


Bug #18009 » t3lib_userauth_r2944.diff

Administrator Admin, 2008-01-25 13:05


t3lib/class.t3lib_userauth.php (working copy)
var $formfield_uident = ''; // formfield with password
var $formfield_chalvalue = ''; // formfield with a unique value which is used to encrypt the password and username
var $formfield_status = ''; // formfield with status: *'login', 'logout'. If empty login is not verified.
var $security_level = 'normal'; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
var $security_level = ''; // sets the level of security. *'normal' = clear-text. 'challenged' = hashed password/username from form in $formfield_uident. 'superchallenged' = hashed password hashed again with username.
var $auth_include = ''; // this is the name of the include-file containing the login form. If not set, login CAN be anonymous. If set login IS needed.
......
// backend or frontend login - used for auth services
$this->loginType = ($this->name=='fe_typo_user') ? 'FE' : 'BE';
// set level to normal if not already set
$this->security_level = $this->security_level ? $this->security_level : 'normal';
// set level to normal if not already set
if (!$this->security_level) {
if ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel']) {
$this->security_level = $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'];
} else {
$this->security_level = 'normal';
}
}
// enable dev logging if set
if ($TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['writeDevLog']) $this->writeDevLog = TRUE;
......
* @internal
*/
function processLoginData($loginData, $security_level='') {
global $TYPO3_CONF_VARS;
$loginSecurityLevel = $security_level ? $security_level : ($TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] ? $TYPO3_CONF_VARS[$this->loginType]['loginSecurityLevel'] : $this->security_level);
$loginSecurityLevel = $security_level ? $security_level : $this->security_level;
// Processing data according to the state it was submitted in.
// ($loginSecurityLevel should reflect the security level used on the data being submitted in the login form)
if ($loginSecurityLevel=='normal') {
$loginData['uident_text'] = $loginData['uident'];
$loginData['uident_challenged'] = (string)md5($loginData['uname'].':'.$loginData['uident'].':'.$loginData['chalvalue']);
$loginData['uident_superchallenged'] = (string)md5($loginData['uname'].':'.(md5($loginData['uident'])).':'.$loginData['chalvalue']);
$loginData['uident'] = $loginData['uident_text'];
} elseif ($loginSecurityLevel=='challenged') {
$loginData['uident_text'] = '';
$loginData['uident_challenged'] = $loginData['uident'];
$loginData['uident_superchallenged'] = '';
$loginData['uident'] = $loginData['uident_challenged'];
} elseif ($loginSecurityLevel=='superchallenged') {
$loginData['uident_text'] = '';
$loginData['uident_challenged'] = '';
$loginData['uident_superchallenged'] = $loginData['uident'];
}
// The password "uident" is set based on the internal security setting of TYPO3
// Example:
// $this->security_level for the backend must be "superchallenged" because passwords are stored as md5-hashes in the be_users table
// $this->security_level for the frontend must be "normal" or "challenged" because passwords are stored as clear-text in the fe_users tables
if ($this->security_level=='normal') {
$loginData['uident'] = $loginData['uident_text'];
} elseif ($this->security_level=='challenged') {
$loginData['uident'] = $loginData['uident_challenged'];
} elseif ($this->security_level=='superchallenged') {
$loginData['uident'] = $loginData['uident_superchallenged'];
}
return $loginData;
}
......
switch ($security_level) {
case 'superchallenged': // If superchallenged the password in the database ($user[$this->userident_column]) must be a md5-hash of the original password.
$F_chalvalue = $loginData['chalvalue'];
if (strlen($F_chalvalue)) {
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('count(*) as count', 'tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
$cnt = $row['count'];
// If we don't find this challenge in the database it's invalid
if (!$cnt) {
if ($this->writeDevLog) t3lib_div::devLog('Table stored superchallenge-Code did not match submitted challenge "'.$loginData['chalvalue'].'" , so authentication failed!', 't3lib_userAuth', 2);
$this->logoff();
return FALSE;
} else {
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
}
}
else {
if ($this->writeDevLog) t3lib_div::devLog('No chalvalue found, so authentication failed!', 't3lib_userAuth', 2);
$this->logoff();
return FALSE;
}
case 'challenged':
// Check challenge stored in cookie:
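Review bot: The new superchallenged branch verifies the one-time challenge with a SELECT count(*) and only then deletes the row, so two requests carrying the same chalvalue that arrive inside that window both see count=1 and both pass — the check-then-delete is not atomic and the challenge is replayable. Consume it in a single DELETE and treat the affected-row count as the verdict (this assumes the DB wrapper exposes an affected-rows accessor, as the other `exec_*` helpers suggest; confirm its name). Note also that the lookup only tests existence, so unless the tx_felogin_challenge table is pruned elsewhere a stale challenge stays valid indefinitely, and that a core t3lib class now depends on an extension-owned table, which will make the query fail where felogin is not installed. The enclosing authentication function starts and ends outside this hunk, and the branch intentionally falls through into `case 'challenged':`.

```php
case 'superchallenged': // If superchallenged the password in the database ($user[$this->userident_column]) must be a md5-hash of the original password.
    $F_chalvalue = $loginData['chalvalue'];
    if (!strlen($F_chalvalue)) {
        if ($this->writeDevLog) t3lib_div::devLog('No chalvalue found, so authentication failed!', 't3lib_userAuth', 2);
        $this->logoff();
        return FALSE;
    }
    // Consume the challenge atomically: one DELETE, then judge by how many rows went.
    $GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
    if ($GLOBALS['TYPO3_DB']->sql_affected_rows() < 1) {
        if ($this->writeDevLog) t3lib_div::devLog('Table stored superchallenge-Code did not match submitted challenge "'.$loginData['chalvalue'].'" , so authentication failed!', 't3lib_userAuth', 2);
        $this->logoff();
        return FALSE;
    }
    // … unchanged: falls through to case 'challenged' (cookie challenge check) …
```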