mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-01-16 20:28:28 +01:00
Code Issues Releases Wiki Activity

Issue #4356 Fixes a conflic with secureImage prefs. Added secureImage tests.

Browse Source
This commit is contained in:
Cameron 2021-02-02 19:18:44 -08:00
parent d1f997ee2c
commit 4b6d23dbf6
7 changed files with 220 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
e107_admin/auth.php
View File

@ -25,7 +25,7 @@ e107::getDebug()->logTime('(Start auth.php)');
define('e_CAPTCHA_FONTCOLOR','#F9A533');
// Required for a clean v1.x -> v2 upgrade.
$core = e107::getConfig('core');
$core = e107::getConfig();
$adminTheme = $core->get('admintheme');
if($adminTheme !== 'bootstrap3' && $adminTheme !== 'bootstrap5')
{
@ -123,31 +123,19 @@ else
$use_imagecode = (vartrue($pref['admincode']) && extension_loaded("gd"));
// login check.
if(!empty($_POST['authsubmit']))
{
if ($use_imagecode)
if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge'])) !== false)
{
if ($sec_img->invalidCode($_POST['rand_num'], $_POST['code_verify']))
{
e107::getRedirect()->redirect('admin.php?failed');
exit;
}
}
if(e107::getUser()->login($_POST['authname'], $_POST['authpass'], false, varset($_POST['hashchallenge']), true)!==false)
{
e107::getRedirect()->go('admin');
e107::getRedirect()->go('admin'); // successful login.
}
else
{
e107::coreLan('log_messages', true);
e107::getLog()->addEvent(4, __FILE__."|".__FUNCTION__."@".__LINE__, "LOGIN", LAN_ROLL_LOG_11, "U: ".$tp->toDB($_POST['authname']), FALSE, LOG_TO_ROLLING);
// echo "<script type='text/javascript'>document.location.href='../index.php'</script>\n";
e107::getRedirect()->redirect('admin.php?failed');
e107::getRedirect()->redirect('admin.php?failed');
}
exit;
@ -241,12 +229,15 @@ else
h2 { text-align: center; color: #FAAD3D; }
#username {background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; }
#username { background: url(".e_IMAGE."admin_images/admins_16.png) no-repeat scroll 7px 9px; padding:7px; padding-left:30px; width:80%; max-width:218px; }
#userpass {background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; }
#userpass { background: url(".e_IMAGE."admin_images/lock_16.png) no-repeat scroll 7px 9px; padding:7px;padding-left:30px; width:80%; max-width:218px; }
#code-verify { width: 220px; padding: 7px; margin-left: auto; margin-right: auto; }
input, input:focus,
input:hover { color: rgb(238, 238, 238); background-color: #222222 !important }
input[disabled] { color: silver; }
button[disabled] span { color: silver; }
.title_clean { display:none; }

3
e107_handlers/e107_class.php
View File

@ -3753,9 +3753,8 @@ class e107
$ret = self::includeLan($path);
if(($ret === false) && defset('E107_DEBUG_LEVEL') > 0 && strpos($path, '_global.php') === false )
if(($ret === false) && deftrue('E107_DBG_INCLUDES') && strpos($path, '_global.php') === false )
{
$result = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 4);
self::getDebug()->log("Couldn't load: ".$path.print_a($result,true));
}

16
e107_handlers/login.php
View File

@ -45,7 +45,7 @@ class userlogin
protected $userData = array(); // Information for current user
protected $passResult = false; // USed to determine if stored password needs update
protected $testMode = false;
protected $secImageType = 'logcode';
public function __construct()
{
@ -54,6 +54,18 @@ class userlogin
$this->userMethods = e107::getUserSession();
}
public function setSecureImageMode($area)
{
$modes = array(
'admin' => 'admincode',
'login' => 'logcode',
// 'fpw' => '',
);
$this->secImageType = varset($modes[$area],'not-a-pref');
}
/**
# Class called when user attempts to log in
#
@ -161,7 +173,7 @@ class userlogin
$username = preg_replace("/\sOR\s|\=|\#/", "", $username);
// Check secure image
if (!$forceLogin && $pref['logcode'] && extension_loaded('gd'))
if (!$forceLogin && !empty($pref[$this->secImageType]) && extension_loaded('gd'))
{
if ($secImgResult = e107::getSecureImg()->invalidCode($_POST['rand_num'], $_POST['code_verify'])) // Invalid code
{

113
e107_handlers/secure_img_handler.php
View File

@ -16,9 +16,9 @@ class secure_image
protected $HANDLERS_DIRECTORY;
protected $IMAGES_DIRECTORY;
protected $FONTS_DIRECTORY;
protected $THIS_DIR;
protected $BASE_DIR;
public $FONT_COLOR = "90,90,90";
private $secret;
function __construct()
{
@ -29,8 +29,8 @@ class secure_image
return call_user_func($user_func);
}
* */
list($usec, $sec) = explode(" ", microtime());
$this->random_number = str_replace(".", "", $sec.$usec);
$this->createCode();
$this->BASE_DIR = e_BASE;
$CORE_DIRECTORY = e107::getFolder('CORE');
@ -40,74 +40,83 @@ class secure_image
}
/**
* @deprecated Use createCode() instead.
* Legacy version of createCode();
* @return int
*/
public function create_code()
{
return $this->createCode();
}
function create_code()
/**
* Generates a public code and a secret code. Returns the public code.
* @return int
*/
public function createCode()
{
if ($user_func = e107::getOverride()->check($this,'create_code'))
{
return call_user_func($user_func);
}
// $pref = e107::getPref();
// $sql = e107::getDb();
list($usec, $sec) = explode(" ", microtime());
$this->random_number = str_replace(".", "", $sec.$usec);
// mt_srand ((double)microtime() * 1000000);
// $maxran = 1000000;
// $rand_num = mt_rand(0, $maxran);
// $datekey = date("r");
// $rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $rand_num . $datekey));
// $code = substr($rcode, 2, 6);
$recnum = $this->random_number;
// $del_time = time()+1200;
$this->secret = e107::getUserSession()->generateRandomString('*****');
$code =e107::getUserSession()->generateRandomString('*****');
e107::getSession('secureImage')->set($this->random_number, $this->secret);
$_SESSION['secure_img'][$recnum] = $code;
return $recnum;
return $this->random_number;
}
/* Return TRUE if code is valid, otherwise return FALSE
*
/**
* The secret code that should be entered by the user. Must be called after createCode();
* @return mixed
*/
function verify_code($recnum, $checkstr)
public function getSecret()
{
return $this->secret;
}
/**
* @deprecated Use invalidCode() instead. Returns true when the code doesn't match.
* Return true if code is valid, otherwise return FALSE
* @param integer $recnum The public code - returned by create_code()
* @param string $checkstr - code entered by the user.
* @return bool|mixed
*/
public function verify_code($recnum, $checkstr)
{
if ($user_func = e107::getOverride()->check($this,'verify_code'))
{
return call_user_func($user_func,$recnum,$checkstr);
}
// $sql = e107::getDb();
// $tp = e107::getParser();
$secret = e107::getSession('secureImage')->get($recnum);
if(!empty($_SESSION['secure_img'][$recnum]) && $_SESSION['secure_img'][$recnum] === $checkstr )
if(!empty($secret) && ($secret === $checkstr))
{
unset($_SESSION['secure_img']);
e107::getSession('secureImage')->clear();
return true;
}
else
{
return false;
}
/*
if ($sql->select("tmp", "tmp_info", "tmp_ip = '".$tp -> toDB($rec_num)."'")) {
$row = $sql->fetch();
$sql->delete("tmp", "tmp_ip = '".$tp -> toDB($rec_num)."'");
//list($code, $path) = explode(",", $row['tmp_info']);
$code = intval($row['tmp_info']);
return ($checkstr == $code);
}
return FALSE;*/
}
// Return an Error message (true) if check fails, otherwise return false.
/**
* Returns an Error message (true) if check fails, otherwise return false.
* @param $rec_num
* @param $checkstr
* @return bool|mixed|string
* @return bool
*/
function invalidCode($rec_num=null, $checkstr=null)
{
@ -125,15 +134,14 @@ class secure_image
return LAN_INVALID_CODE;
}
}
//XXX Discuss - Add more posibilities for themers? e_CAPTCHA_BGIMAGE, e_CAPTCH_WIDTH, e_CAPTCHA_HEIGHT?
/**
* @return mixed|string
* @deprecated Use renderImage() instead.
* @return string
*/
function r_image()
public function r_image()
{
if ($user_func = e107::getOverride()->check($this,'r_image'))
{
@ -149,20 +157,21 @@ class secure_image
$color = 'cccccc';
}
$code = $this->create_code();
return "<img src='".e_IMAGE_ABS."secimg.php?id={$code}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
return "<img src='".e_IMAGE_ABS."secimg.php?id={$this->random_number}&amp;clr={$color}' class='icon secure-image' alt='Missing Code' style='max-width:100%' />";
}
function renderImage() // Alias of r_image
/**
* Return the rendered code/image.
* @return mixed|string
*/
public function renderImage() // Alias of r_image
{
return $this->r_image();
}
function hex2rgb($hex)
private function hex2rgb($hex)
{
$hex = str_replace("#", "", $hex);
@ -186,7 +195,8 @@ class secure_image
/**
* @return mixed|string
* Render the input where the user will enter the code.
* @return string
*/
function renderInput()
{
@ -202,6 +212,7 @@ class secure_image
/**
* Return the label to accompany the input.
* @return mixed|string
*/
function renderLabel()
@ -259,9 +270,9 @@ class secure_image
// $code = intval($row['tmp_info']); // new value
if(isset($_SESSION['secure_img'][$recnum]))
if($tmp = e107::getSession('secureImage')->get($recnum))
{
$code = $_SESSION['secure_img'][$recnum];
$code = $tmp;
}
else
{
@ -433,7 +444,7 @@ class secure_image
}
function imageCreateTransparent($x, $y)
private function imageCreateTransparent($x, $y)
{
$imageOut = imagecreatetruecolor($x, $y);
$backgroundColor = imagecolorallocatealpha($imageOut, 0, 0, 0, 127);

6
e107_handlers/user_model.php
View File

@ -1785,6 +1785,12 @@ class e_user extends e_user_model
}
$userlogin = new userlogin();
if(e_PAGE === 'admin.php')
{
$userlogin->setSecureImageMode('admin'); // use the admin secure code pref.
}
$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
$userdata = $userlogin->getUserData();

6
e107_images/secimg.php
View File

@ -47,16 +47,15 @@ if(!isset($mySQLserver))
// require_once(realpath(e_BASE.$HANDLERS_DIRECTORY.DIRECTORY_SEPARATOR."secure_img_handler.php"));
require_once(e_HANDLER."secure_img_handler.php");
$sim = e107::getSecureImg();
$sim = new secure_image();
if(!isset($_GET['id']))
{
exit;
}
$code = $_GET['id'];
$code = (int) $_GET['id'];
if(!empty($_GET['clr']) && preg_match('/^[a-f0-9]{6}$/i', $_GET['clr'])) //hex color is valid
{
@ -72,4 +71,3 @@ $sim->render($code,$color);
exit;
?>

111
e107_tests/tests/unit/secure_imageTest.php Normal file
View File

@ -0,0 +1,111 @@
<?php
class secure_imageTest extends \Codeception\Test\Unit
{
/** @var secure_image */
protected $si;
protected function _before()
{
try
{
$this->si = e107::getSecureImg();
}
catch(Exception $e)
{
$this->assertTrue(false, $e->getMessage());
}
}
public function testCodeAndVerify()
{
$code = $this->si->create_code();
$this->si->renderImage();
$this->si->renderInput();
$secret = $this->si->getSecret();
$result = $this->si->invalidCode($code, $secret);
$this->assertFalse($result);
$code = $this->si->create_code(); // code above is destroyed upon successful match.
$secret = $this->si->getSecret();
$result = $this->si->verify_code($code, $secret);
$this->assertTrue($result);
$code = $this->si->create_code();
$result = $this->si->invalidCode($code, 'bad code');
$this->assertSame('Incorrect code entered.', $result);
$result = $this->si->verify_code($code, 'bad code');
$this->assertFalse($result);
}
/*
public function testInvalidCode()
{
}
public function testRenderImage()
{
}
public function testCreate_code()
{
}
public function testHex2rgb()
{
}
public function testRender()
{
}
public function testRenderLabel()
{
}
public function test__construct()
{
}
public function testR_image()
{
}
public function testRenderInput()
{
}
public function testVerify_code()
{
}
public function testImageCreateTransparent()
{
}
*/
}