PageRenderTime 27ms CodeModel.GetById 31ms RepoModel.GetById 0ms app.codeStats 0ms

/lib/auth.php

https://bitbucket.org/minaco2/pukiwiki
PHP | 228 lines | 159 code | 33 blank | 36 comment | 34 complexity | c5bc071f7e0a2555618165e7de46f546 MD5 | raw file
    

  1. <?php
    2. 

  2. // PukiWiki - Yet another WikiWikiWeb clone
    3. 

  3. // $Id: auth.php,v 1.22 2011/01/25 15:01:01 henoheno Exp $
    4. 

  4. // Copyright (C) 2003-2005, 2007 PukiWiki Developers Team
    5. 

  5. // License: GPL v2 or (at your option) any later version
    6. 

  6. //
    7. 

  7. // Authentication related functions
    8. 

  8. 

  9. define('PKWK_PASSPHRASE_LIMIT_LENGTH', 512);
    10. 

  10. 

  11. // Passwd-auth related ----
    12. 

  12. 

  13. function pkwk_login($pass = '')
    14. 

  14. {
    15. 

  15. 	global $adminpass;
    16. 

  16. 

  17. 	if (! PKWK_READONLY && isset($adminpass) &&
    18. 

  18. 		pkwk_hash_compute($pass, $adminpass) === $adminpass) {
    19. 

  19. 		return TRUE;
    20. 

  20. 	} else {
    21. 

  21. 		sleep(2);       // Blocking brute force attack
    22. 

  22. 		return FALSE;
    23. 

  23. 	}
    24. 

  24. }
    25. 

  25. 

  26. // Compute RFC2307 'userPassword' value, like slappasswd (OpenLDAP)
    27. 

  27. // $phrase : Pass-phrase
    28. 

  28. // $scheme : Specify '{scheme}' or '{scheme}salt'
    29. 

  29. // $prefix : Output with a scheme-prefix or not
    30. 

  30. // $canonical : Correct or Preserve $scheme prefix
    31. 

  31. function pkwk_hash_compute($phrase = '', $scheme = '{x-php-md5}', $prefix = TRUE, $canonical = FALSE)
    32. 

  32. {
    33. 

  33. 	if (! is_string($phrase) || ! is_string($scheme)) return FALSE;
    34. 

  34. 

  35. 	if (strlen($phrase) > PKWK_PASSPHRASE_LIMIT_LENGTH)
    36. 

  36. 		die('pkwk_hash_compute(): malicious message length');
    37. 

  37. 

  38. 	// With a {scheme}salt or not
    39. 

  39. 	$matches = array();
    40. 

  40. 	if (preg_match('/^(\{.+\})(.*)$/', $scheme, $matches)) {
    41. 

  41. 		$scheme = & $matches[1];
    42. 

  42. 		$salt   = & $matches[2];
    43. 

  43. 	} else if ($scheme != '') {
    44. 

  44. 		$scheme  = ''; // Cleartext
    45. 

  45. 		$salt    = '';
    46. 

  46. 	}
    47. 

  47. 

  48. 	// Compute and add a scheme-prefix
    49. 

  49. 	switch (strtolower($scheme)) {
    50. 

  50. 

  51. 	// PHP crypt()
    52. 

  52. 	case '{x-php-crypt}' :
    53. 

  53. 		$hash = ($prefix ? ($canonical ? '{x-php-crypt}' : $scheme) : '') .
    54. 

  54. 			($salt != '' ? crypt($phrase, $salt) : crypt($phrase));
    55. 

  55. 		break;
    56. 

  56. 

  57. 	// PHP md5()
    58. 

  58. 	case '{x-php-md5}'   :
    59. 

  59. 		$hash = ($prefix ? ($canonical ? '{x-php-md5}' : $scheme) : '') .
    60. 

  60. 			md5($phrase);
    61. 

  61. 		break;
    62. 

  62. 

  63. 	// PHP sha1()
    64. 

  64. 	case '{x-php-sha1}'  :
    65. 

  65. 		$hash = ($prefix ? ($canonical ? '{x-php-sha1}' : $scheme) : '') .
    66. 

  66. 			sha1($phrase);
    67. 

  67. 		break;
    68. 

  68. 

  69. 	// LDAP CRYPT
    70. 

  70. 	case '{crypt}'       :
    71. 

  71. 		$hash = ($prefix ? ($canonical ? '{CRYPT}' : $scheme) : '') .
    72. 

  72. 			($salt != '' ? crypt($phrase, $salt) : crypt($phrase));
    73. 

  73. 		break;
    74. 

  74. 

  75. 	// LDAP MD5
    76. 

  76. 	case '{md5}'         :
    77. 

  77. 		$hash = ($prefix ? ($canonical ? '{MD5}' : $scheme) : '') .
    78. 

  78. 			base64_encode(hex2bin(md5($phrase)));
    79. 

  79. 		break;
    80. 

  80. 

  81. 	// LDAP SMD5
    82. 

  82. 	case '{smd5}'        :
    83. 

  83. 		// MD5 Key length = 128bits = 16bytes
    84. 

  84. 		$salt = ($salt != '' ? substr(base64_decode($salt), 16) : substr(crypt(''), -8));
    85. 

  85. 		$hash = ($prefix ? ($canonical ? '{SMD5}' : $scheme) : '') .
    86. 

  86. 			base64_encode(hex2bin(md5($phrase . $salt)) . $salt);
    87. 

  87. 		break;
    88. 

  88. 

  89. 	// LDAP SHA
    90. 

  90. 	case '{sha}'         :
    91. 

  91. 		$hash = ($prefix ? ($canonical ? '{SHA}' : $scheme) : '') .
    92. 

  92. 			base64_encode(hex2bin(sha1($phrase)));
    93. 

  93. 		break;
    94. 

  94. 

  95. 	// LDAP SSHA
    96. 

  96. 	case '{ssha}'        :
    97. 

  97. 		// SHA-1 Key length = 160bits = 20bytes
    98. 

  98. 		$salt = ($salt != '' ? substr(base64_decode($salt), 20) : substr(crypt(''), -8));
    99. 

  99. 		$hash = ($prefix ? ($canonical ? '{SSHA}' : $scheme) : '') .
    100. 

  100. 			base64_encode(hex2bin(sha1($phrase . $salt)) . $salt);
    101. 

  101. 		break;
    102. 

  102. 

  103. 	// LDAP CLEARTEXT and just cleartext
    104. 

  104. 	case '{cleartext}'   : /* FALLTHROUGH */
    105. 

  105. 	case ''              :
    106. 

  106. 		$hash = ($prefix ? ($canonical ? '{CLEARTEXT}' : $scheme) : '') .
    107. 

  107. 			$phrase;
    108. 

  108. 		break;
    109. 

  109. 

  110. 	// Invalid scheme
    111. 

  111. 	default:
    112. 

  112. 		$hash = FALSE;
    113. 

  113. 		break;
    114. 

  114. 	}
    115. 

  115. 

  116. 	return $hash;
    117. 

  117. }
    118. 

  118. 

  119. 

  120. // Basic-auth related ----
    121. 

  121. 

  122. // Check edit-permission
    123. 

  123. function check_editable($page, $auth_flag = TRUE, $exit_flag = TRUE)
    124. 

  124. {
    125. 

  125. 	global $script, $_title_cannotedit, $_msg_unfreeze;
    126. 

  126. 

  127. 	if (edit_auth($page, $auth_flag, $exit_flag) && is_editable($page)) {
    128. 

  128. 		// Editable
    129. 

  129. 		return TRUE;
    130. 

  130. 	} else {
    131. 

  131. 		// Not editable
    132. 

  132. 		if ($exit_flag === FALSE) {
    133. 

  133. 			return FALSE; // Without exit
    134. 

  134. 		} else {
    135. 

  135. 			// With exit
    136. 

  136. 			$body = $title = str_replace('$1',
    137. 

  137. 				htmlsc(strip_bracket($page)), $_title_cannotedit);
    138. 

  138. 			if (! is_cantedit($page) && is_freeze($page)) {
    139. 

  139. 				$body .= '(<a href="' . $script . '?cmd=unfreeze&amp;page=' .
    140. 

  140. 					rawurlencode($page) . '">' . $_msg_unfreeze . '</a>)';
    141. 

  141. 			}
    142. 

  142. 			$page = str_replace('$1', make_search($page), $_title_cannotedit);
    143. 

  143. 			catbody($title, $page, $body);
    144. 

  144. 			exit;
    145. 

  145. 		}
    146. 

  146. 	}
    147. 

  147. }
    148. 

  148. 

  149. // Check read-permission
    150. 

  150. function check_readable($page, $auth_flag = TRUE, $exit_flag = TRUE)
    151. 

  151. {
    152. 

  152. 	return read_auth($page, $auth_flag, $exit_flag);
    153. 

  153. }
    154. 

  154. 

  155. function edit_auth($page, $auth_flag = TRUE, $exit_flag = TRUE)
    156. 

  156. {
    157. 

  157. 	global $edit_auth, $edit_auth_pages, $_title_cannotedit;
    158. 

  158. 	return $edit_auth ?  basic_auth($page, $auth_flag, $exit_flag,
    159. 

  159. 		$edit_auth_pages, $_title_cannotedit) : TRUE;
    160. 

  160. }
    161. 

  161. 

  162. function read_auth($page, $auth_flag = TRUE, $exit_flag = TRUE)
    163. 

  163. {
    164. 

  164. 	global $read_auth, $read_auth_pages, $_title_cannotread;
    165. 

  165. 	return $read_auth ?  basic_auth($page, $auth_flag, $exit_flag,
    166. 

  166. 		$read_auth_pages, $_title_cannotread) : TRUE;
    167. 

  167. }
    168. 

  168. 

  169. // Basic authentication
    170. 

  170. function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot)
    171. 

  171. {
    172. 

  172. 	global $auth_method_type, $auth_users, $_msg_auth;
    173. 

  173. 

  174. 	// Checked by:
    175. 

  175. 	$target_str = '';
    176. 

  176. 	if ($auth_method_type == 'pagename') {
    177. 

  177. 		$target_str = $page; // Page name
    178. 

  178. 	} else if ($auth_method_type == 'contents') {
    179. 

  179. 		$target_str = get_source($page, TRUE, TRUE); // Its contents
    180. 

  180. 	}
    181. 

  181. 

  182. 	$user_list = array();
    183. 

  183. 	foreach($auth_pages as $key=>$val)
    184. 

  184. 		if (preg_match($key, $target_str))
    185. 

  185. 			$user_list = array_merge($user_list, explode(',', $val));
    186. 

  186. 

  187. 	if (empty($user_list)) return TRUE; // No limit
    188. 

  188. 

  189. 	$matches = array();
    190. 

  190. 	if (! isset($_SERVER['PHP_AUTH_USER']) &&
    191. 

  191. 		! isset($_SERVER ['PHP_AUTH_PW']) &&
    192. 

  192. 		isset($_SERVER['HTTP_AUTHORIZATION']) &&
    193. 

  193. 		preg_match('/^Basic (.*)$/', $_SERVER['HTTP_AUTHORIZATION'], $matches))
    194. 

  194. 	{
    195. 

  195. 

  196. 		// Basic-auth with $_SERVER['HTTP_AUTHORIZATION']
    197. 

  197. 		list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
    198. 

  198. 			explode(':', base64_decode($matches[1]));
    199. 

  199. 	}
    200. 

  200. 

  201. 	if (PKWK_READONLY ||
    202. 

  202. 		! isset($_SERVER['PHP_AUTH_USER']) ||
    203. 

  203. 		! in_array($_SERVER['PHP_AUTH_USER'], $user_list) ||
    204. 

  204. 		! isset($auth_users[$_SERVER['PHP_AUTH_USER']]) ||
    205. 

  205. 		pkwk_hash_compute(
    206. 

  206. 			$_SERVER['PHP_AUTH_PW'],
    207. 

  207. 			$auth_users[$_SERVER['PHP_AUTH_USER']]
    208. 

  208. 			) !== $auth_users[$_SERVER['PHP_AUTH_USER']])
    209. 

  209. 	{
    210. 

  210. 		// Auth failed
    211. 

  211. 		pkwk_common_headers();
    212. 

  212. 		if ($auth_flag) {
    213. 

  213. 			header('WWW-Authenticate: Basic realm="' . $_msg_auth . '"');
    214. 

  214. 			header('HTTP/1.0 401 Unauthorized');
    215. 

  215. 		}
    216. 

  216. 		if ($exit_flag) {
    217. 

  217. 			$body = $title = str_replace('$1',
    218. 

  218. 				htmlsc(strip_bracket($page)), $title_cannot);
    219. 

  219. 			$page = str_replace('$1', make_search($page), $title_cannot);
    220. 

  220. 			catbody($title, $page, $body);
    221. 

  221. 			exit;
    222. 

  222. 		}
    223. 

  223. 		return FALSE;
    224. 

  224. 	} else {
    225. 

  225. 		return TRUE;
    226. 

  226. 	}
    227. 

  227. }
    228. 

  228. ?>
    229. 

  229.