#
#
# patch "skel/monotonerc"
# from [8758e0a8be6e6affa3eb966fbbffcdb46a32b946]
# to [f6760ff68af902d1e6ecbde57097b7085fa1de91]
#
# patch "www/common.php"
# from [37e91cbd376ee1e8fbbba7c04c0aba99c16bc1ba]
# to [bbc7521adf962914983c9ac5dd801693075f9461]
#
# patch "www/login.php"
# from [059f010ebc7b0b3dece03207fc009ac0be3b4da9]
# to [7dffbbb7499011ce9ae28bff03d91ad185d2027f]
#
# patch "www/sidebar.php"
# from [d60cb6c9778ff7291dadf83f2c7d17b3698cda0f]
# to [14624d84c31ca34d0b93fbf79f62350ee7c20e9a]
#
============================================================
--- skel/monotonerc 8758e0a8be6e6affa3eb966fbbffcdb46a32b946
+++ skel/monotonerc f6760ff68af902d1e6ecbde57097b7085fa1de91
@@ -14,7 +14,7 @@
for j, val in pairs(item.values) do
hostkey = val
end
- end elseif item.name == "hostkeypass" then
+ elseif item.name == "hostkeypass" then
for j, val in pairs(item.values) do
hostkeypass = val
end
@@ -23,7 +23,7 @@
return false
end
-read_config
+read_config();
function get_passphrase(keyid)
if keyid == hostkey then
============================================================
--- www/common.php 37e91cbd376ee1e8fbbba7c04c0aba99c16bc1ba
+++ www/common.php bbc7521adf962914983c9ac5dd801693075f9461
@@ -47,20 +47,47 @@
include("JSON.php");
$json = new Services_JSON();
+function mktok($username, $shapass, $t) {
+ $secfile = dirname(__FILE__) . "/../secfile";
+ if (!is_file($secfile)) {
+ $dat = "";
+ foreach (array("/dev/random", "/dev/urandom") as $fn) {
+ $fd = fopen($fn, "rb");
+ if ($fd) {
+ $dat = $dat . fread($fd, 20);
+ fclose($fd);
+ }
+ }
+ file_put_contents($secfile, $dat);
+ chmod($secfile, 0400);
+ }
+ return sha1($username . $shapass . $t . file_get_contents($secfile));
+}
+
if ($_REQUEST['username'] && $_REQUEST['password']) {
$username = $_REQUEST['username'];
- $password = $_REQUEST['password'];
+ if ($_REQUEST['password'] != "") {
+ $shapass = sha1($_REQUEST['password']);
+ }
} else if ($_COOKIE['AUTH']) {
$auth = $json->decode(stripslashes($_COOKIE['AUTH']));
- $username = $auth->username;
- $password = $auth->password;
+ do {
+ if ($auth->token != mktok($auth->username, $auth->password,
+ $auth->expiration)) {
+ break;
+ }
+ if ($auth->expiration < time()) {
+ break;
+ }
+ $username = $auth->username;
+ $shapass = $auth->password;
+ } while (false);
} else {
$username = '';
- $password = '';
+ $shapass = '';
}
$safeuser = pg_escape_string($username);
-$safepass = pg_escape_string($password);
$validuser = false;
$db = pg_connect($dbstring);
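Review bot: The cookie check `if ($auth->token != mktok($auth->username, $auth->password, $auth->expiration))` uses PHP's loose `!=` on two hex digests; two strings of the form `0e<digits>` compare equal as numbers under `==`, so an attacker who can steer mktok() into producing such a token gets a forgery chance that a strict compare does not give — use `!==` (or `hash_equals()` where the PHP version has it), and cast the attacker-supplied `$auth->expiration` with `(int)` before the `< time()` test. mktok() itself hashes `$username . $shapass . $t` with no delimiter between variable-length fields and with the secret merely appended rather than used as a key, and if neither /dev/random nor /dev/urandom can be opened `$dat` stays empty, an empty secret is written with the process umask and then chmod'ed to 0400 and reused forever. The rewrite below delimits the fields, refuses to proceed without entropy material, narrows the umask before creating the file, and switches to `hash_hmac()` (PHP 5.1.2+; confirm it is available for this deployment's PHP).
```php
function mktok($username, $shapass, $t) {
    $secfile = dirname(__FILE__) . "/../secfile";
    if (!is_file($secfile)) {
        // … unchanged: read 20 bytes from each of /dev/random and /dev/urandom into $dat …
        if (strlen($dat) < 20) {
            trigger_error("mktok: no entropy source available", E_USER_ERROR);
        }
        $oldmask = umask(0077);   // no window where the secret is group/world-readable
        file_put_contents($secfile, $dat);
        umask($oldmask);
        chmod($secfile, 0400);
    }
    // NUL-delimit the fields so a shifted (username, shapass, t) split cannot collide.
    return hash_hmac('sha1', $username . "\0" . $shapass . "\0" . $t,
                     file_get_contents($secfile));
}
```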
@@ -70,7 +97,7 @@
$rows = pg_numrows($result);
if ($rows == 1) {
$row = pg_fetch_row ($result, 0);
- if ($row[0] === $password) {
+ if ($row[0] == $shapass) {
$validuser = true;
}
}
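Review bot: Replacing `$row[0] === $password` with `$row[0] == $shapass` weakens the password check: both operands are now sha1 hex strings, and PHP's loose `==` compares two numeric-looking strings numerically, so a stored hash of the form `0e<digits>` matches every candidate hash of the same form (the "magic hash" collision class). Keep the strict comparison, `if ($row[0] === $shapass) {`, or use `hash_equals($row[0], $shapass)` where the deployed PHP provides it. The query/result block this sits in starts outside the hunk.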
============================================================
--- www/login.php 059f010ebc7b0b3dece03207fc009ac0be3b4da9
+++ www/login.php 7dffbbb7499011ce9ae28bff03d91ad185d2027f
@@ -1,7 +1,18 @@
include("common.php");
$location = $_REQUEST['location'];
+function docookie($username, $shapass) {
+ global $json;
+ $t = time() + 60*60*24*7;
+ $auth = array(
+ 'username' => $username,
+ 'password' => $shapass,
+ 'expiration' => $t,
+ 'token' => mktok($username, $shapass, $t));
+ setcookie('AUTH', $json->encode($auth), 0, '/');
+}
+
function page_head() {
global $validuser, $username, $location;
$level = 'main';
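Review bot: `setcookie('AUTH', $json->encode($auth), 0, '/')` in docookie() sends the password hash and token without the HttpOnly or Secure flags, so any script injection on the site can read the credential cookie and it also travels over plain HTTP. If the deployment's PHP supports the extra parameters (httponly needs 5.2+), use `setcookie('AUTH', $json->encode($auth), 0, '/', '', true, true);`, or at minimum pass `true` for httponly. Note also that the seven-day `expiration` is enforced only server-side by the token; the browser cookie itself is session-lifetime (the `0` expiry). page_head() at the end of the hunk continues outside it.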
@@ -28,7 +39,7 @@
Logged out.
} else if ($_REQUEST['newuser']) {
- if ($username == "" || $password == "") {
+ if ($username == "" || $shapass == "") {
$res = "Your username and password cannot be blank.
\n";
} else {
pg_exec($db, "BEGIN");
@@ -39,7 +50,7 @@
$res = "Internal server error.
\n";
} else if (pg_numrows($result) == 0) {
$query = "INSERT INTO users (username, password) VALUES ('%s', '%s')";
- pg_exec($db, sprintf($query, $safeuser, $safepass));
+ pg_exec($db, sprintf($query, $safeuser, $shapass));
$res = "Added user $username.
\n";
$validuser = true;
} else {
@@ -47,10 +58,7 @@
}
pg_exec($db, "END");
}
- $auth = array(
- 'username' => $username,
- 'password' => $password);
- setcookie('AUTH', $json->encode($auth), 0, '/');
+ docookie($username, $shapass);
page_head();
print $res;
} else if ($_REQUEST['newpass']) {
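Review bot: `docookie($username, $shapass);` runs on every path through the newuser branch, including the "cannot be blank" and user-already-exists failures, so a credential cookie carrying the submitted hash is issued even though `$validuser` stays false (the code this replaces behaved the same way, so this is pre-existing, but the new helper makes it easy to fix). Guard it: `if ($validuser) { docookie($username, $shapass); }`. The newuser branch begins outside the hunk.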
@@ -58,12 +66,11 @@
$res = "Username or password incorrect.";
} else {
$newpass = $_REQUEST['newpass'];
- $safenew = pg_escape_string($newpass);
if ($newpass == "") {
$res = "Your new password cannot be blank.";
} else {
$query = "UPDATE users SET password = '%s' WHERE username = '%s'";
- $result = pg_exec($db, sprintf($query, $safenew, $safeuser));
+ $result = pg_exec($db, sprintf($query, sha1($newpass), $safeuser));
if(!result) {
$res = "Internal server error.";
} else {
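Review bot: `if(!result)` on the line after the UPDATE is missing the `$` sigil, so it tests the bare-word string "result" (always truthy) and the "Internal server error." branch can never run; it is context here rather than new code, but the fix is `if (!$result) {`. Separately, `sha1($newpass)` — like the user-creation and login paths in this patch — stores an unsalted fast hash, so a leaked users table is directly attackable with precomputed tables; if the scheme is revisited, a per-user salted `crypt()` hash would also require the comparison in common.php to change in step. The enclosing branch starts outside the hunk.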
@@ -75,10 +82,7 @@
print $res;
} else {
if ($validuser) {
- $auth = array(
- 'username' => $username,
- 'password' => $password);
- setcookie('AUTH', $json->encode($auth), 0, '/');
+ docookie($username, $shapass);
page_head();
?>
Logged in.
============================================================
--- www/sidebar.php d60cb6c9778ff7291dadf83f2c7d17b3698cda0f
+++ www/sidebar.php 14624d84c31ca34d0b93fbf79f62350ee7c20e9a
@@ -16,7 +16,7 @@
Username:
Password:
-
+
@@ -36,13 +36,13 @@
if ($level == 'project') {?>
Project info
Maintainer section
- Browse source
$query = "SELECT name, url FROM resources WHERE project = '%s'";
$result = pg_exec($db, sprintf($query, $safeproj));
$out = array();
+ print "
Project resources:\n