mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-01-16 20:28:28 +01:00
Code Issues Releases Wiki Activity

Issue #4356 Fixes a conflic with secureImage prefs. Added secureImage tests.

Browse Source
This commit is contained in:
Cameron 2021-02-02 19:18:44 -08:00
parent d1f997ee2c
commit 4b6d23dbf6
7 changed files with 220 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
e107_admin/auth.php
View File

@ -25,7 +25,7 @@ e107::getDebug()->logTime('(Start auth.php)');
define('e_CAPTCHA_FONTCOLOR','#F9A533'); define('e_CAPTCHA_FONTCOLOR','#F9A533');
// Required for a clean v1.x -> v2 upgrade. // Required for a clean v1.x -> v2 upgrade.
$core = e107::getConfig('core'); $core = e107::getConfig();
$adminTheme = $core->get('admintheme'); $adminTheme = $core->get('admintheme');
if($adminTheme !== 'bootstrap3' && $adminTheme !== 'bootstrap5') if($adminTheme !== 'bootstrap3' && $adminTheme !== 'bootstrap5')
{ {
@ -123,31 +123,19 @@ else
$use_imagecode = (vartrue($pref['admincode']) && extension_loaded("gd")); $use_imagecode = (vartrue($pref['admincode']) && extension_loaded("gd"));
// login check. // login check.
if(!empty($_POST['authsubmit'])) if(!empty($_POST['authsubmit']))
{ {
if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge'])) !== false)
if ($use_imagecode)
{
if ($sec_img->invalidCode($_POST['rand_num'], $_POST['code_verify']))
{
e107::getRedirect()->redirect('admin.php?failed');
exit;
}
}
if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge']), true)!==false)
{ {
e107::getRedirect()->go('admin'); e107::getRedirect()->go('admin'); // successful login.
} }
else else
{ {
e107::coreLan('log_messages', true); e107::coreLan('log_messages', true);
e107::getLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING); e107::getLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING);
// echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
e107::getRedirect()->redirect('admin.php?failed');
e107::getRedirect()->redirect('admin.php?failed');
} }
exit; exit;
@ -241,12 +229,15 @@ else
h2 { text-align: center; color: #FAAD3D; } h2 { text-align: center; color: #FAAD3D; }
#username {background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; } #username { background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; }
#userpass {background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; } #userpass { background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; }
#code-verify { width: 220px; padding: 7px; margin-left: auto; margin-right: auto; } #code-verify { width: 220px; padding: 7px; margin-left: auto; margin-right: auto; }
input, input:focus,
input:hover { color: rgb(238, 238, 238); background-color: #222222 !important }
input[disabled] { color: silver; } input[disabled] { color: silver; }
button[disabled] span { color: silver; } button[disabled] span { color: silver; }
.title_clean { display:none; } .title_clean { display:none; }
@ -324,15 +315,15 @@ class auth
<div class='field-help' data-placement='right'>".LAN_PWD_REQUIRED."</div> <div class='field-help' data-placement='right'>".LAN_PWD_REQUIRED."</div>
</div>"; </div>";
if ($use_imagecode) if ($use_imagecode)
{ {
$text .= " $text .= "
<div class='field'> <div class='field'>
<label for='code-verify'>".LAN_ENTER_CODE."</label>" <label for='code-verify'>".LAN_ENTER_CODE."</label>"
.$sec_img->renderImage(). .$sec_img->renderImage().
$sec_img->renderInput()." $sec_img->renderInput()."
</div>"; </div>";
} }
$text .= "<div class='admin-submit'>" $text .= "<div class='admin-submit'>"
.$frm->admin_button('authsubmit',ADLAN_91,'login'); .$frm->admin_button('authsubmit',ADLAN_91,'login');

3
e107_handlers/e107_class.php
View File

@ -3753,9 +3753,8 @@ class e107
$ret = self::includeLan($path); $ret = self::includeLan($path);
if(($ret === false) && defset('E107_DEBUG_LEVEL') > 0 && strpos($path, '_global.php') === false ) if(($ret === false) && deftrue('E107_DBG_INCLUDES') && strpos($path, '_global.php') === false )
{ {
$result = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 4); $result = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 4);
self::getDebug()->log("Couldn't load: ".$path.print_a($result,true)); self::getDebug()->log("Couldn't load: ".$path.print_a($result,true));
} }

16
e107_handlers/login.php
View File

@ -45,7 +45,7 @@ class userlogin
protected $userData = array(); // Information for current user protected $userData = array(); // Information for current user
protected $passResult = false; // USed to determine if stored password needs update protected $passResult = false; // USed to determine if stored password needs update
protected $testMode = false; protected $testMode = false;
protected $secImageType = 'logcode';
public function __construct() public function __construct()
{ {
@ -54,6 +54,18 @@ class userlogin
$this->userMethods = e107::getUserSession(); $this->userMethods = e107::getUserSession();
} }
public function setSecureImageMode($area)
{
$modes = array(
'admin' => 'admincode',
'login' => 'logcode',
// 'fpw' => '',
);
$this->secImageType = varset($modes[$area],'not-a-pref');
}
/** /**
# Class called when user attempts to log in # Class called when user attempts to log in
# #
@ -161,7 +173,7 @@ class userlogin
$username = preg_replace("/\sOR\s|\=|\#/", "", $username); $username = preg_replace("/\sOR\s|\=|\#/", "", $username);
// Check secure image // Check secure image
if (!$forceLogin && $pref['logcode'] && extension_loaded('gd')) if (!$forceLogin && !empty($pref[$this->secImageType]) && extension_loaded('gd'))
{ {
if ($secImgResult = e107::getSecureImg()->invalidCode($_POST['rand_num'], $_POST['code_verify'])) // Invalid code if ($secImgResult = e107::getSecureImg()->invalidCode($_POST['rand_num'], $_POST['code_verify'])) // Invalid code
{ {

125
e107_handlers/secure_img_handler.php
View File

@ -16,9 +16,9 @@ class secure_image
protected $HANDLERS_DIRECTORY; protected $HANDLERS_DIRECTORY;
protected $IMAGES_DIRECTORY; protected $IMAGES_DIRECTORY;
protected $FONTS_DIRECTORY; protected $FONTS_DIRECTORY;
protected $THIS_DIR;
protected $BASE_DIR; protected $BASE_DIR;
public $FONT_COLOR = "90,90,90"; public $FONT_COLOR = "90,90,90";
private $secret;
function __construct() function __construct()
{ {
@ -29,8 +29,8 @@ class secure_image
return call_user_func($user_func); return call_user_func($user_func);
} }
* */ * */
list($usec, $sec) = explode(" ", microtime()); $this->createCode();
$this->random_number = str_replace(".", "", $sec.$usec);
$this->BASE_DIR = e_BASE; $this->BASE_DIR = e_BASE;
$CORE_DIRECTORY = e107::getFolder('CORE'); $CORE_DIRECTORY = e107::getFolder('CORE');
@ -40,74 +40,83 @@ class secure_image
} }
/**
* @deprecated Use createCode() instead.
* Legacy version of createCode();
* @return int
*/
public function create_code()
{
return $this->createCode();
}
function create_code() /**
* Generates a public code and a secret code. Returns the public code.
* @return int
*/
public function createCode()
{ {
if ($user_func = e107::getOverride()->check($this,'create_code')) if ($user_func = e107::getOverride()->check($this,'create_code'))
{ {
return call_user_func($user_func); return call_user_func($user_func);
} }
// $pref = e107::getPref(); list($usec, $sec) = explode(" ", microtime());
// $sql = e107::getDb(); $this->random_number = str_replace(".", "", $sec.$usec);
// mt_srand ((double)microtime() * 1000000); $this->secret = e107::getUserSession()->generateRandomString('*****');
// $maxran = 1000000;
// $rand_num = mt_rand(0, $maxran);
// $datekey = date("r");
// $rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey));
// $code = substr($rcode, 2, 6);
$recnum = $this->random_number;
// $del_time = time()+1200;
$code =e107::getUserSession()->generateRandomString('*****'); e107::getSession('secureImage')->set($this->random_number, $this->secret);
$_SESSION['secure_img'][$recnum] = $code; return $this->random_number;
return $recnum;
} }
/* Return TRUE if code is valid, otherwise return FALSE /**
* * The secret code that should be entered by the user. Must be called after createCode();
* @return mixed
*/ */
function verify_code($recnum, $checkstr) public function getSecret()
{
return $this->secret;
}
/**
* @deprecated Use invalidCode() instead. Returns true when the code doesn't match.
* Return true if code is valid, otherwise return FALSE
* @param integer $recnum The public code - returned by create_code()
* @param string $checkstr - code entered by the user.
* @return bool|mixed
*/
public function verify_code($recnum, $checkstr)
{ {
if ($user_func = e107::getOverride()->check($this,'verify_code')) if ($user_func = e107::getOverride()->check($this,'verify_code'))
{ {
return call_user_func($user_func,$recnum,$checkstr); return call_user_func($user_func,$recnum,$checkstr);
} }
// $sql = e107::getDb();
// $tp = e107::getParser();
if(!empty($_SESSION['secure_img'][$recnum]) && $_SESSION['secure_img'][$recnum] === $checkstr ) $secret = e107::getSession('secureImage')->get($recnum);
if(!empty($secret) && ($secret === $checkstr))
{ {
unset($_SESSION['secure_img']); e107::getSession('secureImage')->clear();
return true; return true;
} }
else else
{ {
return false; return false;
} }
/*
if ($sql->select("tmp", "tmp_info", "tmp_ip = '".$tp -> toDB($rec_num)."'")) {
$row = $sql->fetch();
$sql->delete("tmp", "tmp_ip = '".$tp -> toDB($rec_num)."'");
//list($code, $path) = explode(",", $row['tmp_info']);
$code = intval($row['tmp_info']);
return ($checkstr == $code);
}
return FALSE;*/
} }
// Return an Error message (true) if check fails, otherwise return false.
/** /**
* Returns an Error message (true) if check fails, otherwise return false.
* @param $rec_num * @param $rec_num
* @param $checkstr * @param $checkstr
* @return bool|mixed|string * @return bool
*/ */
function invalidCode($rec_num=null, $checkstr=null) function invalidCode($rec_num=null, $checkstr=null)
{ {
@ -124,16 +133,15 @@ class secure_image
{ {
return LAN_INVALID_CODE; return LAN_INVALID_CODE;
} }
} }
//XXX Discuss - Add more posibilities for themers? e_CAPTCHA_BGIMAGE, e_CAPTCH_WIDTH, e_CAPTCHA_HEIGHT?
/** /**
* @return mixed|string * @deprecated Use renderImage() instead.
* @return string
*/ */
function r_image() public function r_image()
{ {
if ($user_func = e107::getOverride()->check($this,'r_image')) if ($user_func = e107::getOverride()->check($this,'r_image'))
{ {
@ -148,21 +156,22 @@ class secure_image
{ {
$color = 'cccccc'; $color = 'cccccc';
} }
$code = $this->create_code(); return "<img src='".e_IMAGE_ABS."secimg.php?id={$this->random_number}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
return "<img src='".e_IMAGE_ABS."secimg.php?id={$code}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
} }
/**
* Return the rendered code/image.
function renderImage() // Alias of r_image * @return mixed|string
*/
public function renderImage() // Alias of r_image
{ {
return $this->r_image(); return $this->r_image();
} }
function hex2rgb($hex) private function hex2rgb($hex)
{ {
$hex = str_replace("#", "", $hex); $hex = str_replace("#", "", $hex);
@ -186,7 +195,8 @@ class secure_image
/** /**
* @return mixed|string * Render the input where the user will enter the code.
* @return string
*/ */
function renderInput() function renderInput()
{ {
@ -202,6 +212,7 @@ class secure_image
/** /**
* Return the label to accompany the input.
* @return mixed|string * @return mixed|string
*/ */
function renderLabel() function renderLabel()
@ -259,9 +270,9 @@ class secure_image
// $code = intval($row['tmp_info']); // new value // $code = intval($row['tmp_info']); // new value
if(isset($_SESSION['secure_img'][$recnum])) if($tmp = e107::getSession('secureImage')->get($recnum))
{ {
$code = $_SESSION['secure_img'][$recnum]; $code = $tmp;
} }
else else
{ {
@ -433,7 +444,7 @@ class secure_image
} }
function imageCreateTransparent($x, $y) private function imageCreateTransparent($x, $y)
{ {
$imageOut = imagecreatetruecolor($x, $y); $imageOut = imagecreatetruecolor($x, $y);
$backgroundColor = imagecolorallocatealpha($imageOut, 0, 0, 0, 127); $backgroundColor = imagecolorallocatealpha($imageOut, 0, 0, 0, 127);

6
e107_handlers/user_model.php
View File

@ -1785,6 +1785,12 @@ class e_user extends e_user_model
} }
$userlogin = new userlogin(); $userlogin = new userlogin();
if(e_PAGE === 'admin.php')
{
$userlogin->setSecureImageMode('admin'); // use the admin secure code pref.
}
$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect); $loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
$userdata = $userlogin->getUserData(); $userdata = $userlogin->getUserData();

6
e107_images/secimg.php
View File

@ -47,16 +47,15 @@ if(!isset($mySQLserver))
// require_once(realpath(e_BASE.$HANDLERS_DIRECTORY.DIRECTORY_SEPARATOR."secure_img_handler.php")); // require_once(realpath(e_BASE.$HANDLERS_DIRECTORY.DIRECTORY_SEPARATOR."secure_img_handler.php"));
require_once(e_HANDLER."secure_img_handler.php"); $sim = e107::getSecureImg();
$sim = new secure_image();
if(!isset($_GET['id'])) if(!isset($_GET['id']))
{ {
exit; exit;
} }
$code = $_GET['id']; $code = (int) $_GET['id'];
if(!empty($_GET['clr']) && preg_match('/^[a-f0-9]{6}$/i', $_GET['clr'])) //hex color is valid if(!empty($_GET['clr']) && preg_match('/^[a-f0-9]{6}$/i', $_GET['clr'])) //hex color is valid
{ {
@ -72,4 +71,3 @@ $sim->render($code,$color);
exit; exit;
?>

111
e107_tests/tests/unit/secure_imageTest.php Normal file
View File

@ -0,0 +1,111 @@
<?php
class secure_imageTest extends \Codeception\Test\Unit
{
/** @var secure_image */
protected $si;
protected function _before()
{
try
{
$this->si = e107::getSecureImg();
}
catch(Exception $e)
{
$this->assertTrue(false, $e->getMessage());
}
}
public function testCodeAndVerify()
{
$code = $this->si->create_code();
$this->si->renderImage();
$this->si->renderInput();
$secret = $this->si->getSecret();
$result = $this->si->invalidCode($code, $secret);
$this->assertFalse($result);
$code = $this->si->create_code(); // code above is destroyed upon successful match.
$secret = $this->si->getSecret();
$result = $this->si->verify_code($code, $secret);
$this->assertTrue($result);
$code = $this->si->create_code();
$result = $this->si->invalidCode($code, 'bad code');
$this->assertSame('Incorrect code entered.', $result);
$result = $this->si->verify_code($code, 'bad code');
$this->assertFalse($result);
}
/*
public function testInvalidCode()
{
}
public function testRenderImage()
{
}
public function testCreate_code()
{
}
public function testHex2rgb()
{
}
public function testRender()
{
}
public function testRenderLabel()
{
}
public function test__construct()
{
}
public function testR_image()
{
}
public function testRenderInput()
{
}
public function testVerify_code()
{
}
public function testImageCreateTransparent()
{
}
*/
}