Bug #23521 » 0015673_v2_43.patch

Administrator Admin, 2010-09-09 14:49


t3lib/class.t3lib_beuserauth.php (Arbeitskopie)
* @return string
*/
function veriCode() {
return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
return substr(md5($this->getIdHash . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
}
......
$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
'*',
$this->session_table.','.$this->user_table,
$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
'MD5(' . $this->session_table.'.ses_id) = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->getIdHash(), $this->session_table).'
AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
'.$this->ipLockClause().'
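Review bot: In veriCode(), the second return line reads `$this->getIdHash` without parentheses, which is a property lookup rather than a call to the getIdHash() method this patch adds in t3lib_userauth. If that line is the new side (the +/- markers are lost on this page), the hash input collapses to the encryption key alone, so every session would get the same veriCode. It should read `return substr(md5($this->getIdHash() . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);`. The session query in the next hunk does call `$this->getIdHash()`, so the two places would disagree as written. Both the docblock of veriCode() and the query start or end outside the visible lines.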
t3lib/class.t3lib_userauth.php (Arbeitskopie)
// Internals
var $id; // Internal: Will contain session_id (MD5-hash)
protected $idHash; // Internal: MD5 hash of the session id, used in combination with veriCode (vC)
var $cookieId; // Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
var $loginFailure = FALSE; // Indicates if an authentication was started but failed
var $loginSessionStarted = FALSE; // Will be set to true if the login session is actually written during auth-check.
......
$dbres = $this->fetchUserSessionFromDB();
if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
// Set session id if not set (authorized by idHash and veriCode):
if (!$this->id) {
$this->id = $user['ses_id'];
}
// A user was found
if (is_string($this->auth_timeout_field)) {
$timeout = intval($user[$this->auth_timeout_field]); // Get timeout-time from usertable
......
}
/**
* Gets the current idHash.
*
* @return string
*/
public function getIdHash() {
if (!isset($this->idHash)) {
$idHash = t3lib_div::_GP('idHash');
$this->idHash = ($idHash ? $idHash : md5($this->id));
}
return $this->idHash;
}
/**
* This returns the where-clause needed to lock a user to a hash integer
*
* @return string
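Review bot: getIdHash() takes `idHash` from any GET/POST request and prefers it over `md5($this->id)`, without checking its format or whether a session id already arrived via cookie. Because the session lookup then matches on `MD5(ses_id)` and the `if (!$this->id)` branch adopts the stored `ses_id`, the MD5 of the session id becomes a credential equivalent to the cookie. The comment says this is authorized by idHash and veriCode, but no veriCode comparison is visible before the id is adopted, so that check should be confirmed to run first. I would accept the request value only when no session id is set and it is a 32-character hex digest, assuming `$this->id` is empty in the cookieless case as that branch suggests. The same value is exported to script in typo3/backend.php and posted by typo3/js/flashupload.js, so it needs the same handling as the session id there.

```php
public function getIdHash() {
	if (!isset($this->idHash)) {
		$idHash = (string) t3lib_div::_GP('idHash');
		// Honour the request value only for cookieless requests, and only if it is a well-formed MD5 hex digest
		if (!$this->id && preg_match('/^[0-9a-f]{32}$/', $idHash)) {
			$this->idHash = $idHash;
		} else {
			$this->idHash = md5($this->id);
		}
	}
	// … unchanged: return $this->idHash …
```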
typo3/js/flashupload.js (Arbeitskopie)
swfConfig.post_params = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
// add the veriCode from the backend.php to verify the session with the flash client
swfConfig.post_params.vC = top.TS.veriCode;
swfConfig.post_params.idHash = top.TS.idHash;
swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
this.setFileTypeRestrictions(this.uploadFileTypes);
return swfConfig;
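Review bot: The comment above `swfConfig.post_params.vC` still describes only the veriCode, although the added `idHash` parameter is what the server uses to find the session for the flash client. It could read `// add veriCode and idHash from backend.php so the server can locate and verify the session for the flash client`. The enclosing function starts outside the hunk.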
typo3/backend.php (Arbeitskopie)
'condensedMode' => $GLOBALS['BE_USER']->uc['condensedMode'] ? 1 : 0 ,
'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->workspace != 0 && !$GLOBALS['BE_USER']->user['workspace_preview'] ? 0 : 1,
'veriCode' => $GLOBALS['BE_USER']->veriCode(),
'idHash' => $GLOBALS['BE_USER']->getIdHash(),
'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
'showRefreshLoginPopup' => isset($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) ? intval($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) : FALSE,
);
......
this.navFrameWidth = 0;
this.securityLevel = TYPO3.configuration.securityLevel;
this.veriCode = TYPO3.configuration.veriCode;
this.idHash = TYPO3.configuration.idHash;
this.denyFileTypes = TYPO3.configuration.denyFileTypes;
}
var TS = new typoSetup();