# 
# 
# patch "skel/monotonerc"
#  from [8758e0a8be6e6affa3eb966fbbffcdb46a32b946]
#    to [f6760ff68af902d1e6ecbde57097b7085fa1de91]
# 
# patch "www/common.php"
#  from [37e91cbd376ee1e8fbbba7c04c0aba99c16bc1ba]
#    to [bbc7521adf962914983c9ac5dd801693075f9461]
# 
# patch "www/login.php"
#  from [059f010ebc7b0b3dece03207fc009ac0be3b4da9]
#    to [7dffbbb7499011ce9ae28bff03d91ad185d2027f]
# 
# patch "www/sidebar.php"
#  from [d60cb6c9778ff7291dadf83f2c7d17b3698cda0f]
#    to [14624d84c31ca34d0b93fbf79f62350ee7c20e9a]
# 
============================================================
--- skel/monotonerc	8758e0a8be6e6affa3eb966fbbffcdb46a32b946
+++ skel/monotonerc	f6760ff68af902d1e6ecbde57097b7085fa1de91
@@ -14,7 +14,7 @@
          for j, val in pairs(item.values) do
             hostkey = val
          end
-      end elseif item.name == "hostkeypass" then
+      elseif item.name == "hostkeypass" then
          for j, val in pairs(item.values) do
             hostkeypass = val
          end
@@ -23,7 +23,7 @@
    return false
 end
 
-read_config
+read_config();
 
 function get_passphrase(keyid)
 	if keyid == hostkey then
============================================================
--- www/common.php	37e91cbd376ee1e8fbbba7c04c0aba99c16bc1ba
+++ www/common.php	bbc7521adf962914983c9ac5dd801693075f9461
@@ -47,20 +47,47 @@
 include("JSON.php");
 $json = new Services_JSON();
 
+function mktok($username, $shapass, $t) {
+	$secfile = dirname(__FILE__) . "/../secfile";
+	if (!is_file($secfile)) {
+		$dat = "";
+		foreach (array("/dev/random", "/dev/urandom") as $fn) {
+			$fd = fopen($fn, "rb");
+			if ($fd) {
+				$dat = $dat . fread($fd, 20);
+				fclose($fd);
+			}
+		}
+		file_put_contents($secfile, $dat);
+		chmod($secfile, 0400);
+	}
+	return sha1($username . $shapass . $t . file_get_contents($secfile));
+}
+
 if ($_REQUEST['username'] && $_REQUEST['password']) {
 	$username = $_REQUEST['username'];
-	$password = $_REQUEST['password'];
+	if ($_REQUEST['password'] != "") {
+		$shapass = sha1($_REQUEST['password']);
+	}
 } else if ($_COOKIE['AUTH']) {
 	$auth = $json->decode(stripslashes($_COOKIE['AUTH']));
-	$username = $auth->username;
-	$password = $auth->password;
+	do {
+		if ($auth->token != mktok($auth->username, $auth->password,
+				$auth->expiration)) {
+			break;
+		}
+		if ($auth->expiration < time()) {
+			break;
+		}
+		$username = $auth->username;
+		$shapass = $auth->password;
+	} while (false);
 } else {
 	$username = '';
-	$password = '';
+	$shapass = '';
 }
 
 $safeuser = pg_escape_string($username);
-$safepass = pg_escape_string($password);
 
 $validuser = false;
 $db = pg_connect($dbstring);
@@ -70,7 +97,7 @@
 	$rows = pg_numrows($result);
 	if ($rows == 1) {
 		$row = pg_fetch_row ($result, 0);
-		if ($row[0] === $password) {
+		if ($row[0] == $shapass) {
 			$validuser = true;
 		}
 	}
============================================================
--- www/login.php	059f010ebc7b0b3dece03207fc009ac0be3b4da9
+++ www/login.php	7dffbbb7499011ce9ae28bff03d91ad185d2027f
@@ -1,7 +1,18 @@
 <?
 include("common.php");
 $location = $_REQUEST['location'];
 
+function docookie($username, $shapass) {
+	global $json;
+	$t = time() + 60*60*24*7;
+	$auth = array(
+		'username' => $username,
+		'password' => $shapass,
+		'expiration' => $t,
+		'token' => mktok($username, $shapass, $t));
+	setcookie('AUTH', $json->encode($auth), 0, '/');
+}
+
 function page_head() {
 	global $validuser, $username, $location;
 	$level = 'main';
@@ -28,7 +39,7 @@
 	Logged out.<br/>
 	<?
 } else if ($_REQUEST['newuser']) {
-	if ($username == "" || $password == "") {
+	if ($username == "" || $shapass == "") {
 		$res = "Your username and password cannot be blank.<br/>\n";
 	} else {
 		pg_exec($db, "BEGIN");
@@ -39,7 +50,7 @@
 			$res = "Internal server error.<br/>\n";
 		} else if (pg_numrows($result) == 0) {
 			$query = "INSERT INTO users (username, password) VALUES ('%s', '%s')";
-			pg_exec($db, sprintf($query, $safeuser, $safepass));
+			pg_exec($db, sprintf($query, $safeuser, $shapass));
 			$res = "Added user $username.<br/>\n";
 			$validuser = true;
 		} else {
@@ -47,10 +58,7 @@
 		}
 		pg_exec($db, "END");
 	}
-	$auth = array(
-		'username' => $username,
-		'password' => $password);
-	setcookie('AUTH', $json->encode($auth), 0, '/');
+	docookie($username, $shapass);
 	page_head();
 	print $res;
 } else if ($_REQUEST['newpass']) {
@@ -58,12 +66,11 @@
 		$res = "Username or password incorrect.";
 	} else {
 		$newpass = $_REQUEST['newpass'];
-		$safenew = pg_escape_string($newpass);
 		if ($newpass == "") {
 			$res = "Your new password cannot be blank.";
 		} else {
 			$query = "UPDATE users SET password = '%s' WHERE username = '%s'";
-			$result = pg_exec($db, sprintf($query, $safenew, $safeuser));
+			$result = pg_exec($db, sprintf($query, sha1($newpass), $safeuser));
 			if(!result) {
 				$res = "Internal server error.";
 			} else {
@@ -75,10 +82,7 @@
 	print $res;
 } else {
 	if ($validuser) {
-		$auth = array(
-			'username' => $username,
-			'password' => $password);
-		setcookie('AUTH', $json->encode($auth), 0, '/');
+		docookie($username, $shapass);
 		page_head();
 		?>
 		Logged in.<br/>
============================================================
--- www/sidebar.php	d60cb6c9778ff7291dadf83f2c7d17b3698cda0f
+++ www/sidebar.php	14624d84c31ca34d0b93fbf79f62350ee7c20e9a
@@ -16,7 +16,7 @@
 	Username:<br/>
 	<input type="text" name="username" id="username" value="<?=$username?>"/><br/>
 	Password:<br/>
-	<input type="password" name="password" id="password" value="<?=$password?>"/><br/>
+	<input type="password" name="password" id="password"/><br/>
 	<input type="hidden" name="location" value="<?=$location?$location:$_SERVER['PHP_SELF']?>"/>
 	<input type="submit" value="Login" name="login"/> <input type="submit" value="New user" name="newuser"/>
 	</form>
@@ -36,13 +36,13 @@
 <? if ($level == 'project') {?>
 	<a href="index.php">Project info</a><br/>
 	<a href="admin.php">Maintainer section</a><br/>
-	<a href="viewmtn/">Browse source</a><br/>
 	<?
 	$query = "SELECT name, url FROM resources WHERE project = '%s'";
 	$result = pg_exec($db, sprintf($query, $safeproj));
 	$out = array();
+	print "<br/>Project resources:\n<ul>";
+	print "<li><a href=\"viewmtn/\">Source browser</a><br/></li>";
 	if ($result) {
-		print "<br/>Project resources:\n<ul>";
 		$rows = pg_numrows($result);
 		for($i = 0; $i < $rows; ++$i) {
 			$row = pg_fetch_row ($result,$i);
@@ -51,8 +51,8 @@
 			print "<li><a href=\"" . $row[1] . "\">" .
 				$row[0] . "</a></li>\n";
 		}
-		print "</ul>\n";
 	}
+	print "</ul>\n";
 }
 ?>
 </div>