# HG changeset patch
# User Dan
# Date 1193441334 14400
# Node ID 473cc747022a57d44cb2baec8b542c79c01b96c1
# Parent ebe99e82a59ac6e1518c189302a0333f42bd6b0b
# Parent 8e2fffc5c622b5665ed59e8d20d874daf3005577
You know what folks, a lot of Mercurial merges failed, and I just now figured out why. So now all changes from stable are permanently synced in.
diff -r 8e2fffc5c622 -r 473cc747022a .hgtags
--- a/.hgtags Tue Oct 23 12:30:08 2007 -0400
+++ b/.hgtags Fri Oct 26 19:28:54 2007 -0400
@@ -5,3 +5,4 @@
 6f0bbf88c3251ca597cb76ac8b59a1ee61d6dd3d rebrand
 0b5244001799fa29e83bf06c5f14eb69350f171c rebrand
 42c6c83b8a004163c9cc2d85f3c8eada3b73adf6 rebrand
+d53cc29308f4f4b97fc6d054e9e0855f37137409 rebrand
diff -r 8e2fffc5c622 -r 473cc747022a ajax.php
--- a/ajax.php Tue Oct 23 12:30:08 2007 -0400
+++ b/ajax.php Fri Oct 26 19:28:54 2007 -0400
@@ -1,425 +1,410 @@ -connect(); - - // result is sent using JSON - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $return = Array( - 'mode' => 'success', - 'users_real' => Array() - ); - - // should be connected to the DB now - $name = (isset($_GET['name'])) ? $db->escape($_GET['name']) : false; - if ( !$name ) - { - $return = array( - 'mode' => 'error', - 'error' => 'Invalid URI' - ); - die( $json->encode($return) ); - } - $allowanon = ( isset($_GET['allowanon']) && $_GET['allowanon'] == '1' ) ? '' : ' AND user_id > 1'; - $q = $db->sql_query('SELECT username FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\')' . $allowanon . ' ORDER BY username ASC;'); - if ( !$q ) - { - $return = array( - 'mode' => 'error', - 'error' => 'MySQL error selecting username data: '.addslashes(mysql_error()) - ); - die( $json->encode($return) ); - } - $i = 0; - while($r = $db->fetchrow()) - { - $return['users_real'][] = $r['username']; - $i++; - } - $db->free_result(); - - // all done! :-) - $db->close(); - - echo $json->encode( $return ); - - exit; - } - - require('includes/common.php'); - - global $db, $session, $paths, $template, $plugins; // Common objects - if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); - - $_ob = ''; - - switch($_GET['_mode']) { - case "checkusername": - echo PageUtils::checkusername($_GET['name']); - break; - case "getsource": - $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; - echo PageUtils::getsource($paths->page, $p); - break; - case "getpage": - // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); - $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); - $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); - - $pagepass = ( isset($_REQUEST['pagepass']) ) ? 
$_REQUEST['pagepass'] : ''; - $page->password = $pagepass; - - $page->send(); - break; - case "savepage": - $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; - $minor = isset($_POST['minor']); - $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); - if($e=='good') - { - $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); - $page->send(); - } - else - { - echo '

Error saving the page: '.$e.'

'; - } - break; - case "protect": - echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); - break; - case "histlist": - echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "rollback": - echo PageUtils::rollback( (int)$_GET['id'] ); - break; - case "comments": - $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); - if ( isset($_POST['data']) ) - { - $comments->process_json($_POST['data']); - } - else - { - die('{ "mode" : "error", "error" : "No input" }'); - } - break; - case "rename": - echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); - break; - case "flushlogs": - echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "deletepage": - $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; - if ( empty($reason) ) - die('Please enter a reason for deleting this page.'); - echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); - break; - case "delvote": - echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "resetdelvotes": - echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "getstyles": - echo PageUtils::getstyles($_GET['id']); - break; - case "catedit": - echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); - break; - case "catsave": - echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); - break; - case "setwikimode": - echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); - break; - case "setpass": - echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); - break; - case "fillusername": - break; - case "fillpagename": - $name = (isset($_GET['name'])) ? 
$_GET['name'] : false; - if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); - $nd = RenderMan::strToPageID($name); - $c = 0; - $u = Array(); - $n = Array(); - - $name = sanitize_page_id($name); - $name = str_replace('_', ' ', $name); - - for($i=0;$ipages)/2;$i++) - { - if( ( - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['name']) || - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname']) || - preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname_nons']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['name']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname']) || - preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname_nons']) - ) && - ( ( $nd[1] != 'Article' && $paths->pages[$i]['namespace'] == $nd[1] ) || $nd[1] == 'Article' ) - && $paths->pages[$i]['visible'] - ) - { - $c++; - $u[] = $paths->pages[$i]['name']; - $n[] = $paths->pages[$i]['urlname']; - } - } - if($c > 0) - { - echo 'userlist = new Array(); namelist = new Array(); errorstring = false; '."\n"; - for($i=0;$iInvalid request.

'; $template->footer(); break; } - if(!preg_match('#^([0-9]+)$#', (string)$_GET['diff1']) || - !preg_match('#^([0-9]+)$#', (string)$_GET['diff2'] )) { echo '

SQL injection attempt

'; $template->footer(); break; } - echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); - break; - case "jsres": - die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); - break; - case "rdns": - if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); - $ip = $_GET['ip']; - $rdns = gethostbyaddr($ip); - if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; - else echo $rdns; - break; - case 'acljson': - $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; - echo PageUtils::acl_json($parms); - break; - case "change_theme": - if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) - { - die('Invalid input'); - } - if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) - { - die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); - } - if ( !$session->user_logged_in ) - { - die('You must be logged in to change your theme'); - } - // Just in case something slipped through... - $theme_id = $db->escape($_POST['theme_id']); - $style_id = $db->escape($_POST['style_id']); - $e = $db->sql_query('UPDATE ' . table_prefix . 
"users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); - if ( !$e ) - die( $db->get_error() ); - die('GOOD'); - break; - case 'get_tags': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - - $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); - $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) - WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); - if ( !$q ) - $db->_die(); - - while ( $row = $db->fetchrow() ) - { - $can_del = true; - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - $can_del = false; - - if ( !$session->get_permissions($perm) ) - $can_del = false; - - if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - $can_del = false; - - $ret['tags'][] = array( - 'id' => $row['tag_id'], - 'name' => $row['tag_name'], - 'can_del' => $can_del, - 'acl' => ( $row['used_in_acl'] == 1 ) - ); - } - - echo $json->encode($ret); - - break; - case 'addtag': - $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); - $resp = array( - 'success' => false, - 'error' => 'No error', - 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), - 'in_acl' => false - ); - - // first of course, are we allowed to tag pages? 
- if ( !$session->get_permissions('tag_create') ) - { - $resp['error'] = 'You are not permitted to tag pages.'; - die($json->encode($resp)); - } - - // sanitize the tag name - $tag = sanitize_tag($_POST['tag']); - $tag = $db->escape($tag); - - if ( strlen($tag) < 2 ) - { - $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; - die($json->encode($resp)); - } - - // check if tag is already on page - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 ) - { - $resp['error'] = 'This page already has this tag.'; - die($json->encode($resp)); - } - $db->free_result(); - - // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access - $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); - $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); - if ( !$q ) - $db->_die(); - if ( $db->numrows() > 0 && !$can_edit_acl ) - { - $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; - die($json->encode($resp)); - } - $resp['in_acl'] = ( $db->numrows() > 0 ); - $db->free_result(); - - // we're good - $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . 
');'); - if ( !$q ) - $db->_die(); - - $resp['success'] = true; - $resp['tag'] = $tag; - $resp['tag_id'] = $db->insert_id(); - - echo $json->encode($resp); - break; - case 'deltag': - - $tag_id = intval($_POST['tag_id']); - if ( empty($tag_id) ) - die('Invalid tag ID'); - - $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t - LEFT JOIN '.table_prefix.'page_groups AS pg - ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) - WHERE t.tag_id=' . $tag_id . ';'); - - if ( !$q ) - $db->_die(); - - if ( $db->numrows() < 1 ) - die('Could not find a tag with that ID'); - - $row = $db->fetchrow(); - $db->free_result(); - - if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) - $perms =& $session; - else - $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); - - $perm = ( $row['user'] != $session->user_id ) ? - 'tag_delete_other' : - 'tag_delete_own'; - - if ( $row['user'] == 1 && !$session->user_logged_in ) - // anonymous user trying to delete tag (hardcode blacklisted) - die('You are not authorized to delete this tag.'); - - if ( !$perms->get_permissions($perm) ) - die('You are not authorized to delete this tag.'); - - if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) - die('You are not authorized to delete this tag.'); - - // We're good - $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); - if ( !$q ) - $db->_die(); - - echo 'success'; - - break; - case 'ping': - echo 'pong'; - break; - default: - die('Hacking attempt'); - break; - } - +connect(); + + // should be connected now + $name = (isset($_GET['name'])) ? 
$db->escape($_GET['name']) : false; + if ( !$name ) + { + die('userlist = new Array(); errorstring=\'Invalid URI\''); + } + $q = $db->sql_query('SELECT username,user_id FROM '.table_prefix.'users WHERE lcase(username) LIKE lcase(\'%'.$name.'%\');'); + if ( !$q ) + { + die('userlist = new Array(); errorstring=\'MySQL error selecting username data: '.addslashes(mysql_error()).'\''); + } + if($db->numrows() < 1) + { + die('userlist = new Array(); errorstring=\'No usernames found\';'); + } + echo 'var errorstring = false; userlist = new Array();'; + $i = 0; + while($r = $db->fetchrow()) + { + echo "userlist[$i] = '".addslashes($r['username'])."'; "; + $i++; + } + $db->free_result(); + + // all done! :-) + $db->close(); + exit; + } + + require('includes/common.php'); + + global $db, $session, $paths, $template, $plugins; // Common objects + if(!isset($_GET['_mode'])) die('This script cannot be accessed directly.'); + + $_ob = ''; + + switch($_GET['_mode']) { + case "checkusername": + echo PageUtils::checkusername($_GET['name']); + break; + case "getsource": + $p = ( isset($_GET['pagepass']) ) ? $_GET['pagepass'] : false; + echo PageUtils::getsource($paths->page, $p); + break; + case "getpage": + // echo PageUtils::getpage($paths->page, false, ( (isset($_GET['oldid'])) ? $_GET['oldid'] : false )); + $revision_id = ( (isset($_GET['oldid'])) ? intval($_GET['oldid']) : 0 ); + $page = new PageProcessor( $paths->cpage['urlname_nons'], $paths->namespace, $revision_id ); + + $pagepass = ( isset($_REQUEST['pagepass']) ) ? $_REQUEST['pagepass'] : ''; + $page->password = $pagepass; + + $page->send(); + break; + case "savepage": + $summ = ( isset($_POST['summary']) ) ? $_POST['summary'] : ''; + $minor = isset($_POST['minor']); + $e = PageUtils::savepage($paths->cpage['urlname_nons'], $paths->namespace, $_POST['text'], $summ, $minor); + if($e=='good') + { + $page = new PageProcessor($paths->cpage['urlname_nons'], $paths->namespace); + $page->send(); + } + else + { + echo '

Error saving the page: '.$e.'

'; + } + break; + case "protect": + echo PageUtils::protect($paths->cpage['urlname_nons'], $paths->namespace, (int)$_POST['level'], $_POST['reason']); + break; + case "histlist": + echo PageUtils::histlist($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "rollback": + echo PageUtils::rollback( (int)$_GET['id'] ); + break; + case "comments": + $comments = new Comments($paths->cpage['urlname_nons'], $paths->namespace); + if ( isset($_POST['data']) ) + { + $comments->process_json($_POST['data']); + } + else + { + die('{ "mode" : "error", "error" : "No input" }'); + } + break; + case "rename": + echo PageUtils::rename($paths->cpage['urlname_nons'], $paths->namespace, $_POST['newtitle']); + break; + case "flushlogs": + echo PageUtils::flushlogs($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "deletepage": + $reason = ( isset($_POST['reason']) ) ? $_POST['reason'] : false; + if ( empty($reason) ) + die('Please enter a reason for deleting this page.'); + echo PageUtils::deletepage($paths->cpage['urlname_nons'], $paths->namespace, $reason); + break; + case "delvote": + echo PageUtils::delvote($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "resetdelvotes": + echo PageUtils::resetdelvotes($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "getstyles": + echo PageUtils::getstyles($_GET['id']); + break; + case "catedit": + echo PageUtils::catedit($paths->cpage['urlname_nons'], $paths->namespace); + break; + case "catsave": + echo PageUtils::catsave($paths->cpage['urlname_nons'], $paths->namespace, $_POST); + break; + case "setwikimode": + echo PageUtils::setwikimode($paths->cpage['urlname_nons'], $paths->namespace, (int)$_GET['mode']); + break; + case "setpass": + echo PageUtils::setpass($paths->cpage['urlname_nons'], $paths->namespace, $_POST['password']); + break; + case "fillusername": + break; + case "fillpagename": + $name = (isset($_GET['name'])) ? 
$_GET['name'] : false; + if(!$name) die('userlist = new Array(); namelist = new Array(); errorstring=\'Invalid URI\''); + $nd = RenderMan::strToPageID($name); + $c = 0; + $u = Array(); + $n = Array(); + + $name = sanitize_page_id($name); + $name = str_replace('_', ' ', $name); + + for($i=0;$ipages)/2;$i++) + { + if( ( + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['name']) || + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname']) || + preg_match('#'.preg_quote($name).'(.*)#i', $paths->pages[$i]['urlname_nons']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['name']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname']) || + preg_match('#'.preg_quote(str_replace(' ', '_', $name)).'(.*)#i', $paths->pages[$i]['urlname_nons']) + ) && + ( ( $nd[1] != 'Article' && $paths->pages[$i]['namespace'] == $nd[1] ) || $nd[1] == 'Article' ) + && $paths->pages[$i]['visible'] + ) + { + $c++; + $u[] = $paths->pages[$i]['name']; + $n[] = $paths->pages[$i]['urlname']; + } + } + if($c > 0) + { + echo 'userlist = new Array(); namelist = new Array(); errorstring = false; '."\n"; + for($i=0;$iInvalid request.

'; $template->footer(); break; } + if(!preg_match('#^([0-9]+)$#', (string)$_GET['diff1']) || + !preg_match('#^([0-9]+)$#', (string)$_GET['diff2'] )) { echo '

SQL injection attempt

'; $template->footer(); break; } + echo PageUtils::pagediff($paths->cpage['urlname_nons'], $paths->namespace, $id1, $id2); + break; + case "jsres": + die('// ERROR: this section is deprecated and has moved to includes/clientside/static/enano-lib-basic.js.'); + break; + case "rdns": + if(!$session->get_permissions('mod_misc')) die('Go somewhere else for your reverse DNS info!'); + $ip = $_GET['ip']; + $rdns = gethostbyaddr($ip); + if($rdns == $ip) echo 'Unable to get reverse DNS information. Perhaps the DNS server is down or the PTR record no longer exists.'; + else echo $rdns; + break; + case 'acljson': + $parms = ( isset($_POST['acl_params']) ) ? rawurldecode($_POST['acl_params']) : false; + echo PageUtils::acl_json($parms); + break; + case "change_theme": + if ( !isset($_POST['theme_id']) || !isset($_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !preg_match('/^([a-z0-9_-]+)$/i', $_POST['theme_id']) || !preg_match('/^([a-z0-9_-]+)$/i', $_POST['style_id']) ) + { + die('Invalid input'); + } + if ( !file_exists(ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css') ) + { + die('Can\'t find theme file: ' . ENANO_ROOT . '/themes/' . $_POST['theme_id'] . '/css/' . $_POST['style_id'] . '.css'); + } + if ( !$session->user_logged_in ) + { + die('You must be logged in to change your theme'); + } + // Just in case something slipped through... + $theme_id = $db->escape($_POST['theme_id']); + $style_id = $db->escape($_POST['style_id']); + $e = $db->sql_query('UPDATE ' . table_prefix . 
"users SET theme='$theme_id', style='$style_id' WHERE user_id=$session->user_id;"); + if ( !$e ) + die( $db->get_error() ); + die('GOOD'); + break; + case 'get_tags': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + + $ret = array('tags' => array(), 'user_level' => $session->user_level, 'can_add' => $session->get_permissions('tag_create')); + $q = $db->sql_query('SELECT t.tag_id, t.tag_name, pg.pg_target IS NOT NULL AS used_in_acl, t.user FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( ( pg.pg_type = ' . PAGE_GRP_TAGGED . ' AND pg.pg_target=t.tag_name ) OR ( pg.pg_type IS NULL AND pg.pg_target IS NULL ) ) + WHERE t.page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND t.namespace=\'' . $db->escape($paths->namespace) . '\';'); + if ( !$q ) + $db->_die(); + + while ( $row = $db->fetchrow() ) + { + $can_del = true; + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + $can_del = false; + + if ( !$session->get_permissions($perm) ) + $can_del = false; + + if ( $row['used_in_acl'] == 1 && !$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + $can_del = false; + + $ret['tags'][] = array( + 'id' => $row['tag_id'], + 'name' => $row['tag_name'], + 'can_del' => $can_del, + 'acl' => ( $row['used_in_acl'] == 1 ) + ); + } + + echo $json->encode($ret); + + break; + case 'addtag': + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); + $resp = array( + 'success' => false, + 'error' => 'No error', + 'can_del' => ( $session->get_permissions('tag_delete_own') && $session->user_logged_in ), + 'in_acl' => false + ); + + // first of course, are we allowed to tag pages? 
+ if ( !$session->get_permissions('tag_create') ) + { + $resp['error'] = 'You are not permitted to tag pages.'; + die($json->encode($resp)); + } + + // sanitize the tag name + $tag = sanitize_tag($_POST['tag']); + $tag = $db->escape($tag); + + if ( strlen($tag) < 2 ) + { + $resp['error'] = 'Tags must consist of at least 2 alphanumeric characters.'; + die($json->encode($resp)); + } + + // check if tag is already on page + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'tags WHERE page_id=\'' . $db->escape($paths->cpage['urlname_nons']) . '\' AND namespace=\'' . $db->escape($paths->namespace) . '\' AND tag_name=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 ) + { + $resp['error'] = 'This page already has this tag.'; + die($json->encode($resp)); + } + $db->free_result(); + + // tricky: make sure this tag isn't being used in some page group, and thus adding it could affect page access + $can_edit_acl = ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ); + $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'page_groups WHERE pg_type=' . PAGE_GRP_TAGGED . ' AND pg_target=\'' . $tag . '\';'); + if ( !$q ) + $db->_die(); + if ( $db->numrows() > 0 && !$can_edit_acl ) + { + $resp['error'] = 'This tag is used in an ACL page group, and thus can\'t be added to a page by people without administrator privileges.'; + die($json->encode($resp)); + } + $resp['in_acl'] = ( $db->numrows() > 0 ); + $db->free_result(); + + // we're good + $q = $db->sql_query('INSERT INTO '.table_prefix.'tags(tag_name,page_id,namespace,user) VALUES(\'' . $tag . '\', \'' . $db->escape($paths->cpage['urlname_nons']) . '\', \'' . $db->escape($paths->namespace) . '\', ' . $session->user_id . 
');'); + if ( !$q ) + $db->_die(); + + $resp['success'] = true; + $resp['tag'] = $tag; + $resp['tag_id'] = $db->insert_id(); + + echo $json->encode($resp); + break; + case 'deltag': + + $tag_id = intval($_POST['tag_id']); + if ( empty($tag_id) ) + die('Invalid tag ID'); + + $q = $db->sql_query('SELECT t.tag_id, t.user, t.page_id, t.namespace, pg.pg_target IS NOT NULL AS used_in_acl FROM '.table_prefix.'tags AS t + LEFT JOIN '.table_prefix.'page_groups AS pg + ON ( pg.pg_id IS NULL OR ( pg.pg_target = t.tag_name AND pg.pg_type = ' . PAGE_GRP_TAGGED . ' ) ) + WHERE t.tag_id=' . $tag_id . ';'); + + if ( !$q ) + $db->_die(); + + if ( $db->numrows() < 1 ) + die('Could not find a tag with that ID'); + + $row = $db->fetchrow(); + $db->free_result(); + + if ( $row['page_id'] == $paths->cpage['urlname_nons'] && $row['namespace'] == $paths->namespace ) + $perms =& $session; + else + $perms = $session->fetch_page_acl($row['page_id'], $row['namespace']); + + $perm = ( $row['user'] != $session->user_id ) ? + 'tag_delete_other' : + 'tag_delete_own'; + + if ( $row['user'] == 1 && !$session->user_logged_in ) + // anonymous user trying to delete tag (hardcode blacklisted) + die('You are not authorized to delete this tag.'); + + if ( !$perms->get_permissions($perm) ) + die('You are not authorized to delete this tag.'); + + if ( $row['used_in_acl'] == 1 && !$perms->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN ) + die('You are not authorized to delete this tag.'); + + // We're good + $q = $db->sql_query('DELETE FROM '.table_prefix.'tags WHERE tag_id = ' . $tag_id . ';'); + if ( !$q ) + $db->_die(); + + echo 'success'; + + break; + case 'ping': + echo 'pong'; + break; + default: + die('Hacking attempt'); + break; + } + ?> \ No newline at end of file diff -r 8e2fffc5c622 -r 473cc747022a includes/captcha.php --- a/includes/captcha.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/captcha.php Fri Oct 26 19:28:54 2007 -0400 @@ -1,7 +1,8 @@
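Review bot: The username-autocomplete branch at the top of the new file builds JavaScript by hand, `echo "userlist[$i] = '".addslashes($r['username'])."'; ";`, and `addslashes()` is not a JavaScript string encoder: it leaves newlines and `</script>` untouched, so a stored username containing either can break the statement the client evaluates. The value should go through a real encoder, for example the `Services_JSON` encoder that the `get_tags` and `addtag` branches of this same file already use, if it is loadable at that point. The same branch also returns `mysql_error()` to the caller in `errorstring`; a fixed message such as `die('userlist = new Array(); errorstring=\'Database error\'');`, with the detail logged server-side, avoids exposing database internals. This branch appears to run before `require('includes/common.php')`, so presumably no session or permission check applies to the username search; its opening lines are not visible on the page as rendered, so that should be confirmed against the file.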
For security reasons, Enano mandates that high-privilege logins last only 15 minutes, with the time being reset each time a page is loaded (or, more specifically, each time the session API is started). The consequence of this is that if you are performing an action in the administration panel that takes more than 15 minutes, your session may be terminated. The keep-alive feature attempts to relieve this by sending a "ping" to the server every 10 minutes.

Please note that keep-alive state is determined by a cookie. Thus, if you log out and then back in as a different administrator, keep-alive will use the same setting that was used when you were logged in as the first administrative user. In the same way, if you log into the administration panel under your account from another computer, keep-alive will be set to "off".

For more information:
Overview of Enano'+"'"+'s security model'); } +function ajaxShowCaptcha(code) +{ + var mydiv = document.createElement('div'); + mydiv.style.backgroundColor = '#FFFFFF'; + mydiv.style.padding = '10px'; + mydiv.style.position = 'absolute'; + mydiv.style.top = '0px'; + mydiv.id = 'autoCaptcha'; + var img = document.createElement('img'); + img.onload = function() + { + if ( this.loaded ) + return true; + var mydiv = document.getElementById('autoCaptcha'); + var width = getWidth(); + var divw = $(mydiv).Width(); + var left = ( width / 2 ) - ( divw / 2 ); + mydiv.style.left = left + 'px'; + fly_in_top(mydiv, false, true); + this.loaded = true; + }; + img.src = makeUrlNS('Special', 'Captcha/' + code); + img.onclick = function() { this.src = this.src + '/a'; }; + img.style.cursor = 'pointer'; + mydiv.appendChild(img); + domObjChangeOpac(0, mydiv); + var body = document.getElementsByTagName('body')[0]; + body.appendChild(mydiv); +} + diff -r 8e2fffc5c622 -r 473cc747022a includes/clientside/static/misc.js --- a/includes/clientside/static/misc.js Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/clientside/static/misc.js Fri Oct 26 19:28:54 2007 -0400 
@@ -302,6 +302,51 @@ var ajax_auth_mb_cache = false; var ajax_auth_level_cache = false; var ajax_auth_error_string = false; +var ajax_auth_show_captcha = false; + +function ajaxAuthErrorToString($data) +{ + var $errstring = $data.error; + // this was literally copied straight from the PHP code. + switch($data.error) + { + case 'key_not_found': + $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; + break; + case 'key_wrong_length': + $errstring = 'The encryption key was the wrong length.'; + break; + case 'too_big_for_britches': + $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; + break; + case 'invalid_credentials': + $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; + if ( $data.lockout_policy == 'lockout' ) + { + $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will be locked out from logging in for '+$data['lockout_duration']+' minutes.'; + } + else if ( $data.lockout_policy == 'captcha' ) + { + $errstring += ' You have used up '+$data['lockout_fails']+' out of '+$data['lockout_threshold']+' login attempts. After you have used up all '+$data['lockout_threshold']+' login attempts, you will have to enter a visual confirmation code before logging in, effective for '+$data['lockout_duration']+' minutes.'; + } + break; + case 'backend_fail': + $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. 
This is an internal problem with the site and you are encouraged to contact site administration.'; + break; + case 'locked_out': + $attempts = parseInt($data['lockout_fails']); + if ( $attempts > $data['lockout_threshold']) + $attempts = $data['lockout_threshold']; + $time_rem = $data.time_rem; + $s = ( $time_rem == 1 ) ? '' : 's'; + $errstring = "You have used up all "+$data['lockout_threshold']+" allowed login attempts. Please wait "+$time_rem+" minute"+$s+" before attempting to log in again"; + if ( $data['lockout_policy'] == 'captcha' ) + $errstring += ', or enter the visual confirmation code shown above in the appropriate box'; + $errstring += '.'; + break; + } + return $errstring; +} function ajaxPromptAdminAuth(call_on_ok, level) { @@ -320,6 +365,17 @@ var title = ( level > USER_LEVEL_MEMBER ) ? 'You are requesting a sensitive operation.' : 'Please enter your username and password to continue.'; ajax_auth_mb_cache = new messagebox(MB_OKCANCEL|MB_ICONLOCK, title, loading_win); ajax_auth_mb_cache.onbeforeclick['OK'] = ajaxValidateLogin; + ajax_auth_mb_cache.onbeforeclick['Cancel'] = function() + { + if ( document.getElementById('autoCaptcha') ) + { + var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); + setTimeout(function() { + var d = document.getElementById('autoCaptcha'); + d.parentNode.removeChild(d); + }, to); + } + } ajaxAuthLoginInnerSetup(); } @@ -335,6 +391,20 @@ return false; } response = parseJSON(response); + var disable_controls = false; + if ( response.locked_out && !ajax_auth_error_string ) + { + response.error = 'locked_out'; + ajax_auth_error_string = ajaxAuthErrorToString(response); + if ( response.lockout_policy == 'captcha' ) + { + ajax_auth_show_captcha = response.captcha; + } + else + { + disable_controls = true; + } + } var level = ajax_auth_level_cache; var form_html = ''; var shown_error = false; @@ -348,14 +418,28 @@ { form_html += 'Please re-enter your login details, to verify your identity.
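Review bot: In the `locked_out` case of ajaxAuthErrorToString, `$attempts`, `$time_rem` and `$s` are assigned without `var`, so they become globals shared with every other script on the page. `$attempts` is also clamped to the threshold but never used in the message. Declaring them locally, e.g. `var $time_rem = $data.time_rem;`, and dropping the unused `$attempts` lines would fix both. Unknown error codes fall through the switch and are returned verbatim from `$data.error`; where the string is rendered is outside this hunk, so it should be escaped there if it is inserted as HTML.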

'; } + if ( ajax_auth_show_captcha ) + { + var captcha_html = ' \ + \ + Code in image: \ + \ + '; + } + else + { + var captcha_html = ''; + } + var disableme = ( disable_controls ) ? 'disabled="disabled" ' : ''; form_html += ' \ \ \ - \ \ - \ + ' + captcha_html + ' \ \ ([\s]*?)<\/tr>#is', '', $result); - $result = preg_replace('#

([\s]*?)<\/p>#is', '', $result); - $result = preg_replace('#
([\s]*?)

"; - } elseif(!$val && $warn) { - if($cv) $color='FFFFCC'; else $color='FFFFAA'; - echo ""; - $warned = true; - } else { - if($cv) $color='FFCCCC'; else $color='FFAAAA'; - echo ""; - $failed = true; - } -} -function is_apache() { $r = strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') ? true : false; return $r; } - -require_once('includes/template.php'); - -if(!isset($_GET['mode'])) $_GET['mode'] = 'welcome'; -switch($_GET['mode']) -{ - case 'mysql_test': - error_reporting(0); - $dbhost = rawurldecode($_POST['host']); - $dbname = rawurldecode($_POST['name']); - $dbuser = rawurldecode($_POST['user']); - $dbpass = rawurldecode($_POST['pass']); - $dbrootuser = rawurldecode($_POST['root_user']); - $dbrootpass = rawurldecode($_POST['root_pass']); - if($dbrootuser != '') - { - $conn = mysql_connect($dbhost, $dbrootuser, $dbrootpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - die('root'.$e); - } - $rsp = 'good'; - $q = mysql_query('USE '.$dbname, $conn); - if(!$q) - { - $e = mysql_error(); - if(strstr($e, 'Unknown database')) - { - $rsp .= '_creating_db'; - } - } - mysql_close($conn); - $conn = mysql_connect($dbhost, $dbuser, $dbpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - $rsp .= '_creating_user'; - } - mysql_close($conn); - die($rsp); - } - else - { - $conn = mysql_connect($dbhost, $dbuser, $dbpass); - if(!$conn) - { - $e = mysql_error(); - if(strstr($e, "Lost connection")) - die('host'.$e); - else - die('auth'.$e); - } - $q = mysql_query('USE '.$dbname, $conn); - if(!$q) - { - $e = mysql_error(); - if(strstr($e, 'Unknown database')) - { - die('name'.$e); - } - else - { - die('perm'.$e); - } - } - } - $v = mysql_get_server_info(); - if(version_compare($v, '4.1.17', '<')) die('vers'.$v); - mysql_close($conn); - die('good'); - break; - case 'pophelp': - $topic = ( isset($_GET['topic']) ) ? 
$_GET['topic'] : 'invalid'; - switch($topic) - { - case 'admin_embed_php': - $title = 'Allow administrators to embed PHP'; - $content = '

This option allows you to control whether anything between the standard <?php and ?> tags will be treated as - PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will - execute that code when the page is loaded. There are obvious potential security implications here, which should - be carefully considered before enabling this option.

-

If you are the only administrator of this site, or if you have a high level of trust for those will be administering - the site with you, you should enable this to allow extreme customization of pages.

-

Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding - is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to - embed Javascript and arbitrary HTML and CSS.

-

If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time - using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection.

'; - break; - default: - $title = 'Invalid topic'; - $content = 'Invalid help topic.'; - break; - } - echo << - - - Enano installation quick help • {$title} - - - - -

{$title}

- {$content} -

- Close window -

- - -EOF; - exit; - break; - default: - break; -} - -$template = new template_nodb(); -$template->load_theme('oxygen', 'bleu', false); - -$modestrings = Array( - 'welcome' => 'Welcome', - 'license' => 'License Agreement', - 'sysreqs' => 'Server requirements', - 'database'=> 'Database information', - 'website' => 'Website configuration', - 'login' => 'Administration login', - 'confirm' => 'Confirm installation', - 'install' => 'Database installation', - 'finish' => 'Installation complete' - ); - -$sideinfo = ''; -$vars = $template->extract_vars('elements.tpl'); -$p = $template->makeParserText($vars['sidebar_button']); -foreach ( $modestrings as $id => $str ) -{ - if ( $_GET['mode'] == $id ) - { - $flags = 'style="font-weight: bold; text-decoration: underline;"'; - $this_page = $str; - } - else - { - $flags = ''; - } - $p->assign_vars(Array( - 'HREF' => '#', - 'FLAGS' => $flags . ' onclick="return false;"', - 'TEXT' => $str - )); - $sideinfo .= $p->run(); -} - -$template->init_vars(); - -if(isset($_GET['mode']) && $_GET['mode'] == 'css') -{ - header('Content-type: text/css'); - echo $template->get_css(); - exit; -} - -$template->header(); -if(!isset($_GET['mode'])) $_GET['mode'] = 'license'; -switch($_GET['mode']) -{ - default: - case 'welcome': - ?> -
- [ Enano CMS Project logo ] -

Welcome to Enano

-

version 1.0.2 – stable
- also affectionately known as "coblynau" :)

- You are about to install a NIGHTLY BUILD of Enano.
Nightly builds are NOT upgradeable and may contain serious flaws, security problems, or extraneous debugging information. Installing this version of Enano on a production site is NOT recommended.
'; - } - ?> -
- - - - -

Welcome to the Enano installer.

-

Thank you for choosing Enano as your CMS. You've selected the finest in design, the strongest in security, and the latest in Web 2.0 toys. Trust us, you'll like it.

-

To get started, please read and accept the following license agreement. You've probably seen it before.

-
-

GNU General Public License

-

Declaration of license usage

-

Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

-

This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.

-

By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.

-

Human-readable version

-

Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.

-
    -
  • You may to run Enano for any purpose.
  • -
  • You may study how Enano works and adapt it to your needs.
  • -
  • You may redistribute copies so you can help your neighbor.
  • -
  • You may improve Enano and release your improvements to the public, so that the whole community benefits.
  • -
-

You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:

-
    -
  • You must conspicuously and appropriately publish on each copy distributed an appropriate copyright notice and disclaimer of warranty and keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of Enano a copy of the GNU General Public License along with Enano. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • -
  • If you modify your copy or copies of Enano or any portion of it, or develop a program based upon it, you may distribute the resulting work provided you do so under the GNU General Public License. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • -
  • If you copy or distribute Enano, you must accompany it with the complete corresponding machine-readable source code or with a written offer, valid for at least three years, to furnish the complete corresponding machine-readable source code.
  • -
-

Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page

- -

Notice for prerelease versions

-

This version of Enano is designed only for testing and evaluation purposes. It is not yet completely stable, and should not be used on production websites. As with any Enano version, Dan Fuhry and the Enano team cannot be responsible for any damage, physical or otherwise, to any property as a result of the use of Enano. While security is a number one priority, sometimes things slip through.

- -

Lawyer-readable version

- -
-
Username: \ + Username: \
Password: \ + Password: \
\
Trouble logging in? Try the full login form.
'; @@ -383,8 +467,21 @@ { $('ajaxlogin_user').object.focus(); } - $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; - $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + if ( ajax_auth_show_captcha ) + { + $('ajaxlogin_captcha_code').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_captcha_code').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + else + { + $('ajaxlogin_pass').object.onblur = function(e) { if ( !shift ) $('messageBox').object.nextSibling.firstChild.focus(); }; + $('ajaxlogin_pass').object.onkeypress = function(e) { if ( !e && IE ) return true; if ( e.keyCode == 13 ) $('messageBox').object.nextSibling.firstChild.click(); }; + } + if ( disable_controls ) + { + var panel = document.getElementById('messageBoxButtons'); + panel.firstChild.disabled = true; + } /* ## This causes the background image to disappear under Fx 2 if ( shown_error ) @@ -398,6 +495,11 @@ fader.start(); } */ + if ( ajax_auth_show_captcha ) + { + ajaxShowCaptcha(ajax_auth_show_captcha); + ajax_auth_show_captcha = false; + } } }); } @@ -412,6 +514,15 @@ password = document.getElementById('ajaxlogin_pass').value; auth_enabled = false; + if ( document.getElementById('autoCaptcha') ) + { + var to = fly_out_top(document.getElementById('autoCaptcha'), false, true); + setTimeout(function() { + var d = document.getElementById('autoCaptcha'); + d.parentNode.removeChild(d); + }, to); + } + disableJSONExts(); // 
@@ -467,6 +578,12 @@ 'level' : ajax_auth_level_cache }; + if ( document.getElementById('ajaxlogin_captcha_hash') ) + { + json_data.captcha_hash = document.getElementById('ajaxlogin_captcha_hash').value; + json_data.captcha_code = document.getElementById('ajaxlogin_captcha_code').value; + } + json_data = toJSONString(json_data); json_data = encodeURIComponent(json_data); @@ -509,18 +626,23 @@ } break; case 'error': - if ( response.error == 'The username and/or password is incorrect.' ) + if ( response.data.error == 'invalid_credentials' || response.data.error == 'locked_out' ) { - ajax_auth_error_string = response.error; + ajax_auth_error_string = ajaxAuthErrorToString(response.data); mb_current_obj.updateContent(''); document.getElementById('messageBox').style.backgroundColor = '#C0C0C0'; var mb_parent = document.getElementById('messageBox').parentNode; new Spry.Effect.Shake(mb_parent, {duration: 1500}).start(); setTimeout("document.getElementById('messageBox').style.backgroundColor = '#FFF'; ajaxAuthLoginInnerSetup();", 2500); + + if ( response.data.lockout_policy == 'captcha' && response.data.error == 'locked_out' ) + { + ajax_auth_show_captcha = response.captcha; + } } else { - alert(response.error); + ajax_auth_error_string = ajaxAuthErrorToString(response.data); ajaxAuthLoginInnerSetup(); } break; diff -r 8e2fffc5c622 -r 473cc747022a includes/comment.php --- a/includes/comment.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/comment.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a includes/common.php --- a/includes/common.php Tue Oct 23 12:30:08 2007 -0400 
+++ b/includes/common.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -23,7 +23,7 @@ exit; } -$version = '1.0.2'; +$version = '1.1.1'; function microtime_float() { @@ -68,9 +68,6 @@ if ( file_exists( ENANO_ROOT . '/_nightly.php') ) require(ENANO_ROOT.'/_nightly.php'); -// List of scheduled tasks -$cron_tasks = array(); - // Start including files. LOTS of files. Yeah! require_once(ENANO_ROOT.'/includes/constants.php'); dc_here('Enano CMS '.$version.' (dev) - debug window
Powered by debugConsole'); diff -r 8e2fffc5c622 -r 473cc747022a includes/constants.php --- a/includes/constants.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/constants.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * constants.php - important defines used Enano-wide * @@ -70,7 +70,7 @@ define('MAX_PMS_PER_BATCH', 7); // The maximum number of users that users can send PMs to in one go; restriction does not apply to users with mod_misc rights define('SEARCH_RESULTS_PER_PAGE', 10); define('MYSQL_MAX_PACKET_SIZE', 1048576); // 1MB; this is the default in MySQL 4.x I think -define('SEARCH_MODE', 'FULLTEXT'); // Can be FULLTEXT or BUILTIN +define('SEARCH_MODE', 'BUILTIN'); // Can be FULLTEXT or BUILTIN // Sidebar diff -r 8e2fffc5c622 -r 473cc747022a includes/dbal.php --- a/includes/dbal.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/dbal.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a includes/email.php --- a/includes/email.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/email.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a includes/functions.php 
--- a/includes/functions.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/functions.php Fri Oct 26 19:28:54 2007 -0400 @@ -2796,7 +2796,7 @@ $strip_tags = implode('|', $strip_tags); // Strip out the tags and replace with placeholders - preg_match_all("#<($strip_tags)([ ]+.*?)?>(.*?)#is", $html, $matches); + preg_match_all("#<($strip_tags)(.*?)>(.*?)#is", $html, $matches); $seed = md5(microtime() . mt_rand()); // Random value used for placeholders for ($i = 0;$i < sizeof($matches[1]); $i++) { @@ -2804,7 +2804,7 @@ } // Optimize (but don't obfuscate) Javascript - preg_match_all('/(.*?)(\]\]>)?<\/script>/is', $html, $jscript); + preg_match_all('/(.+?)<\/script>/is', $html, $jscript); // list of Javascript reserved words - from about.com $reserved_words = array('abstract', 'as', 'boolean', 'break', 'byte', 'case', 'catch', 'char', 'class', 'continue', 'const', 'debugger', 'default', 'delete', 'do', @@ -2819,8 +2819,6 @@ { $js =& $jscript[2][$i]; - // echo('
' . "-----------------------------------------------------------------------------\n" . htmlspecialchars($js) . '
'); - // for line optimization, explode it $particles = explode("\n", $js); @@ -3168,20 +3166,6 @@ return $score; } -/** - * Registers a task that will be run every X hours. Scheduled tasks should always be scheduled at runtime - they are not stored in the DB. - * @param string Function name to call, or array(object, string method) - * @param int Interval between runs, in hours. Defaults to 24. - */ - -function register_cron_task($func, $hour_interval = 24) -{ - global $cron_tasks; - if ( !isset($cron_tasks[$hour_interval]) ) - $cron_tasks[$hour_interval] = array(); - $cron_tasks[$hour_interval][] = $func; -} - //die('
Original:  01010101010100101010100101010101011010'."\nProcessed: ".uncompress_bitfield(compress_bitfield('01010101010100101010100101010101011010')).'
'); ?> diff -r 8e2fffc5c622 -r 473cc747022a includes/graphs.php --- a/includes/graphs.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/graphs.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a includes/js-compressor.php --- a/includes/js-compressor.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/js-compressor.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * Javascript compression library - used to compact the client-side Javascript code (all 72KB of it!) to save some bandwidth * diff -r 8e2fffc5c622 -r 473cc747022a includes/pageprocess.php --- a/includes/pageprocess.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/pageprocess.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * pageprocess.php - intelligent retrieval of pages * Copyright (C) 2006-2007 Dan Fuhry * diff -r 8e2fffc5c622 -r 473cc747022a includes/pageutils.php --- a/includes/pageutils.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/pageutils.php Fri Oct 26 19:28:54 2007 -0400 @@ -1,7 +1,8 @@ 'face-plain.png', ':joke:' => 'face-plain.png', ']:->' => 'face-devil-grin.png', - ']:->' => 'face-devil-grin.png', ':kiss:' => 'face-kiss.png', ':-P' => 'face-tongue-out.png', ':P' => 'face-tongue-out.png', diff -r 8e2fffc5c622 -r 473cc747022a includes/search.php 
--- a/includes/search.php Tue Oct 23 12:30:08 2007 -0400
+++ b/includes/search.php Fri Oct 26 19:28:54 2007 -0400
@@ -2,7 +2,7 @@
 /*
 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
- * Version 1.0.2 (Coblynau)
+ * Version 1.1.1
 * Copyright (C) 2006-2007 Dan Fuhry
 * search.php - algorithm used to search pages
 *
diff -r 8e2fffc5c622 -r 473cc747022a includes/sessions.php
--- a/includes/sessions.php Tue Oct 23 12:30:08 2007 -0400
+++ b/includes/sessions.php Fri Oct 26 19:28:54 2007 -0400
@@ -547,14 +547,55 @@
 * @param string $aes_key The MD5 hash of the encryption key, hex-encoded
 * @param string $challenge The 256-bit MD5 challenge string - first 128 bits should be the hash, the last 128 should be the challenge salt
 * @param int $level The privilege level we're authenticating for, defaults to 0
+ * @param array $captcha_hash Optional. If we're locked out and the lockout policy is captcha, this should be the identifier for the code.
+ * @param array $captcha_code Optional. If we're locked out and the lockout policy is captcha, this should be the code the user entered.
 * @return string 'success' on success, or error string on failure
 */
- function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER)
+ function login_with_crypto($username, $aes_data, $aes_key, $challenge, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false)
 {
 global $db, $session, $paths, $template, $plugins; // Common objects
 $privcache = $this->private_key;
+
+ if ( !defined('IN_ENANO_INSTALL') )
+ {
+ // Lockout stuff
+ $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+ $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+ // convert to minutes
+ $duration = $duration * 60;
+ $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+ if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+ {
+ // policy is captcha -- check if it's correct, and if so, bypass lockout check
+ $real_code = $this->get_captcha($captcha_hash);
+ }
+ if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ $timestamp_cutoff = time() - $duration;
+ $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ $fails = $db->numrows();
+ if ( $fails >= $threshold )
+ {
+ // ooh boy, somebody's in trouble ;-)
+ $row = $db->fetchrow();
+ $db->free_result();
+ return array(
+ 'success' => false,
+ 'error' => 'locked_out',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy,
+ 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),
+ 'lockout_last_time' => $row['timestamp']
+ );
+ }
+ $db->free_result();
+ }
+ }
 // Instanciate the Rijndael encryption object
 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
@@ -563,13 +604,19 @@
 $aes_key = $this->fetch_public_key($aes_key);
 if(!$aes_key)
- return 'Couldn\'t look up public key "'.$aes_key.'" for decryption';
+ return array(
+ 'success' => false,
+ 'error' => 'key_not_found'
+ );
 // Convert the key to a binary string
 $bin_key = hexdecode($aes_key);
 if(strlen($bin_key) != AES_BITS / 8)
- return 'The decryption key is the wrong length';
+ return array(
+ 'success' => false,
+ 'error' => 'key_wrong_length'
+ );
 // Decrypt our password
 $password = $aes->decrypt($aes_data, $bin_key, ENC_HEX);
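Review bot: The captcha bypass in the lockout block added to login_with_crypto compares with loose equality, `$real_code == $captcha_code`, so two numeric-looking strings that differ textually can still compare equal; `(string) $real_code === (string) $captcha_code` avoids that. What get_captcha() returns for an unknown or already used identifier is not visible here, so the check should also reject an empty or false `$real_code` explicitly, and the code should be invalidated after one attempt if it is not single-use already. The comment `// convert to minutes` above `$duration = $duration * 60;` should read `// convert minutes to seconds`, and the docblock should type `$captcha_hash` and `$captcha_code` as `string|false` rather than `array`. The function body continues outside this hunk.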
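Review bot: These early returns now hand back arrays, but the docblock of login_with_crypto shown in the previous hunk still says `@return string 'success' on success, or error string on failure`. I would change it to `@return array 'success' => bool, plus 'error' (a short code such as 'key_not_found') and the lockout_* fields on failure`. Callers are not part of these hunks; any caller that still compares the result with the string 'success' would treat every login as failed, so they are worth checking alongside this change.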
@@ -590,7 +637,29 @@
 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
 else
 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return "The username and/or password is incorrect.";
+
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ // ooh boy, somebody's in trouble ;-)
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
 }
 $row = $db->fetchrow();
@@ -641,7 +710,10 @@
 if($success)
 {
 if($level > $row['user_level'])
- return 'You are not authorized for this level of access.';
+ return array(
+ 'success' => false,
+ 'error' => 'too_big_for_britches'
+ );
 $sess = $this->register_session(intval($row['user_id']), $username, $password, $level);
 if($sess)
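Review bot: `$fails++` in the added failure branch relies on `$fails` having been set by the lockout pre-check, and that pre-check, as written in the -547 hunk, is skipped entirely when a correct captcha is supplied. In that case `$fails` is unset here, so the response reports `lockout_fails` as 1 and `invalid_credentials` no matter how many failures the address already has. Running the count query unconditionally and letting a valid captcha suppress only the early `locked_out` return would keep the counter accurate; at minimum add `$fails = 0;` before the pre-check. The same applies to the matching branches in the hunks at -673, -707 and -791. `$policy` is likewise undefined when IN_ENANO_INSTALL is defined, so the guard is better ordered as `if ( !defined('IN_ENANO_INSTALL') && $policy != 'disable' )`.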
@@ -661,10 +733,15 @@
 {
 eval($cmd);
 }
- return 'success';
+ return array(
+ 'success' => true
+ );
 }
 else
- return 'Your login credentials were correct, but an internal error occurred while registering the session key in the database.';
+ return array(
+ 'success' => false,
+ 'error' => 'backend_fail'
+ );
 }
 else
 {
@@ -673,7 +750,28 @@
 else
 $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return 'The username and/or password is incorrect.';
+ // Do we also need to increment the lockout countdown?
+ if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ // increment fail count
+ $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');');
+ $fails++;
+ return array(
+ 'success' => false,
+ 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'time_rem' => ( $duration / 60 ),
+ 'lockout_policy' => $policy
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'invalid_credentials'
+ );
 }
 }
@@ -699,6 +797,45 @@
 return $this->login_compat($username, $pass_hashed, $level);
 }
+ if ( !defined('IN_ENANO_INSTALL') )
+ {
+ // Lockout stuff
+ $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5;
+ $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15;
+ // convert to minutes
+ $duration = $duration * 60;
+ $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout';
+ if ( $policy == 'captcha' && $captcha_hash && $captcha_code )
+ {
+ // policy is captcha -- check if it's correct, and if so, bypass lockout check
+ $real_code = $this->get_captcha($captcha_hash);
+ }
+ if ( $policy != 'disable' && !( $policy == 'captcha' && isset($real_code) && $real_code == $captcha_code ) )
+ {
+ $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']);
+ $timestamp_cutoff = time() - $duration;
+ $q = $this->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;');
+ $fails = $db->numrows();
+ if ( $fails > $threshold )
+ {
+ // ooh boy, somebody's in trouble ;-)
+ $row = $db->fetchrow();
+ $db->free_result();
+ return array(
+ 'success' => false,
+ 'error' => 'locked_out',
+ 'lockout_threshold' => $threshold,
+ 'lockout_duration' => ( $duration / 60 ),
+ 'lockout_fails' => $fails,
+ 'lockout_policy' => $policy,
+ 'time_rem' => $duration - round( ( time() - $row['timestamp'] ) / 60 ),
+ 'lockout_last_time' => $row['timestamp']
+ );
+ }
+ $db->free_result();
+ }
+ }
+
 // Instanciate the Rijndael encryption object
 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
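Review bot: This copy of the lockout pre-check has drifted from the one added to login_with_crypto. It tests `$fails > $threshold` where the other uses `>=`, which permits one more attempt than the configured threshold, and it computes `time_rem` as `$duration - round(...)` although `$duration` has already been multiplied by 60 at that point. I would make the two lines `if ( $fails >= $threshold )` and `'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ),`. The block also reads `$captcha_hash` and `$captcha_code`; the enclosing function's signature is outside this hunk, so confirm they are parameters there, otherwise the captcha path can never be taken. Moving the duplicated block into one private helper would prevent this kind of drift.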
@@ -707,14 +844,35 @@ // Retrieve the real password from the database $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';'); - if ( $db->numrows() < 1 ) + if($db->numrows() < 1) { // This wasn't logged in <1.0.2, dunno how it slipped through if($level > USER_LEVEL_MEMBER) $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')'); else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - return "The username and/or password is incorrect."; + + // Do we also need to increment the lockout countdown? + if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); } $row = $db->fetchrow(); 
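Review bot: `$fails++` can run here on a variable that was never assigned. The check added in hunk -699 sets `$fails` only inside the branch that is skipped when the policy is `captcha` and the submitted code matches, so a failed login after a solved CAPTCHA reports `lockout_fails` as 1 whatever the lockout table holds. Initialising `$fails = 0;` beside `$threshold` and `$duration`, or running the count query regardless of the CAPTCHA result, would keep the reported count and the `locked_out` decision accurate. The same applies to the copy in hunk -791. This assumes both hunks sit in the same function as hunk -699, which the line numbers suggest but the hunks do not show in full.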
@@ -764,7 +922,10 @@ if($success) { if((int)$level > (int)$row['user_level']) - return 'You are not authorized for this level of access.'; + return array( + 'success' => false, + 'error' => 'too_big_for_britches' + ); $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level); if($sess) { @@ -779,10 +940,15 @@ eval($cmd); } - return 'success'; + return array( + 'success' => true + ); } else - return 'Your login credentials were correct, but an internal error occured while registering the session key in the database.'; + return array( + 'success' => false, + 'error' => 'backend_fail' + ); } else { @@ -791,7 +957,27 @@ else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')'); - return 'The username and/or password is incorrect.'; + // Do we also need to increment the lockout countdown? + if ( $policy != 'disable' && !defined('IN_ENANO_INSTALL') ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + // increment fail count + $this->sql('INSERT INTO '.table_prefix.'lockout(ipaddr, timestamp, action) VALUES(\'' . $ipaddr . '\', UNIX_TIMESTAMP(), \'credential\');'); + $fails++; + return array( + 'success' => false, + 'error' => ( $fails >= $threshold ) ? 'locked_out' : 'invalid_credentials', + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy + ); + } + + return array( + 'success' => false, + 'error' => 'invalid_credentials' + ); } } diff -r 8e2fffc5c622 -r 473cc747022a includes/stats.php --- a/includes/stats.php Tue Oct 23 12:30:08 2007 -0400 +++ b/includes/stats.php Fri Oct 26 19:28:54 2007 -0400 
@@ -1,7 +1,8 @@ setHook('template_compile_logic_keyword'); - foreach ( $code as $cmd ) - { - eval($cmd); - } + // If-else-end + $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( $this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); + + // If-end + $text = preg_replace('/(.*?)/is', '\'; if ( $this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } echo \'', $text); - $keywords = implode('|', $keywords); + // If not-else-end + $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( !$this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); - // Matches - // 1 2 3 4 56 7 8 - $regexp = '/()(.*)(()(.*))?()/isU'; - - /* - The way this works is: match all blocks using the standard form with a different keyword in the block each time, - and replace them with appropriate PHP logic. Plugin-extensible now. :-) + // If not-end + $text = preg_replace('/(.*?)/is', '\'; if ( !$this->tpl_bool[\'\\1\'] ) { echo \'\\2\'; } echo \'', $text); - The while-loop is to bypass what is apparently a PCRE bug. It's hackish but it works. Properly written plugins should only need - to compile templates (using this method) once for each time the template file is changed. 
- */ - while ( preg_match($regexp, $text) ) - { - preg_match_all($regexp, $text, $matches); - for ( $i = 0; $i < count($matches[0]); $i++ ) - { - $start_tag =& $matches[1][$i]; - $type =& $matches[2][$i]; - $test =& $matches[3][$i]; - $particle_true =& $matches[4][$i]; - $else_tag =& $matches[6][$i]; - $particle_else =& $matches[7][$i]; - $end_tag =& $matches[8][$i]; - - switch($type) - { - case 'BEGIN': - $cond = "isset(\$this->tpl_bool['$test']) && \$this->tpl_bool['$test']"; - break; - case 'BEGINNOT': - $cond = "!isset(\$this->tpl_bool['$test']) || ( isset(\$this->tpl_bool['$test']) && !\$this->tpl_bool['$test'] )"; - break; - case 'IFPLUGIN': - $cond = "getConfig('plugin_$test') == '1'"; - break; - case 'IFSET': - $cond = "isset(\$this->tpl_strings['$test'])"; - break; - default: - $code = $plugins->setHook('template_compile_logic_cond'); - foreach ( $code as $cmd ) - { - eval($cmd); - } - break; - } - - if ( !isset($cond) || ( isset($cond) && !is_string($cond) ) ) - continue; - - $tag_complete = <<(.*?)(.*?)/is', '\'; if ( isset($this->tpl_strings[\'\\1\']) ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); + + // If set-end + $text = preg_replace('/(.*?)/is', '\'; if ( isset($this->tpl_strings[\'\\1\']) ) { echo \'\\2\'; } echo \'', $text); - // For debugging ;-) - // die("
<?php\n" . htmlspecialchars($text."\n\n".print_r($matches,true)) . "\n\n?>
"); + // If plugin loaded-else-end + $text = preg_replace('/(.*?)(.*?)/is', '\'; if ( getConfig(\'plugin_\\1\') == \'1\' ) { echo \'\\2\'; } else { echo \'\\3\'; } echo \'', $text); + + // If plugin loaded-end + $text = preg_replace('/(.*?)/is', '\'; if ( getConfig(\'plugin_\\1\') == \'1\' ) { echo \'\\2\'; } echo \'', $text); // // Data substitution/variables @@ -1089,8 +1029,6 @@ $text = str_replace_once($tag, "'; $match echo '", $text); } - // echo('
' . htmlspecialchars($text) . '
'); - return $text; } @@ -1473,7 +1411,7 @@ function username_field($name, $value = false) { $randomid = md5( time() . microtime() . mt_rand() ); - $text = 'The Enano installer has found a Enano installation in this directory. You MUST delete config.php if you want to re-install Enano.

If you wish to upgrade an older Enano installation to this version, please use the upgrade script.

'); - exit; -} - -define('IN_ENANO_INSTALL', 'true'); - -define('ENANO_VERSION', '1.0.2'); -// In beta versions, define ENANO_BETA_VERSION here - -if(!defined('scriptPath')) { - $sp = dirname($_SERVER['REQUEST_URI']); - if($sp == '/' || $sp == '\\') $sp = ''; - define('scriptPath', $sp); -} - -if(!defined('contentPath')) { - $sp = dirname($_SERVER['REQUEST_URI']); - if($sp == '/' || $sp == '\\') $sp = ''; - define('contentPath', $sp); -} -global $_starttime, $this_page, $sideinfo; -$_starttime = microtime(true); - -// Determine directory (special case for development servers) -if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') ) -{ - $filename = str_replace('/repo/', '/', __FILE__); -} -else -{ - $filename = __FILE__; -} - -define('ENANO_ROOT', dirname($filename)); - -function is_page($p) -{ - return true; -} - -require('includes/wikiformat.php'); -require('includes/constants.php'); -require('includes/rijndael.php'); -require('includes/functions.php'); - -strip_magic_quotes_gpc(); - -//die('Key size: ' . AES_BITS . '
Block size: ' . AES_BLOCKSIZE); - -if(!function_exists('wikiFormat')) -{ - function wikiFormat($message, $filter_links = true) - { - $wiki = & Text_Wiki::singleton('Mediawiki'); - $wiki->setRenderConf('Xhtml', 'code', 'css_filename', 'codefilename'); - $wiki->setRenderConf('Xhtml', 'wikilink', 'view_url', contentPath); - $result = $wiki->transform($message, 'Xhtml'); - - // HTML fixes - $result = preg_replace('#
$descTest passed
$desc
$extended_desc
Test passed with warning
$desc
$extended_desc
Test failed
- - - -

Before clicking continue:
• Ensure that you agree with the terms of the license
• Have your database host, name, username, and password available

- - - -

Checking your server

-

Enano has several requirements that must be met before it can be installed. If all is good then note any warnings and click Continue below.

- - =4.3.0', 'It seems that the version of PHP that your server is running is too old to support Enano properly. If this is your server, please upgrade to the most recent version of PHP, remembering to use the --with-mysql configure option if you compile it yourself. If this is not your server, please contact your webhost and ask them if it would be possible to upgrade PHP. If this is not possible, you will need to switch to a different webhost in order to use Enano.'); - run_test('return function_exists(\'mysql_connect\');', 'MySQL extension for PHP', 'It seems that your PHP installation does not have the MySQL extension enabled. If this is your own server, you may need to just enable the "libmysql.so" extension in php.ini. If you do not have the MySQL extension installed, you will need to either use your distribution\'s package manager to install it, or you will have to compile PHP from source. If you compile PHP from source, please remember to use the "--with-mysql" configure option, and you will have to have the MySQL development files installed (they usually are). If this is not your server, please contact your hosting company and ask them to install the PHP MySQL extension.'); - run_test('return @ini_get(\'file_uploads\');', 'File upload support', 'It seems that your server does not support uploading files. Enano *requires* this functionality in order to work properly. Please ask your server administrator to set the "file_uploads" option in php.ini to "On".'); - run_test('return is_apache();', 'Apache HTTP Server', 'Apparently your server is running a web server other than Apache. Enano will work nontheless, but there are some known bugs with non-Apache servers, and the "fancy" URLs will not work properly. 
The "Standard URLs" option will be set on the website configuration page, only change it if you are absolutely certain that your server is running Apache.', true); - //run_test('return function_exists(\'finfo_file\');', 'Fileinfo PECL extension', 'The MIME magic PHP extension is used to determine the type of a file by looking for a certain "magic" string of characters inside it. This functionality is used by Enano to more effectively prevent malicious file uploads. The MIME magic option will be disabled by default.', true); - run_test('return is_writable(ENANO_ROOT.\'/config.php\');', 'Configuration file writable', 'It looks like the configuration file, config.php, is not writable. Enano needs to be able to write to this file in order to install.

If you are installing Enano on a SourceForge web site:
SourceForge mounts the web partitions read-only now, so you will need to use the project shell service to symlink config.php to a file in the /tmp/persistent directory.'); - run_test('return file_exists(\'/usr/bin/convert\');', 'ImageMagick support', 'Enano uses ImageMagick to scale images into thumbnails. Because ImageMagick was not found on your server, Enano will use the width= and height= attributes on the <img> tag to scale images. This can cause somewhat of a performance increase, but bandwidth usage will be higher, especially if you use high-resolution images on your site.

If you are sure that you have ImageMagick, you can set the location of the "convert" program using the administration panel after installation is complete.', true); - run_test('return is_writable(ENANO_ROOT.\'/cache/\');', 'Cache directory writable', 'Apparently the cache/ directory is not writable. Enano will still work, but you will not be able to cache thumbnails, meaning the server will need to re-render them each time they are requested. In some cases, this can cause a significant slowdown.', true); - run_test('return is_writable(ENANO_ROOT.\'/files/\');', 'File uploads directory writable', 'It seems that the directory where uploaded files are stored (' . ENANO_ROOT . '/files) cannot be written by the server. Enano will still function, but file uploads will not function, and will be disabled by default.', true); - echo '
'; - if(!$failed) - { - ?> - - - '; - run_test('return false;', 'Your server does not meet the requirements for Enano to run.', 'As a precaution, Enano will not install until the above requirements have been met. Contact your server administrator or hosting company and convince them to upgrade. Good luck.'); - echo '
'; - } - } - ?> - - -

Now we need some information that will allow Enano to contact your database server. Enano uses MySQL as a data storage backend, - and we need to have access to a MySQL server in order to continue.

-

If you do not have access to a MySQL server, and you are using your own server, you can download MySQL for free from - MySQL.com. Please note that, like Enano, MySQL is licensed under the GNU GPL. - If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL - or purchase a proprietary license.

- MySQL login information for this virtual appliance:

Database hostname: localhost
Database login: username "enano", password: "clurichaun" (without quotes)
Database name: enano_www1

'; - } - ?> -
- - - - - - - - - - - - - -

Database information

Database hostname
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".
Good/bad icon
Database name
The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a MySQL user with administrative rights.
Good/bad icon
Database login
These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" privileges for your database.
Good/bad icon

Optional information

Table prefix
The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).
Good/bad icon
Database administrative login
If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
Good/bad icon
MySQL versionMySQL version information will be checked when you click "Test Connection".Good/bad icon
Delete existing tables?
If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.
- -
- restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - ?> - -
- '."\n"; - } - ?> -

The next step is to enter some information about your website. You can always change this information later, using the administration panel.

- - - - - - -
Website name
The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".
Good/bad icon
Website description
This text will be shown below the name of your website.
Good/bad icon
Copyright info
This should be a one-line legal notice that will appear at the bottom of all your pages.
Good/bad icon
Wiki mode
This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.
URL scheme
Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.
name="urlscheme" value="ugly" id="ugly">
name="urlscheme" value="short" id="short">
- -
- restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - require('config.php'); - $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); - if ( isset($crypto_key) ) - { - $cryptkey = $crypto_key; - } - if(!isset($cryptkey) || ( isset($cryptkey) && strlen($cryptkey) != AES_BITS / 4) ) - { - $cryptkey = $aes->gen_readymade_key(); - $handle = @fopen(ENANO_ROOT.'/config.php', 'w'); - if(!$handle) - { - echo '

ERROR: Cannot open config.php for writing - exiting!

'; - $template->footer(); - exit; - } - fwrite($handle, ''); - fclose($handle); - } - ?> - -
- '."\n"; - } - ?> -

Next, enter your desired username and password. The account you create here will be used to administer your site.

- - - - - - - - - - - -
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
- Allow administrators to embed PHP code into pages:
- Do not under any circumstances enable this option without reading these - important security implications. - -
-    - -
If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.
- -
- - - -
- - restart the installation.'; - $template->footer(); - exit; - } - unset($_POST['_cont']); - ?> -
- '."\n"; - } - ?> -

Enano is ready to install.

-

The wizard has finished collecting information and is ready to install the database schema. Please review the information below, - and then click the button below to install the database.

-
    -
  • Database hostname:
  • -
  • Database name:
  • -
  • Database user:
  • -
  • Database password: <hidden>
  • -
  • Site name:
  • -
  • Site description:
  • -
  • Administration username:
  • -
  • Cipher strength: -bit AES
    Cipher strength is defined in the file constants.php; if you desire to change the cipher strength, you may do so and then restart installation. Unless your site is mission-critical, changing the cipher strength is not necessary.
  • -
- -
- restart the installation.'; - $template->footer(); - exit; - } - switch($_POST['urlscheme']) - { - case "ugly": - default: - $cp = scriptPath.'/index.php?title='; - break; - case "short": - $cp = scriptPath.'/index.php/'; - break; - case "tiny": - $cp = scriptPath.'/'; - break; - } - function err($t) { global $template; echo $t; $template->footer(); exit; } - - echo 'Connecting to MySQL...'; - if($_POST['db_root_user'] != '') - { - $conn = mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); - if(!$conn) err('Error connecting to MySQL: '.mysql_error()); - $q = mysql_query('USE '.$_POST['db_name']); - if(!$q) - { - $q = mysql_query('CREATE DATABASE '.$_POST['db_name']); - if(!$q) err('Error initializing database: '.mysql_error()); - } - $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'localhost\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); - if(!$q) err('Could not create the user account'); - $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'%\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); - if(!$q) err('Could not create the user account'); - mysql_close($conn); - } - $conn = mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); - if(!$conn) err('Error connecting to MySQL: '.mysql_error()); - $q = mysql_query('USE '.$_POST['db_name']); - if(!$q) err('Error selecting database: '.mysql_error()); - echo 'done!
'; - - // Are we supposed to drop any existing tables? If so, do it now - if(isset($_POST['drop_tables'])) - { - echo 'Dropping existing Enano tables...'; - // Our list of tables included in Enano - $tables = Array( 'mdg_categories', 'mdg_comments', 'mdg_config', 'mdg_logs', 'mdg_page_text', 'mdg_session_keys', 'mdg_pages', 'mdg_users', 'mdg_users_extra', 'mdg_themes', 'mdg_buddies', 'mdg_banlist', 'mdg_files', 'mdg_privmsgs', 'mdg_sidebar', 'mdg_hits', 'mdg_search_index', 'mdg_groups', 'mdg_group_members', 'mdg_acl', 'mdg_search_cache', 'mdg_tags', 'mdg_page_groups', 'mdg_page_group_members' ); - $tables = implode(', ', $tables); - $tables = str_replace('mdg_', $_POST['table_prefix'], $tables); - $query_of_death = 'DROP TABLE '.$tables.';'; - mysql_query($query_of_death); // We won't check for errors here because if this operation fails it probably means the tables didn't exist - echo 'done!
'; - } - - $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0'; - - echo 'Decrypting administration password...'; - - $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); - - if ( !empty($_POST['crypt_data']) ) - { - require('config.php'); - if ( !isset($cryptkey) ) - { - echo 'failed!
Cannot get the key from config.php'; - break; - } - $key = hexdecode($cryptkey); - - $dec = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); - - } - else - { - $dec = $_POST['admin_pass']; - } - echo 'done!
Generating '.AES_BITS.'-bit AES private key...'; - $privkey = $aes->gen_readymade_key(); - $pkba = hexdecode($privkey); - $encpass = $aes->encrypt($dec, $pkba, ENC_HEX); - - echo 'done!
Preparing for schema execution...'; - $schema = file_get_contents('schema.sql'); - $schema = str_replace('{{SITE_NAME}}', mysql_real_escape_string($_POST['sitename'] ), $schema); - $schema = str_replace('{{SITE_DESC}}', mysql_real_escape_string($_POST['sitedesc'] ), $schema); - $schema = str_replace('{{COPYRIGHT}}', mysql_real_escape_string($_POST['copyright'] ), $schema); - $schema = str_replace('{{ADMIN_USER}}', mysql_real_escape_string($_POST['admin_user'] ), $schema); - $schema = str_replace('{{ADMIN_PASS}}', mysql_real_escape_string($encpass ), $schema); - $schema = str_replace('{{ADMIN_EMAIL}}', mysql_real_escape_string($_POST['admin_email']), $schema); - $schema = str_replace('{{ENABLE_CACHE}}', mysql_real_escape_string($cacheonoff ), $schema); - $schema = str_replace('{{REAL_NAME}}', '', $schema); - $schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema); - $schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema); - $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema); - // Not anymore!! :-D - // $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema); - - if(isset($_POST['wiki_mode'])) - { - $schema = str_replace('{{WIKI_MODE}}', '1', $schema); - } - else - { - $schema = str_replace('{{WIKI_MODE}}', '0', $schema); - } - - // Build an array of queries - $schema = explode("\n", $schema); - - foreach ( $schema as $i => $sql ) - { - $query =& $schema[$i]; - $t = trim($query); - if ( empty($t) || preg_match('/^(\#|--)/i', $t) ) - { - unset($schema[$i]); - unset($query); - } - } - - $schema = array_values($schema); - $schema = implode("\n", $schema); - $schema = explode(";\n", $schema); - - foreach ( $schema as $i => $sql ) - { - $query =& $schema[$i]; - if ( substr($query, ( strlen($query) - 1 ), 1 ) != ';' ) - { - $query .= ';'; - } - } - - // echo '
' . htmlspecialchars(print_r($schema, true)) . '
'; - // break; - - echo 'done!
Executing schema.sql...'; - - // OK, do the loop, baby!!! - foreach($schema as $q) - { - $r = mysql_query($q, $conn); - if(!$r) err('Error during mainstream installation: '.mysql_error()); - } - - echo 'done!
Writing configuration files...'; - if($_POST['urlscheme']=='tiny') - { - $ht = fopen(ENANO_ROOT.'/.htaccess', 'a+'); - if(!$ht) err('Error opening file .htaccess for writing'); - fwrite($ht, ' -RewriteEngine on -RewriteCond %{REQUEST_FILENAME} !-d -RewriteCond %{REQUEST_FILENAME} !-f -RewriteRule ^(.+) '.scriptPath.'/index.php?title=$1 [L,QSA] -RewriteRule \.(php|html|gif|jpg|png|css|js)$ - [L] -'); - fclose($ht); - } - - $config_file = ''; - - $cf_handle = fopen(ENANO_ROOT.'/config.php', 'w'); - if(!$cf_handle) err('Couldn\'t open file config.php for writing'); - fwrite($cf_handle, $config_file); - fclose($cf_handle); - - echo 'done!
Starting the Enano API...'; - - $template_bak = $template; - - // Get Enano loaded - $_GET['title'] = 'Main_Page'; - require('includes/common.php'); - - // We need to be logged in (with admin rights) before logs can be flushed - $session->login_without_crypto($_POST['admin_user'], $dec, false); - - // Now that login cookies are set, initialize the session manager and ACLs - $session->start(); - $paths->init(); - - unset($template); - $template =& $template_bak; - - echo 'done!
Initializing logs...'; - - $q = $db->sql_query('INSERT INTO ' . $_POST['table_prefix'] . 'logs(log_type,action,time_id,date_string,author,page_text,edit_summary) VALUES(\'security\', \'install_enano\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . mysql_real_escape_string($_POST['admin_user']) . '\', \'' . mysql_real_escape_string(ENANO_VERSION) . '\', \'' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '\');', $conn); - if ( !$q ) - err('Error setting up logs: '.$db->get_error()); - - if ( !$session->get_permissions('clear_logs') ) - { - echo '
Error: session manager won\'t permit flushing logs, these is a bug.'; - break; - } - - // unset($session); - // $session = new sessionManager(); - // $session->start(); - - PageUtils::flushlogs('Main_Page', 'Article'); - - echo 'done!

Installation of Enano is complete.

Review any warnings above, and then click here to finish the installation.'; - - // echo ''; - - break; - case "finish": - echo '

Congratulations!

-

You have finished installing Enano on this server.

-

Now what?

-

Click the link below to see the main page for your website. Where to go from here:

-
    -
  • The first thing you should do is log into your site using the Log in link on the sidebar.
  • -
  • Go into the Administration panel, expand General, and click General Configuration. There you will be able to configure some basic information about your site.
  • -
  • Visit the Enano Plugin Gallery to download and use plugins on your site.
  • -
  • Periodically create a backup of your database and filesystem, in case something goes wrong. This should be done at least once a week – more for wiki-based sites.
  • -
  • Hire some moderators, to help you keep rowdy users tame.
  • -
  • Tell the Enano team what you think.
  • -
  • Spread the word about Enano by adding a link to the Enano homepage on your sidebar! You can enable this option in the General Configuration section of the administration panel.
  • -
-

Go to your website...

'; - break; -} -$template->footer(); - -?> +The Enano installer has found a Enano installation in this directory. You MUST delete config.php if you want to re-install Enano.

If you wish to upgrade an older Enano installation to this version, please use the upgrade script.

'); + exit; +} + +define('IN_ENANO_INSTALL', 'true'); + +define('ENANO_VERSION', '1.1.1'); +// In beta versions, define ENANO_BETA_VERSION here + +if(!defined('scriptPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('scriptPath', $sp); +} + +if(!defined('contentPath')) { + $sp = dirname($_SERVER['REQUEST_URI']); + if($sp == '/' || $sp == '\\') $sp = ''; + define('contentPath', $sp); +} +global $_starttime, $this_page, $sideinfo; +$_starttime = microtime(true); + +// Determine directory (special case for development servers) +if ( strpos(__FILE__, '/repo/') && file_exists('.enanodev') ) +{ + $filename = str_replace('/repo/', '/', __FILE__); +} +else +{ + $filename = __FILE__; +} + +define('ENANO_ROOT', dirname($filename)); + +function is_page($p) +{ + return true; +} + +require('includes/wikiformat.php'); +require('includes/constants.php'); +require('includes/rijndael.php'); +require('includes/functions.php'); + +strip_magic_quotes_gpc(); + +//die('Key size: ' . AES_BITS . '
Block size: ' . AES_BLOCKSIZE); + +if(!function_exists('wikiFormat')) +{ + function wikiFormat($message, $filter_links = true) + { + $wiki = & Text_Wiki::singleton('Mediawiki'); + $wiki->setRenderConf('Xhtml', 'code', 'css_filename', 'codefilename'); + $wiki->setRenderConf('Xhtml', 'wikilink', 'view_url', contentPath); + $result = $wiki->transform($message, 'Xhtml'); + + // HTML fixes + $result = preg_replace('#([\s]*?)<\/tr>#is', '', $result); + $result = preg_replace('#

([\s]*?)<\/p>#is', '', $result); + $result = preg_replace('#
([\s]*?)$descTest passed"; + } elseif(!$val && $warn) { + if($cv) $color='FFFFCC'; else $color='FFFFAA'; + echo "$desc
$extended_descTest passed with warning"; + $warned = true; + } else { + if($cv) $color='FFCCCC'; else $color='FFAAAA'; + echo "$desc
$extended_descTest failed"; + $failed = true; + } +} +function is_apache() { $r = strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') ? true : false; return $r; } + +require_once('includes/template.php'); + +if(!isset($_GET['mode'])) $_GET['mode'] = 'welcome'; +switch($_GET['mode']) +{ + case 'mysql_test': + error_reporting(0); + $dbhost = rawurldecode($_POST['host']); + $dbname = rawurldecode($_POST['name']); + $dbuser = rawurldecode($_POST['user']); + $dbpass = rawurldecode($_POST['pass']); + $dbrootuser = rawurldecode($_POST['root_user']); + $dbrootpass = rawurldecode($_POST['root_pass']); + if($dbrootuser != '') + { + $conn = mysql_connect($dbhost, $dbrootuser, $dbrootpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + die('root'.$e); + } + $rsp = 'good'; + $q = mysql_query('USE '.$dbname, $conn); + if(!$q) + { + $e = mysql_error(); + if(strstr($e, 'Unknown database')) + { + $rsp .= '_creating_db'; + } + } + mysql_close($conn); + $conn = mysql_connect($dbhost, $dbuser, $dbpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + $rsp .= '_creating_user'; + } + mysql_close($conn); + die($rsp); + } + else + { + $conn = mysql_connect($dbhost, $dbuser, $dbpass); + if(!$conn) + { + $e = mysql_error(); + if(strstr($e, "Lost connection")) + die('host'.$e); + else + die('auth'.$e); + } + $q = mysql_query('USE '.$dbname, $conn); + if(!$q) + { + $e = mysql_error(); + if(strstr($e, 'Unknown database')) + { + die('name'.$e); + } + else + { + die('perm'.$e); + } + } + } + $v = mysql_get_server_info(); + if(version_compare($v, '4.1.17', '<')) die('vers'.$v); + mysql_close($conn); + die('good'); + break; + case 'pophelp': + $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid'; + switch($topic) + { + case 'admin_embed_php': + $title = 'Allow administrators to embed PHP'; + $content = '

This option allows you to control whether anything between the standard <?php and ?> tags will be treated as + PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will + execute that code when the page is loaded. There are obvious potential security implications here, which should + be carefully considered before enabling this option.

+

If you are the only administrator of this site, or if you have a high level of trust for those will be administering + the site with you, you should enable this to allow extreme customization of pages.

+

Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding + is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to + embed Javascript and arbitrary HTML and CSS.

+

If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time + using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection.

'; + break; + default: + $title = 'Invalid topic'; + $content = 'Invalid help topic.'; + break; + } + echo << + + + Enano installation quick help • {$title} + + + + +

{$title}

+ {$content} +

+ Close window +

+ + +EOF; + exit; + break; + default: + break; +} + +$template = new template_nodb(); +$template->load_theme('stpatty', 'shamrock', false); + +$modestrings = Array( + 'welcome' => 'Welcome', + 'license' => 'License Agreement', + 'sysreqs' => 'Server requirements', + 'database'=> 'Database information', + 'website' => 'Website configuration', + 'login' => 'Administration login', + 'confirm' => 'Confirm installation', + 'install' => 'Database installation', + 'finish' => 'Installation complete' + ); + +$sideinfo = ''; +$vars = $template->extract_vars('elements.tpl'); +$p = $template->makeParserText($vars['sidebar_button']); +foreach ( $modestrings as $id => $str ) +{ + if ( $_GET['mode'] == $id ) + { + $flags = 'style="font-weight: bold; text-decoration: underline;"'; + $this_page = $str; + } + else + { + $flags = ''; + } + $p->assign_vars(Array( + 'HREF' => '#', + 'FLAGS' => $flags . ' onclick="return false;"', + 'TEXT' => $str + )); + $sideinfo .= $p->run(); +} + +$template->init_vars(); + +if(isset($_GET['mode']) && $_GET['mode'] == 'css') +{ + header('Content-type: text/css'); + echo $template->get_css(); + exit; +} + +$template->header(); +if(!isset($_GET['mode'])) $_GET['mode'] = 'license'; +switch($_GET['mode']) +{ + default: + case 'welcome': + ?> +
+ [ Enano CMS Project logo ] +

Welcome to Enano

+

version 1.1.1 – unstable

+ You are about to install a NIGHTLY BUILD of Enano.
Nightly builds are NOT upgradeable and may contain serious flaws, security problems, or extraneous debugging information. Installing this version of Enano on a production site is NOT recommended.
'; + } + ?> +
+ +
+ + +

Welcome to the Enano installer.

+

Thank you for choosing Enano as your CMS. You've selected the finest in design, the strongest in security, and the latest in Web 2.0 toys. Trust us, you'll like it.

+

To get started, please read and accept the following license agreement. You've probably seen it before.

+
+

GNU General Public License

+

Declaration of license usage

+

Enano is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

+

This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License (below) for more details.

+

By clicking the button below or otherwise continuing the installation, you indicate your acceptance of this license agreement.

+

Human-readable version

+

Enano is distributed under certain licensing terms that we believe make it of the greatest possible use to the public. The license we distribute it under, the GNU General Public License, provides certain terms and conditions that, rather than limit your use of Enano, allow you to get the most out of it. If you would like to read the full text, it can be found below. Here is a human-readable version that we think is a little easier to understand.

+
    +
  • You may to run Enano for any purpose.
  • +
  • You may study how Enano works and adapt it to your needs.
  • +
  • You may redistribute copies so you can help your neighbor.
  • +
  • You may improve Enano and release your improvements to the public, so that the whole community benefits.
  • +
+

You may exercise the freedoms specified here provided that you comply with the express conditions of this license. The principal conditions are:

+
    +
  • You must conspicuously and appropriately publish on each copy distributed an appropriate copyright notice and disclaimer of warranty and keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of Enano a copy of the GNU General Public License along with Enano. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • +
  • If you modify your copy or copies of Enano or any portion of it, or develop a program based upon it, you may distribute the resulting work provided you do so under the GNU General Public License. Any translation of the GNU General Public License must be accompanied by the GNU General Public License.
  • +
  • If you copy or distribute Enano, you must accompany it with the complete corresponding machine-readable source code or with a written offer, valid for at least three years, to furnish the complete corresponding machine-readable source code.
  • +
+

Disclaimer: The above text is not a license. It is simply a handy reference for understanding the Legal Code (the full license) – it is a human-readable expression of some of its key terms. Think of it as the user-friendly interface to the Legal Code beneath. The above text itself has no legal value, and its contents do not appear in the actual license.
Text copied from the Creative Commons GPL Deed page

+ +

Notice for prerelease versions

+

This version of Enano is designed only for testing and evaluation purposes. It is not yet completely stable, and should not be used on production websites. As with any Enano version, Dan Fuhry and the Enano team cannot be responsible for any damage, physical or otherwise, to any property as a result of the use of Enano. While security is a number one priority, sometimes things slip through.

+ +

Lawyer-readable version

+ +
+ + +

Checking your server

+

Enano has several requirements that must be met before it can be installed. If all is good then note any warnings and click Continue below.

+ + =4.3.0', 'It seems that the version of PHP that your server is running is too old to support Enano properly. If this is your server, please upgrade to the most recent version of PHP, remembering to use the --with-mysql configure option if you compile it yourself. If this is not your server, please contact your webhost and ask them if it would be possible to upgrade PHP. If this is not possible, you will need to switch to a different webhost in order to use Enano.'); + run_test('return function_exists(\'mysql_connect\');', 'MySQL extension for PHP', 'It seems that your PHP installation does not have the MySQL extension enabled. If this is your own server, you may need to just enable the "libmysql.so" extension in php.ini. If you do not have the MySQL extension installed, you will need to either use your distribution\'s package manager to install it, or you will have to compile PHP from source. If you compile PHP from source, please remember to use the "--with-mysql" configure option, and you will have to have the MySQL development files installed (they usually are). If this is not your server, please contact your hosting company and ask them to install the PHP MySQL extension.'); + run_test('return @ini_get(\'file_uploads\');', 'File upload support', 'It seems that your server does not support uploading files. Enano *requires* this functionality in order to work properly. Please ask your server administrator to set the "file_uploads" option in php.ini to "On".'); + run_test('return is_apache();', 'Apache HTTP Server', 'Apparently your server is running a web server other than Apache. Enano will work nontheless, but there are some known bugs with non-Apache servers, and the "fancy" URLs will not work properly. 
The "Standard URLs" option will be set on the website configuration page, only change it if you are absolutely certain that your server is running Apache.', true); + //run_test('return function_exists(\'finfo_file\');', 'Fileinfo PECL extension', 'The MIME magic PHP extension is used to determine the type of a file by looking for a certain "magic" string of characters inside it. This functionality is used by Enano to more effectively prevent malicious file uploads. The MIME magic option will be disabled by default.', true); + run_test('return is_writable(ENANO_ROOT.\'/config.php\');', 'Configuration file writable', 'It looks like the configuration file, config.php, is not writable. Enano needs to be able to write to this file in order to install.

If you are installing Enano on a SourceForge web site:
SourceForge mounts the web partitions read-only now, so you will need to use the project shell service to symlink config.php to a file in the /tmp/persistent directory.'); + run_test('return file_exists(\'/usr/bin/convert\');', 'ImageMagick support', 'Enano uses ImageMagick to scale images into thumbnails. Because ImageMagick was not found on your server, Enano will use the width= and height= attributes on the <img> tag to scale images. This can cause somewhat of a performance increase, but bandwidth usage will be higher, especially if you use high-resolution images on your site.

If you are sure that you have ImageMagick, you can set the location of the "convert" program using the administration panel after installation is complete.', true); + run_test('return is_writable(ENANO_ROOT.\'/cache/\');', 'Cache directory writable', 'Apparently the cache/ directory is not writable. Enano will still work, but you will not be able to cache thumbnails, meaning the server will need to re-render them each time they are requested. In some cases, this can cause a significant slowdown.', true); + run_test('return is_writable(ENANO_ROOT.\'/files/\');', 'File uploads directory writable', 'It seems that the directory where uploaded files are stored (' . ENANO_ROOT . '/files) cannot be written by the server. Enano will still function, but file uploads will not function, and will be disabled by default.', true); + echo '
'; + if(!$failed) + { + ?> + +
+ '; + run_test('return false;', 'Your server does not meet the requirements for Enano to run.', 'As a precaution, Enano will not install until the above requirements have been met. Contact your server administrator or hosting company and convince them to upgrade. Good luck.'); + echo '
'; + } + } + ?> + + +

Now we need some information that will allow Enano to contact your database server. Enano uses MySQL as a data storage backend, + and we need to have access to a MySQL server in order to continue.

+

If you do not have access to a MySQL server, and you are using your own server, you can download MySQL for free from + MySQL.com. Please note that, like Enano, MySQL is licensed under the GNU GPL. + If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL + or purchase a proprietary license.

+ MySQL login information for this virtual appliance:

Database hostname: localhost
Database login: username "enano", password: "clurichaun" (without quotes)
Database name: enano_www1

'; + } + ?> +
+ + + + + + + + + + + + + +

Database information

Database hostname
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".
Good/bad icon
Database name
The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a MySQL user with administrative rights.
Good/bad icon
Database login
These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" privileges for your database.
Good/bad icon

Optional information

Table prefix
The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).
Good/bad icon
Database administrative login
If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
Good/bad icon
MySQL versionMySQL version information will be checked when you click "Test Connection".Good/bad icon
Delete existing tables?
If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + ?> + +
+ '."\n"; + } + ?> +

The next step is to enter some information about your website. You can always change this information later, using the administration panel.

+ + + + + + +
Website name
The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".
Good/bad icon
Website description
This text will be shown below the name of your website.
Good/bad icon
Copyright info
This should be a one-line legal notice that will appear at the bottom of all your pages.
Good/bad icon
Wiki mode
This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.
URL scheme
Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.
name="urlscheme" value="ugly" id="ugly">
name="urlscheme" value="short" id="short">
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + require('config.php'); + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + if ( isset($crypto_key) ) + { + $cryptkey = $crypto_key; + } + if(!isset($cryptkey) || ( isset($cryptkey) && strlen($cryptkey) != AES_BITS / 4) ) + { + $cryptkey = $aes->gen_readymade_key(); + $handle = @fopen(ENANO_ROOT.'/config.php', 'w'); + if(!$handle) + { + echo '

ERROR: Cannot open config.php for writing - exiting!

'; + $template->footer(); + exit; + } + fwrite($handle, ''); + fclose($handle); + } + ?> + +
+ '."\n"; + } + ?> +

Next, enter your desired username and password. The account you create here will be used to administer your site.

+ + + + + + + + + + + +
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
+ Allow administrators to embed PHP code into pages:
+ Do not under any circumstances enable this option without reading these + important security implications. + +
+    + +
If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.
+ +
+ + + +
+ + restart the installation.'; + $template->footer(); + exit; + } + unset($_POST['_cont']); + ?> +
+ '."\n"; + } + ?> +

Enano is ready to install.

+

The wizard has finished collecting information and is ready to install the database schema. Please review the information below, + and then click the button below to install the database.

+
    +
  • Database hostname:
  • +
  • Database name:
  • +
  • Database user:
  • +
  • Database password: <hidden>
  • +
  • Site name:
  • +
  • Site description:
  • +
  • Administration username:
  • +
  • Cipher strength: -bit AES
    Cipher strength is defined in the file constants.php; if you desire to change the cipher strength, you may do so and then restart installation. Unless your site is mission-critical, changing the cipher strength is not necessary.
  • +
+ +
+ restart the installation.'; + $template->footer(); + exit; + } + switch($_POST['urlscheme']) + { + case "ugly": + default: + $cp = scriptPath.'/index.php?title='; + break; + case "short": + $cp = scriptPath.'/index.php/'; + break; + case "tiny": + $cp = scriptPath.'/'; + break; + } + function err($t) { global $template; echo $t; $template->footer(); exit; } + + echo 'Connecting to MySQL...'; + if($_POST['db_root_user'] != '') + { + $conn = mysql_connect($_POST['db_host'], $_POST['db_root_user'], $_POST['db_root_pass']); + if(!$conn) err('Error connecting to MySQL: '.mysql_error()); + $q = mysql_query('USE '.$_POST['db_name']); + if(!$q) + { + $q = mysql_query('CREATE DATABASE '.$_POST['db_name']); + if(!$q) err('Error initializing database: '.mysql_error()); + } + $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'localhost\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); + if(!$q) err('Could not create the user account'); + $q = mysql_query('GRANT ALL PRIVILEGES ON '.$_POST['db_name'].'.* TO \''.$_POST['db_user'].'\'@\'%\' IDENTIFIED BY \''.$_POST['db_pass'].'\' WITH GRANT OPTION;'); + if(!$q) err('Could not create the user account'); + mysql_close($conn); + } + $conn = mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if(!$conn) err('Error connecting to MySQL: '.mysql_error()); + $q = mysql_query('USE '.$_POST['db_name']); + if(!$q) err('Error selecting database: '.mysql_error()); + echo 'done!
'; + + // Are we supposed to drop any existing tables? If so, do it now + if(isset($_POST['drop_tables'])) + { + echo 'Dropping existing Enano tables...'; + // Our list of tables included in Enano + $tables = Array( 'mdg_categories', 'mdg_comments', 'mdg_config', 'mdg_logs', 'mdg_page_text', 'mdg_session_keys', 'mdg_pages', 'mdg_users', 'mdg_users_extra', 'mdg_themes', 'mdg_buddies', 'mdg_banlist', 'mdg_files', 'mdg_privmsgs', 'mdg_sidebar', 'mdg_hits', 'mdg_search_index', 'mdg_groups', 'mdg_group_members', 'mdg_acl', 'mdg_search_cache', 'mdg_tags', 'mdg_page_groups', 'mdg_page_group_members' ); + $tables = implode(', ', $tables); + $tables = str_replace('mdg_', $_POST['table_prefix'], $tables); + $query_of_death = 'DROP TABLE '.$tables.';'; + mysql_query($query_of_death); // We won't check for errors here because if this operation fails it probably means the tables didn't exist + echo 'done!
'; + } + + $cacheonoff = is_writable(ENANO_ROOT.'/cache/') ? '1' : '0'; + + echo 'Decrypting administration password...'; + + $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE); + + if ( !empty($_POST['crypt_data']) ) + { + require('config.php'); + if ( !isset($cryptkey) ) + { + echo 'failed!
Cannot get the key from config.php'; + break; + } + $key = hexdecode($cryptkey); + + $dec = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); + + } + else + { + $dec = $_POST['admin_pass']; + } + echo 'done!
Generating '.AES_BITS.'-bit AES private key...'; + $privkey = $aes->gen_readymade_key(); + $pkba = hexdecode($privkey); + $encpass = $aes->encrypt($dec, $pkba, ENC_HEX); + + echo 'done!
Preparing for schema execution...'; + $schema = file_get_contents('schema.sql'); + $schema = str_replace('{{SITE_NAME}}', mysql_real_escape_string($_POST['sitename'] ), $schema); + $schema = str_replace('{{SITE_DESC}}', mysql_real_escape_string($_POST['sitedesc'] ), $schema); + $schema = str_replace('{{COPYRIGHT}}', mysql_real_escape_string($_POST['copyright'] ), $schema); + $schema = str_replace('{{ADMIN_USER}}', mysql_real_escape_string($_POST['admin_user'] ), $schema); + $schema = str_replace('{{ADMIN_PASS}}', mysql_real_escape_string($encpass ), $schema); + $schema = str_replace('{{ADMIN_EMAIL}}', mysql_real_escape_string($_POST['admin_email']), $schema); + $schema = str_replace('{{ENABLE_CACHE}}', mysql_real_escape_string($cacheonoff ), $schema); + $schema = str_replace('{{REAL_NAME}}', '', $schema); + $schema = str_replace('{{TABLE_PREFIX}}', $_POST['table_prefix'], $schema); + $schema = str_replace('{{VERSION}}', ENANO_VERSION, $schema); + $schema = str_replace('{{ADMIN_EMBED_PHP}}', $_POST['admin_embed_php'], $schema); + // Not anymore!! :-D + // $schema = str_replace('{{BETA_VERSION}}', ENANO_BETA_VERSION, $schema); + + if(isset($_POST['wiki_mode'])) + { + $schema = str_replace('{{WIKI_MODE}}', '1', $schema); + } + else + { + $schema = str_replace('{{WIKI_MODE}}', '0', $schema); + } + + // Build an array of queries + $schema = explode("\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + $t = trim($query); + if ( empty($t) || preg_match('/^(\#|--)/i', $t) ) + { + unset($schema[$i]); + unset($query); + } + } + + $schema = array_values($schema); + $schema = implode("\n", $schema); + $schema = explode(";\n", $schema); + + foreach ( $schema as $i => $sql ) + { + $query =& $schema[$i]; + if ( substr($query, ( strlen($query) - 1 ), 1 ) != ';' ) + { + $query .= ';'; + } + } + + // echo '
' . htmlspecialchars(print_r($schema, true)) . '
'; + // break; + + echo 'done!
Executing schema.sql...'; + + // OK, do the loop, baby!!! + foreach($schema as $q) + { + $r = mysql_query($q, $conn); + if(!$r) err('Error during mainstream installation: '.mysql_error()); + } + + echo 'done!
Writing configuration files...'; + if($_POST['urlscheme']=='tiny') + { + $ht = fopen(ENANO_ROOT.'/.htaccess', 'a+'); + if(!$ht) err('Error opening file .htaccess for writing'); + fwrite($ht, ' +RewriteEngine on +RewriteCond %{REQUEST_FILENAME} !-d +RewriteCond %{REQUEST_FILENAME} !-f +RewriteRule ^(.+) '.scriptPath.'/index.php?title=$1 [L,QSA] +RewriteRule \.(php|html|gif|jpg|png|css|js)$ - [L] +'); + fclose($ht); + } + + $config_file = ''; + + $cf_handle = fopen(ENANO_ROOT.'/config.php', 'w'); + if(!$cf_handle) err('Couldn\'t open file config.php for writing'); + fwrite($cf_handle, $config_file); + fclose($cf_handle); + + echo 'done!
Starting the Enano API...'; + + $template_bak = $template; + + // Get Enano loaded + $_GET['title'] = 'Main_Page'; + require('includes/common.php'); + + // We need to be logged in (with admin rights) before logs can be flushed + $session->login_without_crypto($_POST['admin_user'], $dec, false); + + // Now that login cookies are set, initialize the session manager and ACLs + $session->start(); + $paths->init(); + + unset($template); + $template =& $template_bak; + + echo 'done!
Initializing logs...'; + + $q = $db->sql_query('INSERT INTO ' . $_POST['table_prefix'] . 'logs(log_type,action,time_id,date_string,author,page_text,edit_summary) VALUES(\'security\', \'install_enano\', ' . time() . ', \'' . date('d M Y h:i a') . '\', \'' . mysql_real_escape_string($_POST['admin_user']) . '\', \'' . mysql_real_escape_string(ENANO_VERSION) . '\', \'' . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . '\');', $conn); + if ( !$q ) + err('Error setting up logs: '.$db->get_error()); + + if ( !$session->get_permissions('clear_logs') ) + { + echo '
Error: session manager won\'t permit flushing logs, these is a bug.'; + break; + } + + // unset($session); + // $session = new sessionManager(); + // $session->start(); + + PageUtils::flushlogs('Main_Page', 'Article'); + + echo 'done!

Installation of Enano is complete.

Review any warnings above, and then click here to finish the installation.'; + + // echo ''; + + break; + case "finish": + echo '

Congratulations!

+

You have finished installing Enano on this server.

+

Now what?

+

Click the link below to see the main page for your website. Where to go from here:

+
    +
  • The first thing you should do is log into your site using the Log in link on the sidebar.
  • +
  • Go into the Administration panel, expand General, and click General Configuration. There you will be able to configure some basic information about your site.
  • +
  • Visit the Enano Plugin Gallery to download and use plugins on your site.
  • +
  • Periodically create a backup of your database and filesystem, in case something goes wrong. This should be done at least once a week – more for wiki-based sites.
  • +
  • Hire some moderators, to help you keep rowdy users tame.
  • +
  • Tell the Enano team what you think.
  • +
  • Spread the word about Enano by adding a link to the Enano homepage on your sidebar! You can enable this option in the General Configuration section of the administration panel.
  • +
+

Go to your website...

'; + break; +} +$template->footer(); + +?> diff -r 8e2fffc5c622 -r 473cc747022a plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Tue Oct 23 12:30:08 2007 -0400 +++ b/plugins/SpecialAdmin.php Fri Oct 26 19:28:54 2007 -0400 @@ -10,7 +10,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -203,6 +203,16 @@ setConfig('pw_strength_minimum', $strength); } + // Account lockout policy + if ( preg_match('/^[0-9]+$/', $_POST['lockout_threshold']) ) + setConfig('lockout_threshold', $_POST['lockout_threshold']); + + if ( preg_match('/^[0-9]+$/', $_POST['lockout_duration']) ) + setConfig('lockout_duration', $_POST['lockout_duration']); + + if ( in_array($_POST['lockout_policy'], array('disable', 'captcha', 'lockout')) ) + setConfig('lockout_policy', $_POST['lockout_policy']); + echo '
Your changes to the site configuration have been saved.

'; } @@ -351,6 +361,43 @@ + + + Account lockouts + + Configure Enano to prevent or restrict logins for a specified period of time if a user enters an incorrect password a specific number of times. + + + Lockout threshold:
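Review bot: The three new lockout settings read `$_POST['lockout_threshold']`, `$_POST['lockout_duration']` and `$_POST['lockout_policy']` without an `isset()` guard, and `/^[0-9]+$/` accepts both a trailing newline and the value `0`. The login code later in this changeset treats a falsy stored value as "use the default" (`( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5`), so an administrator who saves `0` silently gets 5 attempts or 15 minutes instead of an error. A stricter guard would be `if ( isset($_POST['lockout_threshold']) && ctype_digit($_POST['lockout_threshold']) && intval($_POST['lockout_threshold']) > 0 )`, and the same for `lockout_duration`. Passing `true` as the third argument of `in_array()` keeps the policy comparison strict. The enclosing save handler starts and ends outside this hunk.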
+ How many times can a user enter wrong credentials before a lockout goes into effect? + + + + + + + + Lockout duration:
+ This is how long an account lockout should last, in minutes. + + + + + + + + Lockout policy:
+ What should be done when a lockout goes into effect? + + +
+
+ + + + + + Password strength @@ -2685,7 +2732,7 @@ } else { - echo '
Please wait while the administration panel loads. You need to be using a recent browser with AJAX support in order to use Runt.
'; + echo ''; } ?> @@ -2979,7 +3026,7 @@ echo '
$_GET[\'side\'] contained an SQL injection attempt
'; break; } - $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . intval($_GET['id']) . ';'); + $query = $db->sql_query('UPDATE '.table_prefix.'sidebar SET sidebar_id=' . $db->escape($_GET['side']) . ' WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$query) { echo $db->get_error(); @@ -2989,7 +3036,7 @@ echo '
Item moved.
'; break; case 'delete': - $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); // Already checked for injection attempts ;-) + $query = $db->sql_query('DELETE FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); // Already checked for injection attempts ;-) if(!$query) { echo $db->get_error(); @@ -3004,7 +3051,7 @@ echo '
Item deleted.
'; break; case 'disenable'; - $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('SELECT item_enabled FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3014,22 +3061,7 @@ $r = $db->fetchrow(); $db->free_result(); $e = ( $r['item_enabled'] == 1 ) ? '0' : '1'; - $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . intval($_GET['id']) . ';'); - if(!$q) - { - echo $db->get_error(); - $template->footer(); - exit; - } - if(isset($_GET['ajax'])) - { - ob_end_clean(); - die('GOOD'); - } - break; - case 'rename'; - $newname = $db->escape($_POST['newname']); - $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_name=\''.$newname.'\' WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET item_enabled='.$e.' WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3043,7 +3075,7 @@ } break; case 'getsource': - $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_content,block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo $db->get_error(); @@ -3059,7 +3091,7 @@ case 'save': if ( defined('ENANO_DEMO_MODE') ) { - $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_type FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; 
@@ -3075,13 +3107,13 @@ $_POST['content'] = sanitize_html($_POST['content'], true); } } - $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('UPDATE '.table_prefix.'sidebar SET block_content=\''.$db->escape(rawurldecode($_POST['content'])).'\' WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; exit; } - $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . intval($_GET['id']) . ';'); + $q = $db->sql_query('SELECT block_type,block_content FROM '.table_prefix.'sidebar WHERE item_id=' . $db->escape($_GET['id']) . ';'); if(!$q) { echo 'var status=unescape(\''.hexencode($db->get_error()).'\');'; @@ -3173,8 +3205,6 @@ $parser = $template->makeParserText($vars['sidebar_section']); $c = $template->tplWikiFormat($row['block_content'], false, 'sidebar-editor.tpl'); $c = preg_replace('#(.*?)#is', '\\2', $c); - // fix for the "Administration" link that somehow didn't get rendered properly - $c = preg_replace("/(^|\n)([ ]*)(.+)<\/a>()([\r\n]+|$)/isU", '\\1\\2
  • \\4
  • \\7', $c); break; case BLOCK_HTML: $parser = $template->makeParserText($vars['sidebar_section_raw']); diff -r 8e2fffc5c622 -r 473cc747022a plugins/SpecialUserFuncs.php --- a/plugins/SpecialUserFuncs.php Tue Oct 23 12:30:08 2007 -0400 +++ b/plugins/SpecialUserFuncs.php Fri Oct 26 19:28:54 2007 -0400 @@ -4,13 +4,13 @@ Plugin URI: http://enanocms.org/ Description: Provides the pages Special:Login, Special:Logout, Special:Register, and Special:Preferences. Author: Dan Fuhry -Version: 1.0.2 +Version: 1.0.1 Author URI: http://enanocms.org/ */ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 + * Version 1.0 release candidate 2 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License 
@@ -104,14 +104,60 @@ $pubkey = $session->rijndael_genkey(); $challenge = $session->dss_rand(); + $locked_out = false; + // are we locked out? + $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; + $duration = ( $_ = getConfig('lockout_duration') ) ? intval($_) : 15; + // convert to minutes + $duration = $duration * 60; + $policy = ( $x = getConfig('lockout_policy') && in_array(getConfig('lockout_policy'), array('lockout', 'disable', 'captcha')) ) ? getConfig('lockout_policy') : 'lockout'; + if ( $policy != 'disable' ) + { + $ipaddr = $db->escape($_SERVER['REMOTE_ADDR']); + $timestamp_cutoff = time() - $duration; + $q = $session->sql('SELECT timestamp FROM '.table_prefix.'lockout WHERE timestamp > ' . $timestamp_cutoff . ' AND ipaddr = \'' . $ipaddr . '\' ORDER BY timestamp DESC;'); + $fails = $db->numrows(); + if ( $fails >= $threshold ) + { + $row = $db->fetchrow(); + $locked_out = true; + $lockdata = array( + 'locked_out' => true, + 'lockout_threshold' => $threshold, + 'lockout_duration' => ( $duration / 60 ), + 'lockout_fails' => $fails, + 'lockout_policy' => $policy, + 'lockout_last_time' => $row['timestamp'], + 'time_rem' => ( $duration / 60 ) - round( ( time() - $row['timestamp'] ) / 60 ), + 'captcha' => '' + ); + if ( $policy == 'captcha' ) + { + $lockdata['captcha'] = $session->make_captcha(); + } + } + $db->free_result(); + } + if ( isset($_GET['act']) && $_GET['act'] == 'getkey' ) { $username = ( $session->user_logged_in ) ? $session->username : false; $response = Array( 'username' => $username, 'key' => $pubkey, - 'challenge' => $challenge + 'challenge' => $challenge, + 'locked_out' => false ); + + if ( $locked_out ) + { + foreach ( $lockdata as $x => $y ) + { + $response[$x] = $y; + } + unset($x, $y); + } + $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $response = $json->encode($response); echo $response; 
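Review bot: The lockout count is keyed only on `$_SERVER['REMOTE_ADDR']` (`... AND ipaddr = '...'`), so the threshold is enforced per client address and not per account. Failed logins for one account from several addresses are never added together, while unrelated users behind a shared address draw on the same counter. The lockout table's schema is not visible here; if it records the attempted username, count per account as well as per address. The comment `// convert to minutes` sits above `$duration = $duration * 60;`, which turns minutes into seconds, and should read `// convert minutes to seconds`. In the `$policy` line, `$x = getConfig('lockout_policy') && in_array(...)` assigns the boolean result of the whole `&&` expression to an otherwise unused `$x`; dropping the assignment makes the condition read as intended.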
@@ -138,7 +184,48 @@ $header = ( $level > USER_LEVEL_MEMBER ) ? 'Please re-enter your login details' : 'Please enter your username and password to log in.'; if ( isset($_POST['login']) ) { - echo '

    '.$__login_status.'

    '; + $errstring = $__login_status['error']; + switch($__login_status['error']) + { + case 'key_not_found': + $errstring = 'Enano couldn\'t look up the encryption key used to encrypt your password. This most often happens if a cache rotation occurred during your login attempt, or if you refreshed the login page.'; + break; + case 'key_wrong_length': + $errstring = 'The encryption key was the wrong length.'; + break; + case 'too_big_for_britches': + $errstring = 'You are trying to authenticate at a level that your user account does not permit.'; + break; + case 'invalid_credentials': + $errstring = 'You have entered an invalid username or password. Please enter your login details again.'; + if ( $__login_status['lockout_policy'] == 'lockout' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will be locked out from logging in for '.$__login_status['lockout_duration'].' minutes.'; + } + else if ( $__login_status['lockout_policy'] == 'captcha' ) + { + $errstring .= ' You have used up '.$__login_status['lockout_fails'].' out of '.$__login_status['lockout_threshold'].' login attempts. After you have used up all '.$data['lockout_threshold'].' login attempts, you will have to enter a visual confirmation code before logging in, effective for '.$__login_status['lockout_duration'].' minutes.'; + } + break; + case 'backend_fail': + $errstring = 'You entered the right credentials and everything was validated, but for some reason Enano couldn\'t register your session. 
This is an internal problem with the site and you are encouraged to contact site administration.'; + break; + case 'locked_out': + $attempts = intval($__login_status['lockout_fails']); + if ( $attempts > $__login_status['lockout_threshold']) + $attempts = $__login_status['lockout_threshold']; + + $server_time = time(); + $time_rem = $__login_status['lockout_duration'] - round( ( $server_time - $__login_status['lockout_last_time'] ) / 60 ); + + $s = ( $time_rem == 1 ) ? '' : 's'; + $errstring = "You have used up all {$__login_status['lockout_threshold']} allowed login attempts. Please wait {$time_rem} minute$s before attempting to log in again"; + if ( $__login_status['lockout_policy'] == 'captcha' ) + $errstring .= ', or enter the visual confirmation code shown above in the appropriate box'; + $errstring .= '.'; + break; + } + echo '
    '.$errstring.'
    '; } if ( $p = $paths->getAllParams() ) { @@ -189,7 +276,7 @@ ?> /> - + Forgot your password? No problem.
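Review bot: Both `invalid_credentials` messages read `$data['lockout_threshold']` for the "After you have used up all … login attempts" part, while every other value in the same sentence comes from `$__login_status`. `$data` is not assigned anywhere in this hunk, so the number is likely to print empty; use `$__login_status['lockout_threshold']` in both branches. The `switch` also has no `default`, so an unrecognised code is echoed as-is from `$__login_status['error']`. Passing `$errstring` through `htmlspecialchars()` before the `echo` would keep that fallback safe to render. The enclosing function starts and ends outside the hunk.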
    Maybe you need to create an account.
    @@ -198,6 +285,21 @@ Password:
    + + + Code in image:
    + + + + + + + @@ -242,12 +344,12 @@ $plugins->attachHook('login_password_reset', 'SpecialLogin_SendResponse_PasswordReset($row[\'user_id\'], $row[\'temp_password\']);'); $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE); $data = $json->decode($_POST['params']); + $captcha_hash = ( isset($data['captcha_hash']) ) ? $data['captcha_hash'] : false; + $captcha_code = ( isset($data['captcha_code']) ) ? $data['captcha_code'] : false; $level = ( isset($data['level']) ) ? intval($data['level']) : USER_LEVEL_MEMBER; - $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level); + $result = $session->login_with_crypto($data['username'], $data['crypt_data'], $data['crypt_key'], $data['challenge'], $level, $captcha_hash, $captcha_code); $session->start(); - //echo "$result\n$session->sid_super"; - //exit; - if ( $result == 'success' ) + if ( $result['success'] ) { $response = Array( 'result' => 'success', @@ -256,9 +358,16 @@ } else { + $captcha = ''; + if ( $result['error'] == 'locked_out' && $result['lockout_policy'] == 'captcha' ) + { + $session->kill_captcha(); + $captcha = $session->make_captcha(); + } $response = Array( 'result' => 'error', - 'error' => $result + 'data' => $result, + 'captcha' => $captcha ); } $response = $json->encode($response); 
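Review bot: The error branch in hunk `@@ -256,9 +358,16 @@` now returns the whole `$result` array as `'data' => $result`, so every key `login_with_crypto()` puts in its failure result is sent to a client that has not authenticated. The hunk only shows `error` and `lockout_policy` being read, and the other keys are set outside this diff section, so this should be confirmed. I would build `data` from an explicit list of the keys the login form needs rather than passing the array through. A short comment above `$response` naming those keys would also document the JSON contract, which changes here from a string `error` to a `data` object plus `captcha`.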
@@ -267,17 +376,19 @@ exit; } if(isset($_POST['login'])) { + $captcha_hash = ( isset($_POST['captcha_hash']) ) ? $_POST['captcha_hash'] : false; + $captcha_code = ( isset($_POST['captcha_code']) ) ? $_POST['captcha_code'] : false; if($_POST['use_crypt'] == 'yes') { - $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level'])); + $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']), $captcha_hash, $captcha_code); } else { - $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level'])); + $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']), $captcha_hash, $captcha_code); } $session->start(); $paths->init(); - if($result == 'success') + if($result['success']) { $template->load_theme($session->theme, $session->style); if(isset($_POST['return_to'])) diff -r 8e2fffc5c622 -r 473cc747022a plugins/admin/PageGroups.php --- a/plugins/admin/PageGroups.php Tue Oct 23 12:30:08 2007 -0400 +++ b/plugins/admin/PageGroups.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -602,23 +602,6 @@ echo '
    The affecting tag was updated.
    '; } } - else if ( $_POST['pg_type'] == PAGE_GRP_REGEX ) - { - $target = $_POST['pg_target']; - if ( empty($target) ) - { - echo '
    Please enter an expression to match against..
    '; - } - else - { - $target = $db->escape($target); - $q = $db->sql_query('UPDATE '.table_prefix.'page_groups SET pg_target=\'' . $target . '\' WHERE pg_id=' . $edit_id . ';'); - if ( !$q ) - $db->_die(); - else - echo '
    The expression to match against was updated.
    '; - } - } else if ( $_POST['pg_type'] == PAGE_GRP_CATLINK ) { $target = $_POST['pg_target']; @@ -877,22 +860,6 @@ '; break; - case PAGE_GRP_REGEX: - echo ' - - Regular expression to use:
    - Be sure to include the starting and ending delimiters and any flags you might need.
    - These pages might help: Pattern modifiers • - Pattern syntax
    - Examples: /^(Special|Admin):/i/^Image:([0-9]+)$/
    - Developers, remember that this will be matched against the full page identifier string. This means that /^About_Enano$/ - will NOT match the page Special:About_Enano.
    - - - - - '; - break; case PAGE_GRP_CATLINK: // Build category list diff -r 8e2fffc5c622 -r 473cc747022a plugins/admin/SecurityLog.php --- a/plugins/admin/SecurityLog.php Tue Oct 23 12:30:08 2007 -0400 +++ b/plugins/admin/SecurityLog.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a plugins/admin/UserManager.php --- a/plugins/admin/UserManager.php Tue Oct 23 12:30:08 2007 -0400 +++ b/plugins/admin/UserManager.php Fri Oct 26 19:28:54 2007 -0400 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * Copyright (C) 2006-2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 8e2fffc5c622 -r 473cc747022a schema.sql --- a/schema.sql Tue Oct 23 12:30:08 2007 -0400 +++ b/schema.sql Fri Oct 26 19:28:54 2007 -0400 @@ -254,6 +254,16 @@ PRIMARY KEY ( tag_id ) ) CHARACTER SET `utf8`; +-- Added in 1.1.1 + +CREATE TABLE {{TABLE_PREFIX}}lockout( + id int(12) NOT NULL auto_increment, + ipaddr varchar(40) NOT NULL, + action ENUM('credential', 'level') NOT NULL DEFAULT 'credential', + timestamp int(12) NOT NULL DEFAULT 0, + PRIMARY KEY ( id ) +) CHARACTER SET `utf8`; + INSERT INTO {{TABLE_PREFIX}}config(config_name, config_value) VALUES ('site_name', '{{SITE_NAME}}'), ('main_page', 'Main_Page'), diff -r 8e2fffc5c622 -r 473cc747022a upgrade.php --- a/upgrade.php Tue Oct 23 12:30:08 2007 -0400 +++ b/upgrade.php Fri Oct 26 19:28:54 2007 -0400 
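Review bot: The new `lockout` table in the schema.sql hunk has only `PRIMARY KEY ( id )`, but the login code added in plugins/SpecialUserFuncs.php selects from it with `WHERE timestamp > … AND ipaddr = '…'` on every login-page and `getkey` request while the policy is not `disable`. Each such request therefore scans a table that grows with every recorded failure. Add a composite index, e.g. `KEY lockout_ip_time ( ipaddr, timestamp ),` (the index name is my suggestion), and mirror it in the identical `CREATE TABLE` in upgrade.sql. As far as the visible hunks show, nothing deletes expired rows, so a `DELETE … WHERE timestamp < cutoff` next to the insert would keep the table bounded.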
@@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.0.2 (Coblynau) + * Version 1.1.1 * upgrade.php - upgrade script * Copyright (C) 2006-2007 Dan Fuhry * @@ -61,7 +61,7 @@ // Everything related to versions goes here! // Valid versions to upgrade from -$valid_versions = Array('1.0b1', '1.0b2', '1.0b3', '1.0b4', '1.0RC1', '1.0RC2', '1.0RC3', '1.0', '1.0.1', '1.0.1.1', '1.0.2b1'); +$valid_versions = Array('1.0b1', '1.0b2', '1.0b3', '1.0b4', '1.0RC1', '1.0RC2', '1.0RC3', '1.0', '1.0.1', '1.0.1.1', '1.0.2b1', '1.0.2', 'Stable1.0ToUnstable1.1'); // Basically a list of dependencies, which should be resolved automatically // If, for example, upgrading from 1.0b1 to 1.0RC1 requires one extra query that would not @@ -76,9 +76,11 @@ '1.0RC3' => Array('1.0'), '1.0' => Array('1.0.1'), '1.0.1' => Array('1.0.1.1'), - '1.0.1.1' => Array('1.0.2b1') + '1.0.1.1' => Array('1.0.2b1'), + '1.0.2b1' => Array('Stable1.0ToUnstable1.1'), + 'Stable1.0ToUnstable1.1' => Array('1.1.1') ); -$this_version = '1.0.2'; +$this_version = '1.1.1'; $func_list = Array( '1.0' => Array('u_1_0_1_update_del_votes'), '1.0b4' => Array('u_1_0_RC1_update_user_ids', 'u_1_0_RC1_add_admins_to_group', 'u_1_0_RC1_alter_files_table', 'u_1_0_RC1_destroy_session_cookie', 'u_1_0_RC1_set_contact_email', 'u_1_0_RC1_update_page_text'), // , @@ -445,7 +447,7 @@ { if(isset($_POST['login'])) { - $session->login_without_crypto($_POST['username'], $_POST['password'], false, $ul_admin); + $result = $session->login_without_crypto($_POST['username'], $_POST['password'], false, $ul_admin); if($session->sid_super) { header('Location: upgrade.php?mode=welcome&auth='.$session->sid_super); @@ -462,7 +464,7 @@
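Review bot: `'1.0.2'` is added to `$valid_versions`, but the dependency list in hunk `@@ -76,9 +76,11 @@` gets no `'1.0.2'` key: the chain runs `'1.0.2b1'` → `'Stable1.0ToUnstable1.1'` → `'1.1.1'`. The `---BEGIN 1.0.2---` section in upgrade.sql is empty and the `lockout` table is created only in the `Stable1.0ToUnstable1.1` section. An upgrade from 1.0.2 may therefore leave the table missing, depending on how the list is resolved (that code is outside the hunk), and the new lockout query on the login page would then fail. If so, add `'1.0.2' => Array('Stable1.0ToUnstable1.1'),` to the list.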

    Login failed. Bad password?

    '; + echo '

    Login failed: '. $result['error'] . '

    '; } ?> diff -r 8e2fffc5c622 -r 473cc747022a upgrade.sql --- a/upgrade.sql Tue Oct 23 12:30:08 2007 -0400 +++ b/upgrade.sql Fri Oct 26 19:28:54 2007 -0400 @@ -3,7 +3,15 @@ -- ALL NON-SQL LINES, even otherwise blank lines, must start with "--" or they will get sent to MySQL! -- Common tasks (version numbers) DELETE FROM {{TABLE_PREFIX}}config WHERE config_name='enano_version' OR config_name='enano_beta_version' OR config_name='enano_alpha_version' OR config_name='enano_rc_version'; -INSERT INTO {{TABLE_PREFIX}}config (config_name, config_value) VALUES( 'enano_version', '1.0.2' ); +INSERT INTO {{TABLE_PREFIX}}config (config_name, config_value) VALUES( 'enano_version', '1.1.1' ); +---BEGIN Stable1.0ToUnstable1.1--- +-- UPDATE {{TABLE_PREFIX}}groups SET group_id=9998 WHERE group_id=4; +-- UPDATE {{TABLE_PREFIX}}group_members SET group_id=9998 WHERE group_id=4; +-- INSERT INTO {{TABLE_PREFIX}}groups(group_id,group_name,group_type,system_group) VALUES(4, 'Regular members', 3, 1); +CREATE TABLE {{TABLE_PREFIX}}lockout( id int(12) NOT NULL auto_increment, ipaddr varchar(40) NOT NULL, action ENUM('credential', 'level') NOT NULL DEFAULT 'credential', timestamp int(12) NOT NULL DEFAULT 0, PRIMARY KEY ( id ) ) CHARACTER SET `utf8`; +---END Stable1.0ToUnstable1.1--- +---BEGIN 1.0.2--- +---END 1.0.2--- ---BEGIN 1.0.2b1--- -- This is really optional, but could reduce confusion if regex page groups get truncated for no apparent reason. ALTER TABLE {{TABLE_PREFIX}}page_groups MODIFY COLUMN pg_target text DEFAULT NULL;