kashire
/
lainchan
4
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 26 Wiki Activité
The version of vichan running on lainchan.org
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
4009 Révisions
3 Branches
120MB
Aborescence: a3b9c4405c
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'a3b9c4405c'
${ noResults }
lainchan/inc/mod/auth.php

216 lignes
6.3KB
Brut Annotations Historique 

  1. <?php

  2. 

  3. /*

  4.  *  Copyright (c) 2010-2013 Tinyboard Development Group

  5.  */

  6. 

  7. defined('TINYBOARD') or exit;

  8. 

  9. // create a hash/salt pair for validate logins

  10. function mkhash($username, $password, $salt = false) {

  11. 	global $config;

  12. 	

  13. 	if (!$salt) {

  14. 		// create some sort of salt for the hash

  15. 		$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);

  16. 		

  17. 		$generated_salt = true;

  18. 	}

  19. 	

  20. 	// generate hash (method is not important as long as it's strong)

  21. 	$hash = substr(

  22. 		base64_encode(

  23. 			md5(

  24. 				$username . $config['cookies']['salt'] . sha1(

  25. 					$username . $password . $salt . (

  26. 						$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''

  27. 					), true

  28. 				) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema

  29. 				, true

  30. 			)

  31. 		), 0, 20

  32. 	);

  33. 	

  34. 	if (isset($generated_salt))

  35. 		return array($hash, $salt);

  36. 	else

  37. 		return $hash;

  38. }

  39. 

  40. function crypt_password_old($password) {

  41. 	$salt = generate_salt();

  42. 	$password = hash('sha256', $salt . sha1($password));

  43. 	return array($salt, $password);

  44. }

  45. 

  46. function crypt_password($password) {

  47. 	global $config;

  48. 	// `salt` database field is reused as a version value. We don't want it to be 0.

  49. 	$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;

  50. 	$new_salt = generate_salt();

  51. 	$password = crypt($password, $config['password_crypt'] . $new_salt . "$");

  52. 	return array($version, $password);

  53. }

  54. 

  55. function test_password($password, $salt, $test) {

  56. 	global $config;

  57. 

  58. 	// Version = 0 denotes an old password hashing schema. In the same column, the

  59. 	// password hash was kept previously

  60. 	$version = (strlen($salt) <= 8) ? (int) $salt : 0;

  61. 

  62. 	if ($version == 0) {

  63. 		$comp = hash('sha256', $salt . sha1($test));

  64. 	}

  65. 	else {

  66. 		$comp = crypt($test, $password);

  67. 	}

  68. 	return array($version, hash_equals($password, $comp));

  69. }

  70. 

  71. function generate_salt() {

  72. 	// 128 bits of entropy

  73. 	return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');

  74. }

  75. 

  76. function login($username, $password) {

  77. 	global $mod, $config;

  78. 	

  79. 	$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE BINARY `username` = :username");

  80. 	$query->bindValue(':username', $username);

  81. 	$query->execute() or error(db_error($query));

  82. 	

  83. 	if ($user = $query->fetch(PDO::FETCH_ASSOC)) {

  84. 		list($version, $ok) = test_password($user['password'], $user['version'], $password);

  85. 

  86. 		if ($ok) {

  87. 			if ($config['password_crypt_version'] > $version) {

  88. 				// It's time to upgrade the password hashing method!

  89. 				list ($user['version'], $user['password']) = crypt_password($password);

  90. 				$query = prepare("UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id");

  91. 				$query->bindValue(':password', $user['password']);

  92. 				$query->bindValue(':version', $user['version']);

  93. 				$query->bindValue(':id', $user['id']);

  94. 				$query->execute() or error(db_error($query));

  95. 			}

  96. 

  97. 			return $mod = array(

  98. 				'id' => $user['id'],

  99. 				'type' => $user['type'],

  100. 				'username' => $username,

  101. 				'hash' => mkhash($username, $user['password']),

  102. 				'boards' => explode(',', $user['boards'])

  103. 			);

  104. 		}

  105. 	}

  106. 	

  107. 	return false;

  108. }

  109. 

  110. function setCookies() {

  111. 	global $mod, $config;

  112. 	if (!$mod)

  113. 		error('setCookies() was called for a non-moderator!');

  114. 	

  115. 	setcookie($config['cookies']['mod'],

  116. 			$mod['username'] . // username

  117. 			':' . 

  118. 			$mod['hash'][0] . // password

  119. 			':' .

  120. 			$mod['hash'][1], // salt

  121. 		time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', $config['cookies']['httponly']);

  122. }

  123. 

  124. function destroyCookies() {

  125. 	global $config;

  126. 	// Delete the cookies

  127. 	setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);

  128. }

  129. 

  130. function modLog($action, $_board=null) {

  131. 	global $mod, $board, $config;

  132. 	$query = prepare("INSERT INTO ``modlogs`` VALUES (:id, :ip, :board, :time, :text)");

  133. 	$query->bindValue(':id', (isset($mod['id']) ? $mod['id'] : -1), PDO::PARAM_INT);

  134. 	$query->bindValue(':ip', $_SERVER['REMOTE_ADDR']);

  135. 	$query->bindValue(':time', time(), PDO::PARAM_INT);

  136. 	$query->bindValue(':text', $action);

  137. 	if (isset($_board))

  138. 		$query->bindValue(':board', $_board);

  139. 	elseif (isset($board))

  140. 		$query->bindValue(':board', $board['uri']);

  141. 	else

  142. 		$query->bindValue(':board', null, PDO::PARAM_NULL);

  143. 	$query->execute() or error(db_error($query));

  144. 	

  145. 	if ($config['syslog'])

  146. 		_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action);

  147. }

  148. 

  149. function create_pm_header() {

  150. 	global $mod, $config;

  151. 	

  152. 	if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) {

  153. 		if ($header === true)

  154. 			return false;

  155. 	

  156. 		return $header;

  157. 	}

  158. 	

  159. 	$query = prepare("SELECT `id` FROM ``pms`` WHERE `to` = :id AND `unread` = 1");

  160. 	$query->bindValue(':id', $mod['id'], PDO::PARAM_INT);

  161. 	$query->execute() or error(db_error($query));

  162. 	

  163. 	if ($pm = $query->fetch(PDO::FETCH_ASSOC))

  164. 		$header = array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1);

  165. 	else

  166. 		$header = true;

  167. 	

  168. 	if ($config['cache']['enabled'])

  169. 		cache::set('pm_unread_' . $mod['id'], $header);

  170. 	

  171. 	if ($header === true)

  172. 		return false;

  173. 	

  174. 	return $header;

  175. }

  176. 

  177. function make_secure_link_token($uri) {

  178. 	global $mod, $config;

  179. 	return substr(sha1($config['cookies']['salt'] . '-' . $uri . '-' . $mod['id']), 0, 8);

  180. }

  181. 

  182. function check_login($prompt = false) {

  183. 	global $config, $mod;

  184. 	// Validate session

  185. 	if (isset($_COOKIE[$config['cookies']['mod']])) {

  186. 		// Should be username:hash:salt

  187. 		$cookie = explode(':', $_COOKIE[$config['cookies']['mod']]);

  188. 		if (count($cookie) != 3) {

  189. 			// Malformed cookies

  190. 			destroyCookies();

  191. 			if ($prompt) mod_login();

  192. 			exit;

  193. 		}

  194. 		

  195. 		$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username");

  196. 		$query->bindValue(':username', $cookie[0]);

  197. 		$query->execute() or error(db_error($query));

  198. 		$user = $query->fetch(PDO::FETCH_ASSOC);

  199. 		

  200. 		// validate password hash

  201. 		if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {

  202. 			// Malformed cookies

  203. 			destroyCookies();

  204. 			if ($prompt) mod_login();

  205. 			exit;

  206. 		}

  207. 		

  208. 		$mod = array(

  209. 			'id' => $user['id'],

  210. 			'type' => $user['type'],

  211. 			'username' => $cookie[0],

  212. 			'boards' => explode(',', $user['boards'])

  213. 		);

  214. 	}

  215. }