PageRenderTime 49ms CodeModel.GetById 24ms RepoModel.GetById 0ms app.codeStats 0ms

/htdocs/core/lib/security2.lib.php

https://bitbucket.org/speedealing/speedealing
PHP | 260 lines | 156 code | 35 blank | 69 comment | 32 complexity | ce82d864ea4991bff440b814eee5392a MD5 | raw file
Possible License(s): LGPL-3.0, LGPL-2.1, GPL-3.0, MIT 
    

  1. <?php
    2. 

  2. 

  3. /* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
    4. 

  4.  * Copyright (C) 2008-2012 Regis Houssin        <regis.houssin@capnetworks.com>
    5. 

  5.  * Copyright (C) 2011-2012 Herve Prot           <herve.prot@symeos.com>
    6. 

  6.  *
    7. 

  7.  * This program is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation; either version 3 of the License, or
    10. 

  10.  * (at your option) any later version.
    11. 

  11.  *
    12. 

  12.  * This program is distributed in the hope that it will be useful,
    13. 

  13.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  * GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  * You should have received a copy of the GNU General Public License
    18. 

  18.  * along with this program. If not, see <http://www.gnu.org/licenses/>.
    19. 

  19.  * or see http://www.gnu.org/
    20. 

  20.  */
    21. 

  21. 

  22. /**
    23. 

  23.  *  Return user/group account of web server
    24. 

  24.  *
    25. 

  25.  *  @param	string	$mode       'user' or 'group'
    26. 

  26.  *  @return string				Return user or group of web server
    27. 

  27.  */
    28. 

  28. function dol_getwebuser($mode) {
    29. 

  29.     $t = '?';
    30. 

  30.     if ($mode == 'user')
    31. 

  31.         $t = getenv('APACHE_RUN_USER');   // $_ENV['APACHE_RUN_USER'] is empty
    32. 

  32.     if ($mode == 'group')
    33. 

  33.         $t = getenv('APACHE_RUN_GROUP');
    34. 

  34.     return $t;
    35. 

  35. }
    36. 

  36. 

  37. /**
    38. 

  38.  * Show Dolibarr default login page.
    39. 

  39.  * Part of this code is also duplicated into main.inc.php::top_htmlhead
    40. 

  40.  *
    41. 

  41.  * @param		Translate	$langs		Lang object (must be initialized by a new).
    42. 

  42.  * @param		Conf		$conf		Conf object
    43. 

  43.  * @param		Societe		$mysoc		Company object
    44. 

  44.  * @return		void
    45. 

  45.  */
    46. 

  46. function dol_loginfunction($langs, $conf, $mysoc) {
    47. 

  47.     global $dolibarr_main_demo;
    48. 

  48.     global $hookmanager;
    49. 

  49. 

  50.     // Instantiate hooks of thirdparty module only if not already define
    51. 

  51.     $hookmanager->initHooks(array('mainloginpage'));
    52. 

  52. 

  53.     $langcode = (GETPOST('lang') ? ((is_object($langs) && $langs->defaultlang) ? $langs->defaultlang : 'auto') : GETPOST('lang'));
    54. 

  54.     $langs->setDefaultLang($langcode);
    55. 

  55. 

  56.     $langs->load("main");
    57. 

  57.     $langs->load("other");
    58. 

  58.     $langs->load("help");
    59. 

  59.     $langs->load("admin");
    60. 

  60. 

  61.     $main_authentication = $conf->file->main_authentication;
    62. 

  62.     $session_name = session_name();
    63. 

  63. 

  64.     $dol_url_root = DOL_URL_ROOT;
    65. 

  65. 

  66.     $php_self = $_SERVER['PHP_SELF'];
    67. 

  67.     $php_self.= $_SERVER["QUERY_STRING"] ? '?' . $_SERVER["QUERY_STRING"] : '';
    68. 

  68. 

  69.     // Title
    70. 

  70.     $title = 'Speedealing ' . DOL_VERSION;
    71. 

  71. 

  72.     // Select templates
    73. 

  73.     $template_dir = DOL_DOCUMENT_ROOT . "/core/tpl/";
    74. 

  74. 

  75.     $conf->css = "/theme/" . (GETPOST('theme') ? GETPOST('theme', 'alpha') : $conf->theme) . "/style.css.php?lang=" . $langs->defaultlang;
    76. 

  76.     $conf_css = DOL_URL_ROOT . $conf->css;
    77. 

  77. 

  78.     // Set cookie for timeout management
    79. 

  79.     $prefix = dol_getprefix();
    80. 

  80.     $sessiontimeout = 'DOLSESSTIMEOUT_' . $prefix;
    81. 

  81.     if (!empty($conf->global->MAIN_SESSION_TIMEOUT))
    82. 

  82.         setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0);
    83. 

  83. 

  84.     if (GETPOST('urlfrom', 'alpha'))
    85. 

  85.         $_SESSION["urlfrom"] = GETPOST('urlfrom', 'alpha');
    86. 

  86.     else
    87. 

  87.         unset($_SESSION["urlfrom"]);
    88. 

  88. 

  89.     // Show logo (search in order: small company logo, large company logo, theme logo, common logo)
    90. 

  90.     $width = 0;
    91. 

  91. 

  92.     // Home message
    93. 

  93.     if (!empty($conf->global->MAIN_HOME)) {
    94. 

  94.         $i = 0;
    95. 

  95.         while (preg_match('/__\(([a-zA-Z]+)\)__/i', $conf->global->MAIN_HOME, $reg) && $i < 100) {
    96. 

  96.             $conf->global->MAIN_HOME = preg_replace('/__\(' . $reg[1] . '\)__/i', $langs->trans($reg[1]), $conf->global->MAIN_HOME);
    97. 

  97.             $i++;
    98. 

  98.         }
    99. 

  99.     }
    100. 

  100.     $main_home = (!empty($conf->global->MAIN_HOME) ? dol_htmlcleanlastbr($conf->global->MAIN_HOME) : '');
    101. 

  101. 

  102.     // Google AD
    103. 

  103.     $main_google_ad_client = ((!empty($conf->global->MAIN_GOOGLE_AD_CLIENT) && !empty($conf->global->MAIN_GOOGLE_AD_SLOT)) ? 1 : 0);
    104. 

  104. 

  105.     $dol_loginmesg = (!empty($_SESSION["dol_loginmesg"]) ? $_SESSION["dol_loginmesg"] : '');
    106. 

  106.     $favicon = DOL_URL_ROOT . '/theme/' . $conf->theme . '/img/favicon.ico';
    107. 

  107.     $jquerytheme = 'smoothness';
    108. 

  108. 

  109.     include $template_dir . 'login.tpl.php'; // To use native PHP
    110. 

  110. 

  111. 

  112.     $_SESSION["dol_loginmesg"] = '';
    113. 

  113. }
    114. 

  114. 

  115. /**
    116. 

  116.  *  Fonction pour initialiser un salt pour la fonction crypt.
    117. 

  117.  *
    118. 

  118.  *  @param		int		$type		2=>renvoi un salt pour cryptage DES
    119. 

  119.  * 									12=>renvoi un salt pour cryptage MD5
    120. 

  120.  * 									non defini=>renvoi un salt pour cryptage par defaut
    121. 

  121.  * 	@return		string				Salt string
    122. 

  122.  */
    123. 

  123. function makesalt($type = CRYPT_SALT_LENGTH) {
    124. 

  124.     dol_syslog("makesalt type=" . $type);
    125. 

  125.     switch ($type) {
    126. 

  126.         case 12: // 8 + 4
    127. 

  127.             $saltlen = 8;
    128. 

  128.             $saltprefix = '$1$';
    129. 

  129.             $saltsuffix = '$';
    130. 

  130.             break;
    131. 

  131.         case 8:  // 8 (Pour compatibilite, ne devrait pas etre utilise)
    132. 

  132.             $saltlen = 8;
    133. 

  133.             $saltprefix = '$1$';
    134. 

  134.             $saltsuffix = '$';
    135. 

  135.             break;
    136. 

  136.         case 2:  // 2
    137. 

  137.         default:  // by default, fall back on Standard DES (should work everywhere)
    138. 

  138.             $saltlen = 2;
    139. 

  139.             $saltprefix = '';
    140. 

  140.             $saltsuffix = '';
    141. 

  141.             break;
    142. 

  142.     }
    143. 

  143.     $salt = '';
    144. 

  144.     while (dol_strlen($salt) < $saltlen)
    145. 

  145.         $salt.=chr(mt_rand(64, 126));
    146. 

  146. 

  147.     $result = $saltprefix . $salt . $saltsuffix;
    148. 

  148.     dol_syslog("makesalt return=" . $result);
    149. 

  149.     return $result;
    150. 

  150. }
    151. 

  151. 

  152. /**
    153. 

  153.  *  Encode or decode database password in config file
    154. 

  154.  *
    155. 

  155.  *  @param   	int		$level   	Encode level: 0 no encoding, 1 encoding
    156. 

  156.  * 	@return		int					<0 if KO, >0 if OK
    157. 

  157.  */
    158. 

  158. function encodedecode_dbpassconf($level = 0) {
    159. 

  159.     dol_syslog("encodedecode_dbpassconf level=" . $level, LOG_DEBUG);
    160. 

  160.     $config = '';
    161. 

  161.     $passwd = '';
    162. 

  162.     $passwd_crypted = '';
    163. 

  163. 

  164.     if ($fp = fopen(DOL_DOCUMENT_ROOT . '/conf/conf.php', 'r')) {
    165. 

  165.         while (!feof($fp)) {
    166. 

  166.             $buffer = fgets($fp, 4096);
    167. 

  167. 

  168.             $lineofpass = 0;
    169. 

  169. 

  170.             if (preg_match('/^[^#]*dolibarr_main_db_encrypted_pass[\s]*=[\s]*(.*)/i', $buffer, $reg)) { // Old way to save crypted value
    171. 

  171.                 $val = trim($reg[1]); // This also remove CR/LF
    172. 

  172.                 $val = preg_replace('/^["\']/', '', $val);
    173. 

  173.                 $val = preg_replace('/["\'][\s;]*$/', '', $val);
    174. 

  174.                 if (!empty($val)) {
    175. 

  175.                     $passwd_crypted = $val;
    176. 

  176.                     $val = dol_decode($val);
    177. 

  177.                     $passwd = $val;
    178. 

  178.                     $lineofpass = 1;
    179. 

  179.                 }
    180. 

  180.             } elseif (preg_match('/^[^#]*dolibarr_main_db_pass[\s]*=[\s]*(.*)/i', $buffer, $reg)) {
    181. 

  181.                 $val = trim($reg[1]); // This also remove CR/LF
    182. 

  182.                 $val = preg_replace('/^["\']/', '', $val);
    183. 

  183.                 $val = preg_replace('/["\'][\s;]*$/', '', $val);
    184. 

  184.                 if (preg_match('/crypted:/i', $buffer)) {
    185. 

  185.                     $val = preg_replace('/crypted:/i', '', $val);
    186. 

  186.                     $passwd_crypted = $val;
    187. 

  187.                     $val = dol_decode($val);
    188. 

  188.                     $passwd = $val;
    189. 

  189.                 } else {
    190. 

  190.                     $passwd = $val;
    191. 

  191.                     $val = dol_encode($val);
    192. 

  192.                     $passwd_crypted = $val;
    193. 

  193.                 }
    194. 

  194.                 $lineofpass = 1;
    195. 

  195.             }
    196. 

  196. 

  197.             // Output line
    198. 

  198.             if ($lineofpass) {
    199. 

  199.                 // Add value at end of file
    200. 

  200.                 if ($level == 0) {
    201. 

  201.                     $config .= '$dolibarr_main_db_pass=\'' . $passwd . '\';' . "\n";
    202. 

  202.                 }
    203. 

  203.                 if ($level == 1) {
    204. 

  204.                     $config .= '$dolibarr_main_db_pass=\'crypted:' . $passwd_crypted . '\';' . "\n";
    205. 

  205.                 }
    206. 

  206. 

  207.                 //print 'passwd = '.$passwd.' - passwd_crypted = '.$passwd_crypted;
    208. 

  208.                 //exit;
    209. 

  209.             } else {
    210. 

  210.                 $config .= $buffer;
    211. 

  211.             }
    212. 

  212.         }
    213. 

  213.         fclose($fp);
    214. 

  214. 

  215.         // Write new conf file
    216. 

  216.         $file = DOL_DOCUMENT_ROOT . '/conf/conf.php';
    217. 

  217.         if ($fp = @fopen($file, 'w')) {
    218. 

  218.             fputs($fp, $config);
    219. 

  219.             fclose($fp);
    220. 

  220.             // It's config file, so we set read permission for creator only.
    221. 

  221.             // Should set permission to web user and groups for users used by batch
    222. 

  222.             //@chmod($file, octdec('0600'));
    223. 

  223. 

  224.             return 1;
    225. 

  225.         } else {
    226. 

  226.             dol_syslog("encodedecode_dbpassconf Failed to open conf.php file for writing", LOG_WARNING);
    227. 

  227.             return -1;
    228. 

  228.         }
    229. 

  229.     } else {
    230. 

  230.         dol_syslog("encodedecode_dbpassconf Failed to read conf.php", LOG_ERR);
    231. 

  231.         return -2;
    232. 

  232.     }
    233. 

  233. }
    234. 

  234. 

  235. /**
    236. 

  236.  * Return a generated password using default module
    237. 

  237.  *
    238. 

  238.  * @param		boolean		$generic		true=Create generic password (a MD5 string), false=Use the configured password generation module
    239. 

  239.  * @return		string						New value for password
    240. 

  240.  */
    241. 

  241. function getRandomPassword($generic = false) {
    242. 

  242.     global $db, $conf, $langs, $user;
    243. 

  243. 

  244.     $generated_password = '';
    245. 

  245.     if ($generic)
    246. 

  246.         $generated_password = dol_hash(mt_rand());
    247. 

  247.     else if ($conf->global->USER_PASSWORD_GENERATED) {
    248. 

  248.         $nomclass = "modGeneratePass" . ucfirst($conf->global->USER_PASSWORD_GENERATED);
    249. 

  249.         $nomfichier = $nomclass . ".class.php";
    250. 

  250.         //print DOL_DOCUMENT_ROOT."/core/modules/security/generate/".$nomclass;
    251. 

  251.         require_once(DOL_DOCUMENT_ROOT . "/core/modules/security/generate/" . $nomfichier);
    252. 

  252.         $genhandler = new $nomclass($db, $conf, $langs, $user);
    253. 

  253.         $generated_password = $genhandler->getNewGeneratedPassword();
    254. 

  254.         unset($genhandler);
    255. 

  255.     }
    256. 

  256. 

  257.     return $generated_password;
    258. 

  258. }
    259. 

  259. 

  260. ?>
    261.