0015673_v2_43.patch

Administrator Admin, 2010-09-09 14:49


t3lib/class.t3lib_beuserauth.php (Arbeitskopie)
371 371
	 * @return	string
372 372
	 */
373 373
	function veriCode()	{
374
		return substr(md5($this->id.$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']),0,10);
374
		return substr(md5($this->getIdHash . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);
375 375
	}
376 376

  
377 377

  
......
393 393
				$dbres = $GLOBALS['TYPO3_DB']->exec_SELECTquery(
394 394
						'*',
395 395
						$this->session_table.','.$this->user_table,
396
						$this->session_table.'.ses_id = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->id, $this->session_table).'
396
						'MD5(' . $this->session_table.'.ses_id) = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->getIdHash(), $this->session_table).'
397 397
							AND '.$this->session_table.'.ses_name = '.$GLOBALS['TYPO3_DB']->fullQuoteStr($this->name, $this->session_table).'
398 398
							AND '.$this->session_table.'.ses_userid = '.$this->user_table.'.'.$this->userid_column.'
399 399
							'.$this->ipLockClause().'
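Review bot: In `veriCode()` the line that references the new accessor reads `$this->getIdHash` without parentheses, which is a property read rather than a call to the `getIdHash()` method this patch adds to t3lib_userauth. Unless a magic getter exists outside this view, that evaluates to NULL, so the result collapses to the first ten characters of `md5()` over the encryption key alone: the same value for every session, no longer bound to any one of them. It should read `return substr(md5($this->getIdHash() . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), 0, 10);`. Separately, the rewritten condition `MD5(ses_id) = …` in the second hunk applies a function to the column, which usually prevents use of an index on `ses_id` for a lookup that runs on every backend request; that query continues outside the hunk.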
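--- a/t3lib/class.t3lib_userauth.php
+++ b/t3lib/class.t3lib_userauth.php
@@ -157,6 +157,7 @@
 
 		// Internals
 	var $id;							// Internal: Will contain session_id (MD5-hash)
+	protected $idHash;					// Internal: MD5 hash of the session id, used in combination with veriCode (vC)
 	var $cookieId;						// Internal: Will contain the session_id gotten from cookie or GET method. This is used in statistics as a reliable cookie (one which is known to come from $_COOKIE).
 	var $loginFailure = FALSE;			// Indicates if an authentication was started but failed
 	var $loginSessionStarted = FALSE;	// Will be set to true if the login session is actually written during auth-check.
@@ -769,6 +770,11 @@
 		$dbres = $this->fetchUserSessionFromDB();
 
 		if ($dbres && $user = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($dbres)) {
+				// Set session id if not set (authorized by idHash and veriCode):
+			if (!$this->id) {
+				$this->id = $user['ses_id'];
+			}
+
 				// A user was found
 			if (is_string($this->auth_timeout_field))	{
 				$timeout = intval($user[$this->auth_timeout_field]);		// Get timeout-time from usertable
@@ -944,6 +950,20 @@
 	}
 
 	/**
+	 * Gets the current idHash.
+	 *
+	 * @return string
+	 */
+	public function getIdHash() {
+		if (!isset($this->idHash)) {
+			$idHash = t3lib_div::_GP('idHash');
+			$this->idHash = ($idHash ? $idHash : md5($this->id));
+		}
+
+		return $this->idHash;
+	}
+
+	/**
 	 * This returns the where-clause needed to lock a user to a hash integer
 	 *
 	 * @return	string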
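Review bot: In `getIdHash()` the request parameter `idHash` takes precedence over `md5($this->id)` even when a cookie session id is already set, so a request can steer the session lookup shown in class.t3lib_beuserauth.php to a different session row than the one its cookie names. Fall back to the parameter only when no session id is present and accept it only if it has the shape of an MD5 hex digest, e.g. `$idHash = $this->id ? '' : (string) t3lib_div::_GP('idHash');` followed by `if (!preg_match('/^[0-9a-f]{32}$/', $idHash)) { $idHash = ''; }`. The new `if (!$this->id) { $this->id = $user['ses_id']; }` branch adopts whatever row matched, so it relies on the veriCode check having passed first; that check is not visible in this section and should be confirmed for every class that overrides `fetchUserSessionFromDB()`. The value is also memoised on first use, so it goes stale if `$this->id` is assigned later in the same request.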
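--- a/typo3/js/flashupload.js
+++ b/typo3/js/flashupload.js
@@ -280,6 +280,7 @@
 			swfConfig.post_params            = Ext.value(this.uploadPostParams, this.swfDefaultConfig.post_params);
 			// add the veriCode from the backend.php to verify the session with the flash client
 			swfConfig.post_params.vC         = top.TS.veriCode;
+			swfConfig.post_params.idHash     = top.TS.idHash;
 			swfConfig.file_types_description = Ext.value(this.uploadFileTypesDescription, this.swfDefaultConfig.file_types_description);
 			this.setFileTypeRestrictions(this.uploadFileTypes);
 			return swfConfig;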
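--- a/typo3/backend.php
+++ b/typo3/backend.php
@@ -361,6 +361,7 @@
 			'condensedMode' => $GLOBALS['BE_USER']->uc['condensedMode'] ? 1 : 0 ,
 			'workspaceFrontendPreviewEnabled' => $GLOBALS['BE_USER']->workspace != 0 && !$GLOBALS['BE_USER']->user['workspace_preview'] ? 0 : 1,
 			'veriCode' => $GLOBALS['BE_USER']->veriCode(),
+			'idHash' => $GLOBALS['BE_USER']->getIdHash(),
 			'denyFileTypes' => PHP_EXTENSIONS_DEFAULT,
 			'showRefreshLoginPopup' => isset($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) ? intval($GLOBALS['TYPO3_CONF_VARS']['BE']['showRefreshLoginPopup']) : FALSE,
 		);
@@ -442,6 +443,7 @@
 		this.navFrameWidth = 0;
 		this.securityLevel = TYPO3.configuration.securityLevel;
 		this.veriCode = TYPO3.configuration.veriCode;
+		this.idHash = TYPO3.configuration.idHash;
 		this.denyFileTypes = TYPO3.configuration.denyFileTypes;
 	}
 	var TS = new typoSetup();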
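Review bot: The added `'idHash' => $GLOBALS['BE_USER']->getIdHash()` entry places a session-selecting value next to `veriCode` in script-readable state (`TYPO3.configuration`, then `top.TS`), and nothing at either added line documents that the pair is sensitive. Going by the userauth change in this patch, the two values together are accepted in place of the session cookie, so they should be handled as a bearer credential rather than as ordinary UI configuration. I would add a comment above the new array entry such as `// idHash + veriCode authorise a cookie-less request (flash uploader); treat as a session credential, never log or pass to other origins`. It would also help to state there which endpoints honour the pair, which cannot be told from this section. The configuration array and `typoSetup()` both begin outside the hunks shown.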