zeke/leftypol
1
0
Fork 0
forked from leftypol/leftypol
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request 'Disable login on insecure connections. Implements #134' (#136) from secure-login into config

Browse Source 
Reviewed-on: leftypol/leftypol#136
Closes #134
This commit is contained in:
Zankaria 2024-05-07 09:09:44 +00:00
commit 217f52ec69
5 changed files with 53 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
composer.json
View File

@ -22,7 +22,8 @@
"inc/queue.php", "inc/queue.php",
"inc/polyfill.php", "inc/polyfill.php",
"inc/error.php", "inc/error.php",
"inc/functions.php" "inc/functions.php",
"inc/functions/net.php"
] ]
}, },
"license": "Tinyboard + vichan", "license": "Tinyboard + vichan",

7
inc/config.php
View File

@ -172,7 +172,7 @@
// How long should the cookies last (in seconds). Defines how long should moderators should remain logged // How long should the cookies last (in seconds). Defines how long should moderators should remain logged
// in (0 = browser session). // in (0 = browser session).
$config['cookies']['expire'] = 60 * 60 * 24 * 30 * 6; // ~6 months $config['cookies']['expire'] = 60 * 60 * 24 * 7; // 1 week.
// Make this something long and random for security. // Make this something long and random for security.
$config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()'; $config['cookies']['salt'] = 'abcdefghijklmnopqrstuvwxyz09123456789!@#$%^&*()';
@ -180,6 +180,10 @@
// Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this. // Whether or not you can access the mod cookie in JavaScript. Most users should not need to change this.
$config['cookies']['httponly'] = true; $config['cookies']['httponly'] = true;
// Do not allow logins via unencrypted HTTP. Should only be changed in testing environments or if you connect to a
// load-balancer without encryption.
$config['cookies']['secure_login_only'] = true;
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled). // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba'; $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
@ -1216,6 +1220,7 @@
// Moderator errors // Moderator errors
$config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.'); $config['error']['toomanyunban'] = _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
$config['error']['invalid'] = _('Invalid username and/or password.'); $config['error']['invalid'] = _('Invalid username and/or password.');
$config['error']['insecure'] = _('Login on insecure connections is disabled.');
$config['error']['notamod'] = _('You are not a mod…'); $config['error']['notamod'] = _('You are not a mod…');
$config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.'); $config['error']['invalidafter'] = _('Invalid username and/or password. Your user may have been deleted or changed.');
$config['error']['malformed'] = _('Invalid/malformed cookies.'); $config['error']['malformed'] = _('Invalid/malformed cookies.');

10
inc/functions/net.php Normal file
View File

@ -0,0 +1,10 @@
<?php
namespace Vichan\Functions\Net;
/**
* @return bool Returns if the client-server connection is an encrypted one (HTTPS).
*/
function is_connection_secure(): bool {
return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off';
}

22
inc/mod/auth.php
View File

@ -4,6 +4,8 @@
* Copyright (c) 2010-2013 Tinyboard Development Group * Copyright (c) 2010-2013 Tinyboard Development Group
*/ */
use Vichan\Functions\Net;
defined('TINYBOARD') or exit; defined('TINYBOARD') or exit;
// create a hash/salt pair for validate logins // create a hash/salt pair for validate logins
@ -37,12 +39,6 @@ function mkhash($username, $password, $salt = false) {
return $hash; return $hash;
} }
function crypt_password_old($password) {
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($password));
return array($salt, $password);
}
function crypt_password($password) { function crypt_password($password) {
global $config; global $config;
// `salt` database field is reused as a version value. We don't want it to be 0. // `salt` database field is reused as a version value. We don't want it to be 0.
@ -69,12 +65,6 @@ function test_password($password, $salt, $test) {
} }
function generate_salt() { function generate_salt() {
// mcrypt_create_iv() was deprecated in PHP 7.1.0, only use it if we're below that version number.
if (PHP_VERSION_ID < 70100) {
// 128 bits of entropy
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
}
// Otherwise, use random_bytes()
return strtr(base64_encode(random_bytes(16)), '+', '.'); return strtr(base64_encode(random_bytes(16)), '+', '.');
} }
@ -117,19 +107,22 @@ function setCookies() {
if (!$mod) if (!$mod)
error('setCookies() was called for a non-moderator!'); error('setCookies() was called for a non-moderator!');
$is_https = Net\is_connection_secure();
setcookie($config['cookies']['mod'], setcookie($config['cookies']['mod'],
$mod['username'] . // username $mod['username'] . // username
':' . ':' .
$mod['hash'][0] . // password $mod['hash'][0] . // password
':' . ':' .
$mod['hash'][1], // salt $mod['hash'][1], // salt
time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', $config['cookies']['httponly']); time() + $config['cookies']['expire'], $config['cookies']['jail'] ? $config['cookies']['path'] : '/', null, $is_https, $config['cookies']['httponly']);
} }
function destroyCookies() { function destroyCookies() {
global $config; global $config;
$is_https = Net\is_connection_secure();
// Delete the cookies // Delete the cookies
setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true); setcookie($config['cookies']['mod'], 'deleted', time() - $config['cookies']['expire'], $config['cookies']['jail']?$config['cookies']['path'] : '/', null, $is_https, true);
} }
function modLog($action, $_board=null) { function modLog($action, $_board=null) {
@ -186,6 +179,7 @@ function make_secure_link_token($uri) {
function check_login($prompt = false) { function check_login($prompt = false) {
global $config, $mod; global $config, $mod;
// Validate session // Validate session
if (isset($_COOKIE[$config['cookies']['mod']])) { if (isset($_COOKIE[$config['cookies']['mod']])) {
// Should be username:hash:salt // Should be username:hash:salt

9
inc/mod/pages.php
View File

@ -4,8 +4,11 @@
* Copyright (c) 2010-2013 Tinyboard Development Group * Copyright (c) 2010-2013 Tinyboard Development Group
*/ */
use Vichan\Functions\Net;
defined('TINYBOARD') or exit; defined('TINYBOARD') or exit;
function mod_page($title, $template, $args, $subtitle = false) { function mod_page($title, $template, $args, $subtitle = false) {
global $config, $mod; global $config, $mod;
@ -35,9 +38,11 @@ function clone_wrapped_with_exist_check($clonefn, $src, $dest) {
function mod_login($redirect = false) { function mod_login($redirect = false) {
global $config; global $config;
$args = array(); $args = [];
if (isset($_POST['login'])) { if ($config['cookies']['secure_login_only'] && !Net\is_connection_secure()) {
$args['error'] = $config['error']['insecure'];
} elseif (isset($_POST['login'])) {
// Check if inputs are set and not empty // Check if inputs are set and not empty
if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') { if (!isset($_POST['username'], $_POST['password']) || $_POST['username'] == '' || $_POST['password'] == '') {
$args['error'] = $config['error']['invalid']; $args['error'] = $config['error']['invalid'];