
Feature #18039 » felogin-trunk2944.diff

Administrator Admin, 2008-01-22 16:59

View differences:

typo3/sysext/felogin/ext_localconf.php (working copy)
t3lib_extMgm::addTypoScript($_EXTKEY,'setup','# Setting '.$_EXTKEY.' plugin TypoScript'.$addLine.'',43);
if ($TYPO3_CONF_VARS['FE']['passwordType'] == 'md5' && $TYPO3_CONF_VARS['FE']['loginSecurityLevel'] == 'superchallenged') {
t3lib_extMgm::addService($_EXTKEY, 'auth' /* sv type */, 'tx_felogin' /* sv key */,
array(
//activate support for kb_md5fepw
if (t3lib_extMgm::isLoaded('kb_md5fepw') && (TYPO3_MODE == 'FE')) {
$GLOBALS ['TYPO3_CONF_VARS']['EXTCONF']['felogin']['loginFormOnSubmitFuncs'][] = 'tx_kbmd5fepw_newloginbox->loginFormOnSubmit';
require_once(t3lib_extMgm::extPath('kb_md5fepw').'pi1/class.tx_kbmd5fepw_newloginbox.php');
}
'title' => 'FE MD5 authentication with superchallenge',
'description' => 'Performs the server side part of the challenge response authentication.',
'subtype' => 'authUserFE',
'available' => true,
'priority' => 70,
'quality' => 70,
'os' => '',
'exec' => '',
'classFile' => t3lib_extMgm::extPath($_EXTKEY).'sv1/class.tx_felogin_sv1.php',
'className' => 'tx_felogin_sv1',
)
);
?>
typo3/sysext/felogin/ext_tables.sql (working copy)
#
# Table structure for table 'fe_groups'
#
CREATE TABLE fe_groups (
felogin_redirectPid tinytext
);
#
# Table structure for table 'fe_users'
#
CREATE TABLE fe_users (
felogin_redirectPid tinytext
);
#
# Table structure for table 'fe_groups'
#
CREATE TABLE fe_groups (
felogin_redirectPid tinytext
);
#
# Table structure for table 'fe_users'
#
CREATE TABLE fe_users (
felogin_redirectPid tinytext
);
CREATE TABLE tx_felogin_challenge (
challenge varchar(100) DEFAULT '' NOT NULL,
tstamp int(11) DEFAULT '0' NOT NULL,
PRIMARY KEY (challenge)
);
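Review bot: The new tx_felogin_challenge table has no index on `tstamp`, and none of the files shown here ever removes rows that were issued but not redeemed. getFormOnSubmitMD5() inserts one row each time the login form is rendered, while authUser() deletes a row only when a submitted challenge matched, so the table grows with every anonymous page view. I would add `KEY tstamp (tstamp)` to the definition and delete rows older than the intended challenge lifetime whenever a new challenge is issued. If cleanup exists elsewhere in the tree, a comment here pointing to it would help.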
typo3/sysext/felogin/pi1/class.tx_felogin_pi1.php (working copy)
$onSubmit = implode('; ', $onSubmitAr).'; return true;';
$extraHidden = implode(chr(10), $extraHiddenAr);
}
// Implements the MD5 superchallenged On Submit as in Hook
// keeps hook in mind
if ( $GLOBALS['TYPO3_CONF_VARS']['FE']['passwordType'] == 'md5' && $GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] == 'superchallenged') {
list($onSub, $hid) = $this->getFormOnSubmitMD5();
$onSubmit = $onSub . $onSubmit;;
$extraHidden .= $hid;
}
// Login form
$markerArray['###ACTION_URI###'] = $this->getPageLink('',array(),true);
$markerArray['###EXTRA_HIDDEN###'] = $extraHidden; // used by kb_md5fepw extension...
......
}
return $pass;
}
/*
* return the additional onSubmit-JS Code, for superchallenged Login
* copied from kb_md5fepw/class.tx_kbmd5fepw_newloginbox.php
* original Name loginFormOnSubmit()
*/
private function getFormOnSubmitMD5() {
$js = '
function superchallenge_pass(form) {
var pass = form.pass.value;
if (pass) {
var enc_pass = MD5(pass);
var str = form.user.value+":"+enc_pass+":"+form.challenge.value;
form.pass.value = MD5(str);
return true;
} else {
return false;
}
}
';
$GLOBALS['TSFE']->JSCode .= $js;
$GLOBALS['TSFE']->additionalHeaderData['tx_felogin'] = '<script language="JavaScript" type="text/javascript" src="typo3/md5.js"></script>';
$chal_val = md5(time().getmypid());
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
$onSubmit = 'superchallenge_pass(this)';
$hidden = '<input type="hidden" name="challenge" value="'.$chal_val.'">';
return array($onSubmit, $hidden);
}
/**
* Returns the header / message value from flexform if present, else from locallang.xml
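Review bot: In getFormOnSubmitMD5() the challenge is built as `md5(time().getmypid())`, which is guessable from the request time and a small PID range, and which repeats when the same PHP process renders two forms within one second. In that case the INSERT hits the PRIMARY KEY on `challenge`, and the unchecked `$res` hides the failure, so two visitors share one single-use challenge. The value should come from an unpredictable source (on a current PHP, for example `bin2hex(random_bytes(16))`), and the insert result should be checked before the hidden field is emitted. The same two lines appear in user_felogin_challenge::getChallenge() in tools/user_getChallenge.php. Separately, `$onSubmit = $onSub . $onSubmit;;` joins the call to any hook-provided handlers without a `; ` separator; the surrounding render method starts outside this section.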
typo3/sysext/felogin/sv1/class.tx_felogin_sv1.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
* All rights reserved
*
* Based on ext/sv/class.tx_sv_auth.php:
* (c) 2004-2005 Ren? Fritz <r.fritz@colorcube.de>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
* A copy is found in the textfile GPL.txt and important notices to the license
* from the author is found in LICENSE.txt distributed with these scripts.
*
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* Service class which performs challenge response.
* copied from kb_md5fepw
* $Id$
*
* @author Kraft Bernhard <kraftb@kraftb.at>
* @author Ren? Fritz <r.fritz@colorcube.de>
*/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*/
class tx_felogin_sv1 extends tx_sv_authbase {
/**
* Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
*
* @param array Data of user.
* @return boolean
*/
function authUser($user) {
$OK = 100;
if ($this->login['uident'] && $this->login['uname']) {
// Checking password match for user:
$OK = $this->compareUident($user, $this->login, 'superchallenged');
$F_chalvalue = $this->login['chalvalue'];
if (strlen($F_chalvalue)) {
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('count(*) as count', 'tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
$cnt = $row['count'];
// If we don't find this challenge in the database it's invalid
if (!$cnt) {
$OK = 0;
} else {
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
}
}
if(!$OK) {
// Failed login attempt (wrong password) - write that to the log!
if ($this->writeAttemptLog) {
$this->writelog(255,3,3,1,
"Login-attempt from %s (%s), username '%s', password not accepted!",
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
}
if ($this->writeDevLog) t3lib_div::devLog('Password not accepted: '.$this->login['uident'], 'tx_sv_auth', 2);
}
// Checking the domain (lockToDomain)
if ($OK && $user['lockToDomain'] && $user['lockToDomain']!=$this->authInfo['HTTP_HOST']) {
// Lock domain didn't match, so error:
if ($this->writeAttemptLog) {
$this->writelog(255,3,3,1,
"Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!",
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
}
$OK = false;
}
}
return $OK>0?200:0;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']);
}
?>
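Review bot: In authUser() the one-time-challenge lookup is wrapped in `if (strlen($F_chalvalue))`, so a login submitted with an empty `chalvalue` skips the tx_felogin_challenge check and is decided by compareUident() alone. Unless compareUident() (defined outside this patch) rejects an empty challenge, the single-use guarantee only holds when the client chooses to send one; I would fail closed with `if (!strlen($F_chalvalue)) { $OK = 0; }`. The stored `tstamp` is never compared, so an issued challenge stays valid until it is used; an age condition in the SELECT's WHERE clause would bound that. The devLog call also writes `$this->login['uident']`, the submitted response, to the developer log, where logging `$this->login['uname']` would avoid storing credential material. The same file is rendered a second time directly below, and these points apply to that copy as well.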
typo3/sysext/felogin/sv1/class.tx_felogin_sv1.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
* All rights reserved
*
* Based on ext/sv/class.tx_sv_auth.php:
* (c) 2004-2005 Ren? Fritz <r.fritz@colorcube.de>
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
* A copy is found in the textfile GPL.txt and important notices to the license
* from the author is found in LICENSE.txt distributed with these scripts.
*
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* Service class which performs challenge response.
* copied from kb_md5fepw
* $Id$
*
* @author Kraft Bernhard <kraftb@kraftb.at>
* @author Ren? Fritz <r.fritz@colorcube.de>
*/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*/
class tx_felogin_sv1 extends tx_sv_authbase {
/**
* Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
*
* @param array Data of user.
* @return boolean
*/
function authUser($user) {
$OK = 100;
if ($this->login['uident'] && $this->login['uname']) {
// Checking password match for user:
$OK = $this->compareUident($user, $this->login, 'superchallenged');
$F_chalvalue = $this->login['chalvalue'];
if (strlen($F_chalvalue)) {
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('count(*) as count', 'tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
$row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res);
$cnt = $row['count'];
// If we don't find this challenge in the database it's invalid
if (!$cnt) {
$OK = 0;
} else {
$GLOBALS['TYPO3_DB']->exec_DELETEquery('tx_felogin_challenge', 'challenge='.$GLOBALS['TYPO3_DB']->fullQuoteStr($F_chalvalue, 'tx_felogin_challenge'));
}
}
if(!$OK) {
// Failed login attempt (wrong password) - write that to the log!
if ($this->writeAttemptLog) {
$this->writelog(255,3,3,1,
"Login-attempt from %s (%s), username '%s', password not accepted!",
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
}
if ($this->writeDevLog) t3lib_div::devLog('Password not accepted: '.$this->login['uident'], 'tx_sv_auth', 2);
}
// Checking the domain (lockToDomain)
if ($OK && $user['lockToDomain'] && $user['lockToDomain']!=$this->authInfo['HTTP_HOST']) {
// Lock domain didn't match, so error:
if ($this->writeAttemptLog) {
$this->writelog(255,3,3,1,
"Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!",
Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
}
$OK = false;
}
}
return $OK>0?200:0;
}
}
if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']) {
include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/felogin/sv1/class.tx_felogin_sv1.php']);
}
?>
typo3/sysext/felogin/tools/user_getChallenge.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
* A copy is found in the textfile GPL.txt and important notices to the license
* from the author is found in LICENSE.txt distributed with these scripts.
*
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* Challenge generation classl
*
* $Id$
*
* @author Kraft Bernhard <kraftb@gmx.net>
*/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*/
class user_felogin_challenge {
function getChallenge() {
$chal_val = md5(time().getmypid());
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
return $chal_val;
}
}
?>
typo3/sysext/felogin/tools/user_getChallenge.php (revision 0)
<?php
/***************************************************************
* Copyright notice
*
* (c) 2005 Kraft Bernhard (kraftb@gmx.net)
* All rights reserved
*
* This script is part of the TYPO3 project. The TYPO3 project is
* free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* The GNU General Public License can be found at
* http://www.gnu.org/copyleft/gpl.html.
* A copy is found in the textfile GPL.txt and important notices to the license
* from the author is found in LICENSE.txt distributed with these scripts.
*
*
* This script is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* This copyright notice MUST APPEAR in all copies of the script!
***************************************************************/
/**
* Challenge generation classl
*
* $Id$
*
* @author Kraft Bernhard <kraftb@gmx.net>
*/
/**
* [CLASS/FUNCTION INDEX of SCRIPT]
*/
class user_felogin_challenge {
function getChallenge() {
$chal_val = md5(time().getmypid());
$res = $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_felogin_challenge', array('challenge' => $chal_val, 'tstamp' => time()));
return $chal_val;
}
}
?>