|
|
@ -4,19 +4,21 @@ |
|
|
|
* Copyright (c) 2010-2013 Tinyboard Development Group |
|
|
|
*/ |
|
|
|
|
|
|
|
use Vichan\Functions\Net; |
|
|
|
|
|
|
|
defined('TINYBOARD') or exit; |
|
|
|
|
|
|
|
// create a hash/salt pair for validate logins |
|
|
|
function mkhash($username, $password, $salt = false) { |
|
|
|
global $config; |
|
|
|
|
|
|
|
|
|
|
|
if (!$salt) { |
|
|
|
// create some sort of salt for the hash |
|
|
|
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15); |
|
|
|
|
|
|
|
|
|
|
|
$generated_salt = true; |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// generate hash (method is not important as long as it's strong) |
|
|
|
$hash = substr( |
|
|
|
base64_encode( |
|
|
@ -30,19 +32,13 @@ function mkhash($username, $password, $salt = false) { |
|
|
|
) |
|
|
|
), 0, 20 |
|
|
|
); |
|
|
|
|
|
|
|
|
|
|
|
if (isset($generated_salt)) |
|
|
|
return array($hash, $salt); |
|
|
|
else |
|
|
|
return $hash; |
|
|
|
} |
|
|
|
|
|
|
|
function crypt_password_old($password) { |
|
|
|
$salt = generate_salt(); |
|
|
|
$password = hash('sha256', $salt . sha1($password)); |
|
|
|
return array($salt, $password); |
|
|
|
} |
|
|
|
|
|
|
|
function crypt_password($password) { |
|
|
|
global $config; |
|
|
|
// `salt` database field is reused as a version value. We don't want it to be 0. |
|
|
@ -69,22 +65,16 @@ function test_password($password, $salt, $test) { |
|
|
|
} |
|
|
|
|
|
|
|
function generate_salt() { |
|
|
|
// mcrypt_create_iv() was deprecated in PHP 7.1.0, only use it if we're below that version number. |
|
|
|
if (PHP_VERSION_ID < 70100) { |
|
|
|
// 128 bits of entropy |
|
|
|
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'); |
|
|
|
} |
|
|
|
// Otherwise, use random_bytes() |
|
|
|
return strtr(base64_encode(random_bytes(16)), '+', '.'); |
|
|
|
} |
|
|
|
|
|
|
|
function login($username, $password) { |
|
|
|
global $mod, $config; |
|
|
|
|
|
|
|
|
|
|
|
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE BINARY `username` = :username"); |
|
|
|
$query->bindValue(':username', $username); |
|
|
|
$query->execute() or error(db_error($query)); |
|
|
|
|
|
|
|
|
|
|
|
if ($user = $query->fetch(PDO::FETCH_ASSOC)) { |
|
|
|
list($version, $ok) = test_password($user['password'], $user['version'], $password); |
|
|
|
|
|
|
@ -108,7 +98,7 @@ function login($username, $password) { |
|
|
|
); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
@ -116,20 +106,23 @@ function setCookies() { |
|
|
|
global $mod, $config; |
|
|
|
if (!$mod) |
|
|
|
error('setCookies() was called for a non-moderator!'); |
|
|
|
|
|
|
|
|
|
|
|
$is_https = Net\is_connection_secure(); |
|
|
|
|
|
|
|
setcookie($config['cookies']['mod'], |
|
|
|
$mod['username'] . // username |
|
|
|
':' . |
|
|
|
':' . |
|
|
|
$mod['hash'][0] . // password |
|
|
|
':' . |
|
|
|
$mod['hash'][1], // salt |
|
|
|
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', $config['cookies']['httponly']); |
|
|
|
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, $is_https, $config['cookies']['httponly']); |
|
|
|
} |
|
|
|
|
|
|
|
function destroyCookies() { |
|
|
|
global $config; |
|
|
|
$is_https = Net\is_connection_secure(); |
|
|
|
// Delete the cookies |
|
|
|
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true); |
|
|
|
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, $is_https, true); |
|
|
|
} |
|
|
|
|
|
|
|
function modLog($action, $_board=null) { |
|
|
@ -146,36 +139,36 @@ function modLog($action, $_board=null) { |
|
|
|
else |
|
|
|
$query->bindValue(':board', null, PDO::PARAM_NULL); |
|
|
|
$query->execute() or error(db_error($query)); |
|
|
|
|
|
|
|
|
|
|
|
if ($config['syslog']) |
|
|
|
_syslog(LOG_INFO, '[mod/' . $mod['username'] . ']: ' . $action); |
|
|
|
} |
|
|
|
|
|
|
|
function create_pm_header() { |
|
|
|
global $mod, $config; |
|
|
|
|
|
|
|
|
|
|
|
if ($config['cache']['enabled'] && ($header = cache::get('pm_unread_' . $mod['id'])) != false) { |
|
|
|
if ($header === true) |
|
|
|
return false; |
|
|
|
|
|
|
|
|
|
|
|
return $header; |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
$query = prepare("SELECT `id` FROM ``pms`` WHERE `to` = :id AND `unread` = 1"); |
|
|
|
$query->bindValue(':id', $mod['id'], PDO::PARAM_INT); |
|
|
|
$query->execute() or error(db_error($query)); |
|
|
|
|
|
|
|
|
|
|
|
if ($pm = $query->fetch(PDO::FETCH_ASSOC)) |
|
|
|
$header = array('id' => $pm['id'], 'waiting' => $query->rowCount() - 1); |
|
|
|
else |
|
|
|
$header = true; |
|
|
|
|
|
|
|
|
|
|
|
if ($config['cache']['enabled']) |
|
|
|
cache::set('pm_unread_' . $mod['id'], $header); |
|
|
|
|
|
|
|
|
|
|
|
if ($header === true) |
|
|
|
return false; |
|
|
|
|
|
|
|
|
|
|
|
return $header; |
|
|
|
} |
|
|
|
|
|
|
@ -186,6 +179,7 @@ function make_secure_link_token($uri) { |
|
|
|
|
|
|
|
function check_login($prompt = false) { |
|
|
|
global $config, $mod; |
|
|
|
|
|
|
|
// Validate session |
|
|
|
if (isset($_COOKIE[$config['cookies']['mod']])) { |
|
|
|
// Should be username:hash:salt |
|
|
@ -196,12 +190,12 @@ function check_login($prompt = false) { |
|
|
|
if ($prompt) mod_login(); |
|
|
|
exit; |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM ``mods`` WHERE `username` = :username"); |
|
|
|
$query->bindValue(':username', $cookie[0]); |
|
|
|
$query->execute() or error(db_error($query)); |
|
|
|
$user = $query->fetch(PDO::FETCH_ASSOC); |
|
|
|
|
|
|
|
|
|
|
|
// validate password hash |
|
|
|
if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) { |
|
|
|
// Malformed cookies |
|
|
@ -209,7 +203,7 @@ function check_login($prompt = false) { |
|
|
|
if ($prompt) mod_login(); |
|
|
|
exit; |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
$mod = array( |
|
|
|
'id' => (int)$user['id'], |
|
|
|
'type' => (int)$user['type'], |
|
|
|