Issue #4356 Fixes a conflic with secureImage prefs. Added secureImage tests.

2025-01-16 12:18:39 +01:00 · 2021-02-02 19:18:44 -08:00 · 2021-02-02 19:18:44 -08:00 · 4b6d23dbf6
commit 4b6d23dbf6
parent d1f997ee2c
7 changed files with 220 additions and 92 deletions
--- a/e107_admin/auth.php
+++ b/e107_admin/auth.php
@ -25,7 +25,7 @@ e107::getDebug()->logTime('(Start auth.php)');
 define('e_CAPTCHA_FONTCOLOR','#F9A533');

 // Required for a clean v1.x -> v2 upgrade. 
-$core = e107::getConfig('core');
+$core = e107::getConfig();
 $adminTheme = $core->get('admintheme');
 if($adminTheme !== 'bootstrap3' && $adminTheme !== 'bootstrap5')
 {
@ -123,31 +123,19 @@ else

 	$use_imagecode = (vartrue($pref['admincode']) && extension_loaded("gd"));

-
 	// login check.
 	if(!empty($_POST['authsubmit']))
 	{
-
-		if ($use_imagecode)
-		{	
-			if ($sec_img->invalidCode($_POST['rand_num'], $_POST['code_verify']))
-			{
-				e107::getRedirect()->redirect('admin.php?failed');
-				exit;
-			}
-		}
-
-		if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge']), true)!==false)
+		if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge'])) !== false)
 		{
-			e107::getRedirect()->go('admin');
+			e107::getRedirect()->go('admin'); // successful login.
 		}
 		else
 		{
 			e107::coreLan('log_messages', true);
 			e107::getLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING);
-		//	echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
-			e107::getRedirect()->redirect('admin.php?failed');

+			e107::getRedirect()->redirect('admin.php?failed');
 		}

 		exit;
@ -241,12 +229,15 @@ else
 			
 			h2					{ text-align: center; color: #FAAD3D;  }
 			
-			#username			{background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; }
+			#username           { background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; }

-			#userpass			{background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; }
+			#userpass           { background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; }

 			#code-verify		{ width: 220px; padding: 7px; margin-left: auto; margin-right: auto; }

+			input, input:focus, 
+			input:hover         { color: rgb(238, 238, 238); background-color: #222222 !important }
+			
 			input[disabled] 	{ color: silver;	}
 			button[disabled] span	{	color: silver;	}
 			.title_clean		{ display:none; }
@ -324,15 +315,15 @@ class auth
 		    	<div class='field-help' data-placement='right'>".LAN_PWD_REQUIRED."</div>
 		    </div>";
 		
-		if ($use_imagecode)
-		{
-			$text .= "
-			<div class='field'>
-				<label for='code-verify'>".LAN_ENTER_CODE."</label>"
-				.$sec_img->renderImage().
-				$sec_img->renderInput()."	
-			</div>";
-		}
+			if ($use_imagecode)
+			{
+				$text .= "
+				<div class='field'>
+					<label for='code-verify'>".LAN_ENTER_CODE."</label>"
+					.$sec_img->renderImage().
+					$sec_img->renderInput()."	
+				</div>";
+			}
 			    
 		    $text .= "<div class='admin-submit'>"
 		       	.$frm->admin_button('authsubmit',ADLAN_91,'login');				
--- a/e107_handlers/e107_class.php
+++ b/e107_handlers/e107_class.php
@ -3753,9 +3753,8 @@ class e107

 		$ret = self::includeLan($path);
 		
-		if(($ret === false) && defset('E107_DEBUG_LEVEL') > 0 && strpos($path, '_global.php') === false )
+		if(($ret === false) && deftrue('E107_DBG_INCLUDES') && strpos($path, '_global.php') === false )
 		{
-
 			$result = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 4);
 			self::getDebug()->log("Couldn't load: ".$path.print_a($result,true));
 		}
--- a/e107_handlers/login.php
+++ b/e107_handlers/login.php
@ -45,7 +45,7 @@ class userlogin
 	protected $userData = array();	// Information for current user
 	protected $passResult = false;	// USed to determine if stored password needs update
 	protected $testMode   = false;
-
+	protected $secImageType = 'logcode';

 	public function __construct()
 	{
@ -54,6 +54,18 @@ class userlogin
 		$this->userMethods = e107::getUserSession();
 	}

+	public function setSecureImageMode($area)
+	{
+		$modes = array(
+			'admin' => 'admincode',
+			'login' => 'logcode',
+		//	'fpw'   => '',
+		);
+
+		$this->secImageType = varset($modes[$area],'not-a-pref');
+
+	}
+
 	/**
 	# Class called when user attempts to log in
 	#
@ -161,7 +173,7 @@ class userlogin
 		$username = preg_replace("/\sOR\s|\=|\#/", "", $username);

 		// Check secure image
-		if (!$forceLogin && $pref['logcode'] && extension_loaded('gd'))
+		if (!$forceLogin && !empty($pref[$this->secImageType]) && extension_loaded('gd'))
 		{
 			if ($secImgResult = e107::getSecureImg()->invalidCode($_POST['rand_num'], $_POST['code_verify'])) // Invalid code
 			{
--- a/e107_handlers/secure_img_handler.php
+++ b/e107_handlers/secure_img_handler.php
@ -16,9 +16,9 @@ class secure_image
 	protected $HANDLERS_DIRECTORY;
 	protected $IMAGES_DIRECTORY;
 	protected $FONTS_DIRECTORY;
-	protected $THIS_DIR;
 	protected $BASE_DIR;
 	public $FONT_COLOR = "90,90,90";
+	private $secret;

 	function __construct()
 	{
@ -29,8 +29,8 @@ class secure_image
 	 		return call_user_func($user_func);
 		}
 * */
-		list($usec, $sec) = explode(" ", microtime());
-		$this->random_number = str_replace(".", "", $sec.$usec);
+        $this->createCode();
+
        $this->BASE_DIR             = e_BASE;

        $CORE_DIRECTORY             = e107::getFolder('CORE');
@ -40,74 +40,83 @@ class secure_image

 	}

+	/**
+	 * @deprecated Use createCode() instead.
+	 * Legacy version of createCode();
+	 * @return int
+	 */
+	public function create_code()
+	{
+		return $this->createCode();
+	}


-	function create_code()
+	/**
+	 * Generates a public code and a secret code. Returns the public code.
+	 * @return int
+	 */
+	public function createCode()
 	{
 		if ($user_func = e107::getOverride()->check($this,'create_code'))
 		{
 	 		return call_user_func($user_func);
 		}

-	//	$pref = e107::getPref();
-	//	$sql = e107::getDb();
+		list($usec, $sec)     = explode(" ", microtime());
+		$this->random_number  = str_replace(".", "", $sec.$usec);

-	//	mt_srand ((double)microtime() * 1000000);
-	//	$maxran = 1000000;
-	//	$rand_num = mt_rand(0, $maxran);
-	//	$datekey = date("r");
-	//	$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey));
-	//	$code = substr($rcode, 2, 6);
-		$recnum = $this->random_number;
-	//	$del_time = time()+1200;
+		$this->secret = e107::getUserSession()->generateRandomString('*****');

-		$code =e107::getUserSession()->generateRandomString('*****');
+		e107::getSession('secureImage')->set($this->random_number, $this->secret);

-		$_SESSION['secure_img'][$recnum] = $code;
-
-		return $recnum;
+		return $this->random_number;
 	}

-	/* Return TRUE if code is valid, otherwise return FALSE 
-	 * 
+	/**
+	 * The secret code that should be entered by the user. Must be called after createCode();
+	 * @return mixed
 	 */
-	function verify_code($recnum, $checkstr)
+	public function getSecret()
+	{
+		return $this->secret;
+	}
+
+
+	/**
+	 * @deprecated Use invalidCode() instead. Returns true when the code doesn't match.
+	 * Return true if code is valid, otherwise return FALSE
+	 * @param integer $recnum The public code - returned by create_code()
+	 * @param string $checkstr - code entered by the user.
+	 * @return bool|mixed
+	 */
+	public function verify_code($recnum, $checkstr)
 	{
 		if ($user_func = e107::getOverride()->check($this,'verify_code'))
 		{
 	 		return call_user_func($user_func,$recnum,$checkstr);
 		}
-		
-	//	$sql = e107::getDb();
-	//	$tp = e107::getParser();

-		if(!empty($_SESSION['secure_img'][$recnum]) && $_SESSION['secure_img'][$recnum] === $checkstr )
+		$secret = e107::getSession('secureImage')->get($recnum);
+
+		if(!empty($secret) && ($secret === $checkstr))
 		{
-			unset($_SESSION['secure_img']);
+			e107::getSession('secureImage')->clear();
+
 			return true;
 		}
 		else
 		{
 			return false;
 		}
-/*
-		if ($sql->select("tmp", "tmp_info", "tmp_ip = '".$tp -> toDB($rec_num)."'")) {
-			$row = $sql->fetch();
-			$sql->delete("tmp", "tmp_ip = '".$tp -> toDB($rec_num)."'");
-			//list($code, $path) = explode(",", $row['tmp_info']);
-			$code = intval($row['tmp_info']);
-			return ($checkstr == $code);
-		}
-		return FALSE;*/
+
 	}
 	
-	
-	
-	// Return an Error message (true) if check fails, otherwise return false. 
+
 	/**
+	 * Returns an Error message (true) if check fails, otherwise return false.
 	 * @param $rec_num
 	 * @param $checkstr
-	 * @return bool|mixed|string
+	 * @return bool
 	 */
 	function invalidCode($rec_num=null, $checkstr=null)
 	{
@ -124,16 +133,15 @@ class secure_image
 		{
 			return LAN_INVALID_CODE;	
 		}
-		

 	}
 	
-	
-	//XXX Discuss - Add more posibilities for themers? e_CAPTCHA_BGIMAGE, e_CAPTCH_WIDTH, e_CAPTCHA_HEIGHT?
+
 	/**
-	 * @return mixed|string
+	 * @deprecated Use renderImage() instead.
+	 * @return string
 	 */
-	function r_image()
+	public function r_image()
 	{
 		if ($user_func = e107::getOverride()->check($this,'r_image'))
 		{
@ -148,21 +156,22 @@ class secure_image
 		{
 			$color = 'cccccc';		
 		}
-		
-		$code = $this->create_code();
-		return "<img src='".e_IMAGE_ABS."secimg.php?id={$code}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
+	
+		return "<img src='".e_IMAGE_ABS."secimg.php?id={$this->random_number}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
 	}
-	
-	
-	
-	
-	function renderImage() // Alias of r_image
+
+
+	/**
+	 * Return the rendered code/image.
+	 * @return mixed|string
+	 */
+	public function renderImage() // Alias of r_image
 	{
 		return $this->r_image();			
 	}


-	function hex2rgb($hex) 
+	private function hex2rgb($hex)
 	{
 		$hex = str_replace("#", "", $hex);

@ -186,7 +195,8 @@ class secure_image


 	/**
-	 * @return mixed|string
+	 * Render the input where the user will enter the code.
+	 * @return string
 	 */
 	function renderInput()
 	{
@ -202,6 +212,7 @@ class secure_image


 	/**
+	 * Return the label to accompany the input.
 	 * @return mixed|string
 	 */
 	function renderLabel()
@ -259,9 +270,9 @@ class secure_image
 	//	$code = intval($row['tmp_info']); // new value


-		if(isset($_SESSION['secure_img'][$recnum]))
+		if($tmp = e107::getSession('secureImage')->get($recnum))
 		{
-			$code = $_SESSION['secure_img'][$recnum];
+			$code = $tmp; 
 		}
 		else
 		{
@ -433,7 +444,7 @@ class secure_image
 	}


-	function imageCreateTransparent($x, $y) 
+	private function imageCreateTransparent($x, $y)
 	{
    	$imageOut = imagecreatetruecolor($x, $y);
    	$backgroundColor = imagecolorallocatealpha($imageOut, 0, 0, 0, 127);
--- a/e107_handlers/user_model.php
+++ b/e107_handlers/user_model.php
@ -1785,6 +1785,12 @@ class e_user extends e_user_model
 		}

 		$userlogin = new userlogin();
+
+		if(e_PAGE === 'admin.php')
+		{
+			$userlogin->setSecureImageMode('admin'); // use the admin secure code pref.
+		}
+
 		$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);

 		$userdata  = $userlogin->getUserData(); 
--- a/e107_images/secimg.php
+++ b/e107_images/secimg.php
@ -47,16 +47,15 @@ if(!isset($mySQLserver))

 // require_once(realpath(e_BASE.$HANDLERS_DIRECTORY.DIRECTORY_SEPARATOR."secure_img_handler.php"));

-require_once(e_HANDLER."secure_img_handler.php");
+$sim = e107::getSecureImg();

-$sim = new secure_image();

 if(!isset($_GET['id']))
 {
 	exit;	
 }

-$code = $_GET['id'];
+$code = (int) $_GET['id'];

 if(!empty($_GET['clr']) && preg_match('/^[a-f0-9]{6}$/i', $_GET['clr'])) //hex color is valid
 {
@ -72,4 +71,3 @@ $sim->render($code,$color);

 exit;

-?>
--- a/e107_tests/tests/unit/secure_imageTest.php
+++ b/e107_tests/tests/unit/secure_imageTest.php
@ -0,0 +1,111 @@
+<?php
+
+
+	class secure_imageTest extends \Codeception\Test\Unit
+	{
+
+		/** @var secure_image */
+		protected $si;
+
+		protected function _before()
+		{
+
+			try
+			{
+				$this->si = e107::getSecureImg();
+			}
+
+			catch(Exception $e)
+			{
+				$this->assertTrue(false, $e->getMessage());
+			}
+
+		}
+
+		public function testCodeAndVerify()
+		{
+			$code = $this->si->create_code();
+
+			$this->si->renderImage();
+			$this->si->renderInput();
+
+			$secret = $this->si->getSecret();
+
+			$result = $this->si->invalidCode($code, $secret);
+			$this->assertFalse($result);
+
+			$code = $this->si->create_code(); // code above is destroyed upon successful match.
+			$secret = $this->si->getSecret();
+			$result = $this->si->verify_code($code, $secret);
+			$this->assertTrue($result);
+
+			$code = $this->si->create_code();
+			$result = $this->si->invalidCode($code, 'bad code');
+			$this->assertSame('Incorrect code entered.', $result);
+
+
+			$result = $this->si->verify_code($code, 'bad code');
+			$this->assertFalse($result);
+
+
+		}
+/*
+		public function testInvalidCode()
+		{
+
+		}
+
+		public function testRenderImage()
+		{
+
+		}
+
+		public function testCreate_code()
+		{
+
+		}
+
+		public function testHex2rgb()
+		{
+
+		}
+
+		public function testRender()
+		{
+
+		}
+
+		public function testRenderLabel()
+		{
+
+		}
+
+		public function test__construct()
+		{
+
+		}
+
+		public function testR_image()
+		{
+
+		}
+
+		public function testRenderInput()
+		{
+
+		}
+
+		public function testVerify_code()
+		{
+
+		}
+
+		public function testImageCreateTransparent()
+		{
+
+		}
+*/
+
+
+
+	}