Commit a35d25c0 authored by drsassafras's avatar drsassafras

remove outdated challenge response feature (second attempt)

parent 683560d0
......@@ -1763,6 +1763,7 @@ installer/schema/20160519_calendar_events_action_log_tiki.sql -text
installer/schema/20160527_menu_item_payment_tiki.sql -text
installer/schema/20160604_remove_unwanted_files_tiki.php -text
installer/schema/20160608_menu_item_admin_tokens_tiki.sql -text
installer/schema/20160612_remove_feature_challenge_pref.sql -text
installer/schema/999999991_decode_pages_sources_tiki.php -text
installer/schema/99999999_image_plugins_kill_tiki.php -text
installer/schema/index.php -text
......@@ -3776,7 +3777,6 @@ lib/serializedlist.php -text
lib/servicelib.php -text
lib/setup/absolute_urls.php -text
lib/setup/categories.php -text
lib/setup/challenge.php -text
lib/setup/comments_zone.php -text
lib/setup/cookies.php -text
lib/setup/credits.php -text
......
DELETE FROM tiki_preferences WHERE name='feature_challenge';
......@@ -2374,14 +2374,6 @@ function prefs_feature_list($partial = false)
'help' => 'Advanced+Wiki+Syntax+usage+examples',
'default' => 'n',
),
'feature_challenge' => array(
'name' => tra('Use challenge/response authentication'),
'description' => tra(''),
'type' => 'flag',
'hint' => tra('Confirm that the Admin account has a valid email address or you will not be able to log in'),
'default' => 'n',
'warning' => tr('Deprecated: This feature is unmaintained and may not be reliable'),
),
'feature_show_stay_in_ssl_mode' => array(
'name' => tra('Users can choose to stay in SSL mode after an HTTPS login'),
'description' => tra(''),
......
<?php
// (c) Copyright 2002-2016 by authors of the Tiki Wiki CMS Groupware Project
//
// All Rights Reserved. See copyright.txt for details and a complete list of authors.
// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for details.
// $Id$
//this script may only be included - so its better to die if called directly.
$access->check_script($_SERVER['SCRIPT_NAME'], basename(__FILE__));
// If we are processing a login then do not generate the challenge
// if we are in any other case then yes.
if ( ! isset($_REQUEST['login']) ) {
$chall = $userlib->generate_challenge();
$_SESSION['challenge'] = $chall;
$smarty->assign('challenge', $chall);
}
......@@ -593,7 +593,7 @@ class TikiAccessLib extends TikiLib
$attempt = $_SERVER['PHP_AUTH_USER'] ;
$pass = $_SERVER['PHP_AUTH_PW'] ;
list($res, $rest) = $userlib->validate_user_tiki($attempt, $pass, false, false);
list($res, $rest) = $userlib->validate_user_tiki($attempt, $pass);
if ($res == USER_VALID) {
global $_permissionContext;
......
......@@ -328,21 +328,6 @@ class UsersLib extends TikiLib
return $r;
}
function generate_challenge()
{
$val = md5($this->genPass());
return $val;
}
function validate_hash($user, $hash)
{
return $this->getOne(
'select count(*) from `users_users` where binary `login` = ? and `hash`=?',
array($user, $hash)
);
}
/**
* Force a logout for the specified user
* @param $user
......@@ -362,7 +347,7 @@ class UsersLib extends TikiLib
// For each auth method, validate user in auth, if valid, verify tiki user exists and create if necessary (as configured)
// Once complete, update_lastlogin and return result, username and login message.
function validate_user($user, $pass, $challenge = '', $response = '', $validate_phase=false)
function validate_user($user, $pass, $validate_phase=false)
{
global $prefs;
......@@ -410,7 +395,7 @@ class UsersLib extends TikiLib
// first attempt a login via the standard Tiki system
//
if (!($auth_shib || $auth_cas) || $user == 'admin') { //redflo: does this mean, that users in cas and shib are not replicated to tiki tables? Does this work well?
list($result, $user) = $this->validate_user_tiki($user, $pass, $challenge, $response, $validate_phase);
list($result, $user) = $this->validate_user_tiki($user, $pass, $validate_phase);
} else {
$result = NULL;
}
......@@ -1545,7 +1530,7 @@ class UsersLib extends TikiLib
* @param user: username
* @param pass: password
*/
function validate_user_tiki($user, $pass, $challenge, $response, $validate_phase = false)
function validate_user_tiki($user, $pass, $validate_phase = false)
{
global $prefs;
......@@ -1584,7 +1569,6 @@ class UsersLib extends TikiLib
$user = $res['login'];
// next verify the password with every hashes methods
if ($prefs['feature_challenge'] == 'n' || empty($response)) {
if (!empty($res['valid']) && $pass == $res['valid']) // used for validation of user account before activation
return array(USER_VALID, $user);
......@@ -1609,26 +1593,7 @@ class UsersLib extends TikiLib
return array(USER_PREVIOUSLY_VALIDATED, $user);
}
return array(PASSWORD_INCORRECT, $user);
} else {
// Use challenge-reponse method
// Compare pass against md5(user,challenge,hash)
$hash = $this->getOne('select `hash` from `users_users` where binary `login`=?', array($user));
if (!isset($_SESSION["challenge"]))
return array(false, $user);
//print("pass: $pass user: $user hash: $hash <br />");
//print("challenge: ".$_SESSION["challenge"]." challenge: $challenge<br />");
//print("response : $response<br />");
if ($response == md5($user . $hash . $_SESSION["challenge"])) {
$this->update_lastlogin($user);
return array(USER_VALID, $user);
} else {
return array(false, $user);
}
}
return array(PASSWORD_INCORRECT, $user);
}
/**
......
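Review bot: The new `validate_user($user, $pass, $validate_phase=false)` moves `$validate_phase` from the fifth to the third position, and PHP silently accepts surplus positional arguments, so any caller this commit missed that still passes `$challenge, $response` positionally will have its old challenge value land in `$validate_phase` instead of being rejected. A one-time guard at the top of the function makes stale callers visible: `if (func_num_args() > 3) { trigger_error('validate_user(): challenge/response arguments were removed; pass $validate_phase third', E_USER_DEPRECATED); }`, and the same applies to `validate_user_tiki`, whose third parameter also changed meaning. `validate_hash()` is deleted here without any caller being touched in this commit, so I cannot see from the diff whether it still has users; a grep is worth confirming. Both function bodies continue outside the hunks shown.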
......@@ -97,7 +97,7 @@ function validate($params)
return new XML_RPC_Response(0, 101, $msg);
}
list($isvalid, $dummy, $error) = $userlib->validate_user($login, $pass, '', '');
list($isvalid, $dummy, $error) = $userlib->validate_user($login, $pass);
if (!$isvalid) {
$msg = tra('Invalid username or password');
......
......@@ -119,7 +119,6 @@
{preference name=unsuccessful_logins_invalid}
{preference name=eponymousGroups}
{preference name=desactive_login_autocomplete}
{preference name=feature_challenge}
{preference name=login_multiple_forbidden}
{preference name=login_grab_session}
{preference name=session_protected}
......
......@@ -140,29 +140,12 @@ if (jqueryTiki.no_cookie) {
{/if}
<form name="loginbox" class="form{if $mode eq "header"} form-inline{/if}" id="loginbox-{$module_logo_instance}" action="{$login_module.login_url|escape}"
method="post" {if $prefs.feature_challenge eq 'y'}onsubmit="doChallengeResponse(this)"{/if}
method="post"
{if $prefs.desactive_login_autocomplete eq 'y'} autocomplete="off"{/if}
>
{capture assign="close_tags"}</form>{$close_tags}{/capture}
{if $prefs.feature_challenge eq 'y'}
<script type='text/javascript' src="vendor/jquery/md5/js/md5.js"></script>
{jq notonready=true}
function doChallengeResponse(form) {
var $form = $(form), hashstr, str;
hashstr= $("input[name=user]", $form).val() +
$("input[name=pass]", $form).val() +
$("input[name=email]", $form).val();
str = $("input[name=user]", $form).val() + md5(hashstr) + $("input[name=challenge]", $form).val();
$("input[name=response]", $form).val(md5(str));
//$("input[name=pass]", $form).val(""); // (form does not submit without password)
$form.submit();
return false;
}
{/jq}
<input type="hidden" name="challenge" value="{$challenge|escape}" />
<input type="hidden" name="response" value="" />
{/if}
{if !empty($urllogin)}<input type="hidden" name="url" value="{$urllogin|escape}" />{/if}
{if $module_params.nobox neq 'y'}
<fieldset>
......@@ -201,14 +184,6 @@ if (jqueryTiki.no_cookie) {
<input class="form-control" type="hidden" name="user" id="login-user_{$module_logo_instance}" value="{$loginuser|escape}" /><b>{$loginuser|escape}</b>
{/if}
</div>
{if $prefs.feature_challenge eq 'y'} <!-- quick hack to make challenge/response work until 1.8 tiki auth overhaul -->
<div class="email form-group clearfix">
<label for="login-email_{$module_logo_instance}">{tr}eMail:{/tr}</label>
<div>
<input class="form-control" type="text" name="email" id="login-email_{$module_logo_instance}">
</div>
</div>
{/if}
<div class="pass form-group clearfix">
<label for="login-pass_{$module_logo_instance}">{tr}Password:{/tr}</label>
<div>
......
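Review bot: Dropping the `vendor/jquery/md5/js/md5.js` script include leaves the bundled jQuery md5 package with no consumer visible in this diff; if nothing else references it, remove it from the vendor/composer manifest as well so an unused third-party script is neither shipped nor maintained. Nothing is lost for login confidentiality here: the removed handler hashed the response client-side but, per the commented-out line `//$("input[name=pass]", $form).val("");`, still submitted `pass` in the clear, so transport protection continues to rest on HTTPS exactly as before. Whether other templates include md5.js is not visible from this change.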
......@@ -74,7 +74,7 @@ if (isset($_REQUEST["change"])) {
}
}
// Check that provided user name could log in with old password, otherwise display error and exit
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_REQUEST["oldpass"], '', '');
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_REQUEST["oldpass"]);
if (!$isvalid) {
$smarty->assign('msg', tra("Invalid old password"));
$smarty->assign('errortype', 'no_redirect_login');
......
......@@ -96,8 +96,6 @@ if (isset($_REQUEST['su'])) {
}
$requestedUser = isset($_REQUEST['user']) ? $_REQUEST['user'] : false;
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : false;
$challenge = isset($_REQUEST['challenge']) ? $_REQUEST['challenge'] : false;
$response = isset($_REQUEST['response']) ? $_REQUEST['response'] : false;
$isvalid = false;
$isdue = false;
// admin is always local
......@@ -198,7 +196,7 @@ if (isset($_REQUEST['intertiki']) and in_array($_REQUEST['intertiki'], array_key
}
} else {
// Verify user is valid
$ret = $userlib->validate_user($requestedUser, $pass, $challenge, $response);
$ret = $userlib->validate_user($requestedUser, $pass);
if (count($ret) == 3) {
$ret[] = null;
}
......
......@@ -27,13 +27,13 @@ if (isset($_REQUEST["user"])) {
die;
} elseif (!empty($_SESSION['last_validation'])) {
if ($_SESSION['last_validation']['actpass'] == $_REQUEST["pass"] && $_SESSION['last_validation']['user'] == $_REQUEST["user"]) {
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_SESSION['last_validation']['actpass'], '', '', true);
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_SESSION['last_validation']['actpass'], true);
} else {
$_SESSION['last_validation'] = null;
}
}
if (!$isvalid) {
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_REQUEST["pass"], '', '', true);
list($isvalid, $_REQUEST["user"], $error) = $userlib->validate_user($_REQUEST["user"], $_REQUEST["pass"], true);
$_SESSION['last_validation'] = $isvalid ? array('user' => $_REQUEST["user"], 'actpass' => $_REQUEST["pass"]) : null;
}
} else {
......
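Review bot: The remembered activation password on the context line just above the changed call is compared with `==` (`$_SESSION['last_validation']['actpass'] == $_REQUEST["pass"]`), which applies PHP numeric-string semantics (`'1e3' == '1000'` is true) and is not timing-safe; since this comparison decides whether the cached re-validation path runs, it should read `hash_equals((string) $_SESSION['last_validation']['actpass'], (string) $_REQUEST['pass'])` with `===` for the user-name check. The two rewritten lines only drop the removed challenge/response arguments and are otherwise fine. The enclosing if/elseif chain starts before the hunk.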
......@@ -192,9 +192,6 @@ if (!empty($varcheck_errors)) {
$smarty->display('error_raw.tpl');
die;
}
if ($prefs['feature_challenge'] == 'y') {
require_once ('lib/setup/challenge.php');
}
if ($prefs['feature_usermenu'] == 'y') {
require_once ('lib/setup/usermenu.php');
}
......
......@@ -476,7 +476,7 @@ if (($prefs['auth_method'] == 'ws') and (isset($_SERVER['REMOTE_USER']))) {
// Check for Shibboleth Login
if ($prefs['auth_method'] == 'shib' and isset($_SERVER['REMOTE_USER'])) {
// Validate the user (if not created create it)
if ($userlib->validate_user($_SERVER['REMOTE_USER'], "", "", "")) {
if ($userlib->validate_user($_SERVER['REMOTE_USER'], "")) {
$_SESSION["$user_cookie_site"] = $_SERVER['REMOTE_USER'];
}
}
......
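Review bot: `if ($userlib->validate_user($_SERVER['REMOTE_USER'], ""))` on the new side tests the truthiness of the returned array rather than the validation result; every other caller in this commit destructures it (e.g. `list($ok, $userwatch, $error) = ...`), and a non-empty array is always truthy, so the session user is set regardless of what validate_user decided. The defect predates this commit (only the arity changed), but the line is rewritten here, so this is the place to fix it: `list($isvalid) = $userlib->validate_user($_SERVER['REMOTE_USER'], "");` followed by `if ($isvalid) {`. Whether an unvalidated REMOTE_USER value is actually reachable depends on the Shibboleth SP configuration, which is not visible here.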
......@@ -272,7 +272,7 @@ if (isset($_REQUEST['chgadmin'])) {
if ($prefs['feature_intertiki'] == 'y' && !empty($prefs['feature_intertiki_mymaster'])) {
if ($ok = $userlib->intervalidate($prefs['interlist'][$prefs['feature_intertiki_mymaster']], $userwatch, $pass)) if ($ok->faultCode()) $ok = false;
} else {
list($ok, $userwatch, $error) = $userlib->validate_user($userwatch, $pass, '', '');
list($ok, $userwatch, $error) = $userlib->validate_user($userwatch, $pass);
}
if (!$ok) {
$smarty->assign('msg', tra("Invalid password. Your current password is required to change administrative information"));
......
......@@ -71,7 +71,7 @@ function getUserInfo($params)
$username = $usernamep->scalarval();
$passwordp = $params->getParam(2);
$password = $passwordp->scalarval();
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if ($ok) {
$myStruct = new XML_RPC_Value(
......@@ -117,7 +117,7 @@ function newPost($params)
$publish = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
}
......@@ -174,7 +174,7 @@ function editPost($params)
$publish = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
}
......@@ -231,7 +231,7 @@ function deletePost($params)
$publish = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
}
......@@ -278,7 +278,7 @@ function getPost($params)
$password = $passwordp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
}
......@@ -341,7 +341,7 @@ function getRecentPosts($params)
$number = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
}
......
......@@ -67,7 +67,7 @@ function getUserInfo($params)
$passwordp = $params->getParam(2);
$password = $passwordp->scalarval();
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if ($ok) {
$myStruct = new XML_RPC_Value(
......@@ -122,7 +122,7 @@ function newPost($params)
$content = preg_replace('#<title>(.*)</title>#', '', $content);
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
......@@ -190,7 +190,7 @@ function editPost($params)
$content = preg_replace('#<title>(.*)</title>#', '', $content);
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
......@@ -247,7 +247,7 @@ function deletePost($params)
$publish = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
......@@ -295,7 +295,7 @@ function getPost($params)
$password = $passwordp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
......@@ -365,7 +365,7 @@ function getRecentPosts($params)
$number = $passp->scalarval();
// Now check if the user is valid and if the user can post a submission
list($ok, $username, $e) = $userlib->validate_user($username, $password, '', '');
list($ok, $username, $e) = $userlib->validate_user($username, $password);
if (!$ok) {
return new XML_RPC_Response(0, 101, 'Invalid username or password');
......