X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fauth.php;h=17d4d62530088d3e717b8961e9e3104c9b0a2cce;hp=dde3147547b482272b47d88e883b83d34d2d93ba;hb=54536ecf45fc0951977ed75ce11923af9be8480f;hpb=88cb1b4d2ebd3e74fcee1d756df4e420da8bdf09;ds=sidebyside
diff --git a/functions/auth.php b/functions/auth.php
index dde31475..17d4d625 100644
--- a/functions/auth.php
+++ b/functions/auth.php
@@ -3,37 +3,366 @@
 /**
 * auth.php
 *
- * Copyright (c) 1999-2002 The SquirrelMail Project Team
- * Licensed under the GNU GPL. For full terms see the file COPYING.
- *
 * Contains functions used to do authentication.
+ *
+ * Dependencies:
+ * functions/global.php
+ * functions/strings.php.
+ *
- * $Id$
+ * @copyright 1999-2010 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
+ * @version $Id$
+ * @package squirrelmail
 */
-require_once( '../functions/page_header.php' );
-function is_logged_in () {
- global $squirrelmail_language, $frame_top, $base_uri;
+/**
+ * Detect whether user is logged in
+ *
+ * Function is similar to is_logged_in() function. If user is logged in, function
+ * returns true. If user is not logged in or session is expired, function saves $_POST
+ * and PAGE_NAME in session and returns false. POST information is saved in
+ * 'session_expired_post' variable, PAGE_NAME is saved in 'session_expired_location'.
+ *
+ * This function optionally checks the referrer of this page request. If the
+ * administrator wants to impose a check that the referrer of this page request
+ * is another page on the same domain (otherwise, the page request is likely
+ * the result of a XSS or phishing attack), then they need to specify the
+ * acceptable referrer domain in a variable named $check_referrer in
+ * config/config.php (or the configuration tool) for which the value is
+ * usually the same as the $domain setting (for example:
+ * $check_referrer = 'example.com';
+ * However, in some cases (where proxy servers are in use, etc.), the
+ * acceptable referrer might be different. If $check_referrer is set to
+ * "###DOMAIN###", then the current value of $domain is used (useful in
+ * situations where $domain might change at runtime (when using the Login
+ * Manager plugin to host multiple domains with one SquirrelMail installation,
+ * for example)):
+ * $check_referrer = '###DOMAIN###';
+ * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed
+ * by browsers, and some browsers intentionally don't send them, in which
+ * case SquirrelMail silently ignores referrer checks.
+ *
+ * Script that uses this function instead of is_logged_in() function, must handle user
+ * level messages.
+ * @return boolean
+ * @since 1.5.1
+ */
+function sqauth_is_logged_in() {
- if ( session_is_registered('user_is_logged_in') ) {
- return;
+ global $check_referrer, $domain;
+ if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+ if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+ if (!empty($check_referrer)) {
+ $ssl_check_referrer = 'https://' . $check_referrer;
+ $plain_check_referrer = 'http://' . $check_referrer;
+ }
+ if (sqsession_is_registered('user_is_logged_in')
+ && (!$check_referrer || empty($referrer)
+ || ($check_referrer && !empty($referrer)
+ && (strpos(strtolower($referrer), strtolower($plain_check_referrer)) === 0
+ || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) {
+ return true;
 }
- if (!isset($frame_top) || $frame_top == '' ) {
- $frame_top = '_top';
+ // First we store some information in the new session to prevent
+ // information-loss.
+ $session_expired_post = $_POST;
+ if (defined('PAGE_NAME'))
+ $session_expired_location = PAGE_NAME;
+ else
+ $session_expired_location = '';
+
+ if (!sqsession_is_registered('session_expired_post')) {
+ sqsession_register($session_expired_post,'session_expired_post');
 }
+ if (!sqsession_is_registered('session_expired_location')) {
+ sqsession_register($session_expired_location,'session_expired_location');
+ }
+
+ session_write_close();
+
+ return false;
+}
+
+/**
+ * Reads and decodes stored user password information
+ *
+ * Direct access to password information is deprecated.
+ * @return string password in plain text
+ * @since 1.5.1
+ */
+function sqauth_read_password() {
+ global $currentHookName;
+ if ($currentHookName == 'login_verified') global $key;
+
+ sqgetGlobalVar('key', $key, SQ_COOKIE);
+ sqgetGlobalVar('onetimepad', $onetimepad,SQ_SESSION);
+
+ return OneTimePadDecrypt($key, $onetimepad);
+}
- set_up_language($squirrelmail_language, true);
+/**
+ * Saves or updates user password information
+ *
+ * This function is used to update the password information that
+ * SquirrelMail stores in the existing PHP session. It does NOT
+ * modify the password stored in the authentication system used
+ * by the IMAP server.
+ *
+ * This function must be called before any html output is started.
+ * Direct access to password information is deprecated. The saved
+ * password information is available only to the SquirrelMail script
+ * that is called/executed AFTER the current one. If your script
+ * needs access to the saved password after a sqauth_save_password()
+ * call, use the returned OTP encrypted key.
+ *
+ * @param string $pass password
+ *
+ * @return string Password encrypted with OTP. In case the script
+ * wants to access the password information before
+ * the end of its execution.
+ *
+ * @since 1.5.1
+ *
+ */
+function sqauth_save_password($pass) {
+ sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
- displayHtmlHeader( 'SquirrelMail', '', FALSE );
+ $onetimepad = OneTimePadCreate(strlen($pass));
+ sqsession_register($onetimepad,'onetimepad');
+ $key = OneTimePadEncrypt($pass, $onetimepad);
+ sqsetcookie('key', $key, false, $base_uri);
+ return $key;
+ }
- echo "
\n" . - '