makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 14:18:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

#i41

Browse source 
(basically do not allow autocompletion for admin re-authentication)


git-svn-id: file:///svn/phpbb/trunk@8126 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen 2007-10-03 17:47:58 +00:00
parent cfe004f2a2
commit 7a942662d9
3 changed files with 46 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
phpBB/includes/functions.php
View file

@ -2170,8 +2170,28 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
if (isset($_POST['login'])) if (isset($_POST['login']))
{ {
// Get credential
if ($admin)
{
$credential = request_var('credential', '');
if (strspn($credential, 'abcdef0123456789') !== strlen($credential) || strlen($credential) != 32)
{
if ($user->data['is_registered'])
{
add_log('admin', 'LOG_ADMIN_AUTH_FAIL');
}
trigger_error('NO_AUTH_ADMIN');
}
$password = request_var('password_' . $credential, '', true);
}
else
{
$password = request_var('password', '', true);
}
$username = request_var('username', '', true); $username = request_var('username', '', true);
$password = request_var('password', '', true);
$autologin = (!empty($_POST['autologin'])) ? true : false; $autologin = (!empty($_POST['autologin'])) ? true : false;
$viewonline = (!empty($_POST['viewonline'])) ? 0 : 1; $viewonline = (!empty($_POST['viewonline'])) ? 0 : 1;
$admin = ($admin) ? 1 : 0; $admin = ($admin) ? 1 : 0;
@ -2310,7 +2330,20 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
$redirect .= $user->page['page_name'] . (($user->page['query_string']) ? '?' . htmlspecialchars($user->page['query_string']) : ''); $redirect .= $user->page['page_name'] . (($user->page['query_string']) ? '?' . htmlspecialchars($user->page['query_string']) : '');
} }
$s_hidden_fields = build_hidden_fields(array('redirect' => $redirect, 'sid' => $user->session_id)); // Assign credential for username/password pair
$credential = ($admin) ? md5(unique_id()) : false;
$s_hidden_fields = array(
'redirect' => $redirect,
'sid' => $user->session_id,
);
if ($admin)
{
$s_hidden_fields['credential'] = $credential;
}
$s_hidden_fields = build_hidden_fields($s_hidden_fields);
$template->assign_vars(array( $template->assign_vars(array(
'LOGIN_ERROR' => $err, 'LOGIN_ERROR' => $err,
@ -2326,8 +2359,11 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
'S_HIDDEN_FIELDS' => $s_hidden_fields, 'S_HIDDEN_FIELDS' => $s_hidden_fields,
'S_ADMIN_AUTH' => $admin, 'S_ADMIN_AUTH' => $admin,
'USERNAME' => ($admin) ? $user->data['username'] : '') 'USERNAME' => ($admin) ? $user->data['username'] : '',
);
'USERNAME_CREDENTIAL' => 'username',
'PASSWORD_CREDENTIAL' => ($admin) ? 'password_' . $credential : 'password',
));
page_header($user->lang['LOGIN']); page_header($user->lang['LOGIN']);

8
phpBB/styles/prosilver/template/login_body.html
View file

@ -11,12 +11,12 @@
<fieldset <!-- IF not S_CONFIRM_CODE -->class="fields1"<!-- ELSE -->class="fields2"<!-- ENDIF -->> <fieldset <!-- IF not S_CONFIRM_CODE -->class="fields1"<!-- ELSE -->class="fields2"<!-- ENDIF -->>
<!-- IF LOGIN_ERROR --><div class="error">{LOGIN_ERROR}</div><!-- ENDIF --> <!-- IF LOGIN_ERROR --><div class="error">{LOGIN_ERROR}</div><!-- ENDIF -->
<dl> <dl>
<dt><label for="username">{L_USERNAME}:</label></dt> <dt><label for="{USERNAME_CREDENTIAL}">{L_USERNAME}:</label></dt>
<dd><input type="text" tabindex="1" name="username" id="username" size="25" value="{USERNAME}" class="inputbox autowidth" /></dd> <dd><input type="text" tabindex="1" name="{USERNAME_CREDENTIAL}" id="{USERNAME_CREDENTIAL}" size="25" value="{USERNAME}" class="inputbox autowidth" /></dd>
</dl> </dl>
<dl> <dl>
<dt><label for="password">{L_PASSWORD}:</label></dt> <dt><label for="{PASSWORD_CREDENTIAL}">{L_PASSWORD}:</label></dt>
<dd><input type="password" tabindex="2" id="password" name="password" size="25" class="inputbox autowidth" /></dd> <dd><input type="password" tabindex="2" id="{PASSWORD_CREDENTIAL}" name="{PASSWORD_CREDENTIAL}" size="25" class="inputbox autowidth" /></dd>
<!-- IF S_DISPLAY_FULL_LOGIN and (U_SEND_PASSWORD or U_RESEND_ACTIVATION) --> <!-- IF S_DISPLAY_FULL_LOGIN and (U_SEND_PASSWORD or U_RESEND_ACTIVATION) -->
<!-- IF U_SEND_PASSWORD --><dd><a href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a></dd><!-- ENDIF --> <!-- IF U_SEND_PASSWORD --><dd><a href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a></dd><!-- ENDIF -->
<!-- IF U_RESEND_ACTIVATION --><dd><a href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a></dd><!-- ENDIF --> <!-- IF U_RESEND_ACTIVATION --><dd><a href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a></dd><!-- ENDIF -->

4
phpBB/styles/subsilver2/template/login_body.html
View file

@ -35,7 +35,7 @@
<tr> <tr>
<td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_USERNAME}:</b></td> <td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_USERNAME}:</b></td>
<td><input class="post" type="text" name="username" size="25" value="{USERNAME}" tabindex="1" /> <td><input class="post" type="text" name="{USERNAME_CREDENTIAL}" size="25" value="{USERNAME}" tabindex="1" />
<!-- IF not S_ADMIN_AUTH --> <!-- IF not S_ADMIN_AUTH -->
<br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a> <br /><a class="gensmall" href="{U_REGISTER}">{L_REGISTER}</a>
<!-- ENDIF --> <!-- ENDIF -->
@ -44,7 +44,7 @@
<tr> <tr>
<td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_PASSWORD}:</b></td> <td valign="top" <!-- IF S_ADMIN_AUTH -->style="width: 50%; text-align: {S_CONTENT_FLOW_END};"<!-- ENDIF -->><b class="gensmall">{L_PASSWORD}:</b></td>
<td> <td>
<input class="post" type="password" name="password" size="25" tabindex="2" /> <input class="post" type="password" name="{PASSWORD_CREDENTIAL}" size="25" tabindex="2" />
<!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF --> <!-- IF U_SEND_PASSWORD --><br /><a class="gensmall" href="{U_SEND_PASSWORD}">{L_FORGOT_PASS}</a><!-- ENDIF -->
<!-- IF U_RESEND_ACTIVATION and not S_ADMIN_AUTH --><br /><a class="gensmall" href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a><!-- ENDIF --> <!-- IF U_RESEND_ACTIVATION and not S_ADMIN_AUTH --><br /><a class="gensmall" href="{U_RESEND_ACTIVATION}">{L_RESEND_ACTIVATION}</a><!-- ENDIF -->
</td> </td>