPasswordInput = e107::getPref('signup_option_password', 2); //0 = generate it. $noPasswordInput = e107::getPref('signup_option_password', 2); //0 = generate it.
if(empty($noPasswordInput) && !isset($_POST['password1']) && intval($pref['user_reg_veri'])===1) if(empty($noPasswordInput) && !isset($_POST['password1']) && $this->pref['user_reg_veri'] === 1)
{ {
$_POST['password1'] = $userMethods->generateRandomString("#*******#"); $_POST['password1'] = $userMethods->generateRandomString("#*******#");
$_POST['password2'] = $_POST['password1']; $_POST['password2'] = $_POST['password1'];
@ -892,7 +899,7 @@ if (isset($_POST['register']) && intval($pref['user_reg']) === 1)
if ($pref['user_reg_veri']) if ($pref['user_reg_veri'])
{ {
// ========== Send Email =========> // ========== Send Email =========>
if (($pref['user_reg_veri'] != 2) && $allData['data']['user_email']) // Don't send if email address blank - means that its not compulsory if (((int) $pref['user_reg_veri'] !== 2) && $allData['data']['user_email']) // Don't send if email address blank - means that its not compulsory
{ {
$allData['data']['user_id'] = $nid; // User ID $allData['data']['user_id'] = $nid; // User ID
// FIXME build while rendering - user::renderEmail() // FIXME build while rendering - user::renderEmail()
@ -1051,6 +1058,7 @@ $rs = new form;
$text = $tp->parseTemplate($SIGNUP_BEGIN.$SIGNUP_BODY.$SIGNUP_END, TRUE, $signup_shortcodes); $text = $tp->parseTemplate($SIGNUP_BEGIN.$SIGNUP_BODY.$SIGNUP_END, TRUE, $signup_shortcodes);
$ns->tablerender(LAN_SIGNUP_79, e107::getMessage()->render('default', true).$text, 'signup' ); $ns->tablerender(LAN_SIGNUP_79, e107::getMessage()->render('default', true).$text, 'signup' );
require_once(FOOTERF); require_once(FOOTERF);
exit; exit;