albertlast / SMF2.1

Sources/Subs-Auth.php

Braces +168 added lines, -121 removed lines

@@ -13,8 +13,9 @@ 
  * @version 2.1 Beta 4
  */
 
-if (!defined('SMF'))
+if (!defined('SMF')) {
 	die('No direct access...');
+}
 
 /**
  * Sets the SMF-style login cookie and session based on the id_member and password passed.
@@ -47,8 +48,9 @@ 
 	if (isset($_COOKIE[$cookiename]))
 	{
 		// First check for 2.1 json-format cookie
-		if (preg_match('~^{"0":\d+,"1":"[0-9a-f]*","2":\d+,"3":"[^"]+","4":"[^"]+"~', $_COOKIE[$cookiename]) === 1)
-			list(,,, $old_domain, $old_path) = $smcFunc['json_decode']($_COOKIE[$cookiename], true);
+		if (preg_match('~^{"0":\d+,"1":"[0-9a-f]*","2":\d+,"3":"[^"]+","4":"[^"]+"~', $_COOKIE[$cookiename]) === 1) {
+					list(,,, $old_domain, $old_path) = $smcFunc['json_decode']($_COOKIE[$cookiename], true);
+		}
 
 		// Legacy format (for recent 2.0 --> 2.1 upgrades)
 		elseif (preg_match('~^a:[34]:\{i:0;i:\d+;i:1;s:(0|128):"([a-fA-F0-9]{128})?";i:2;[id]:\d+;(i:3;i:\d;)?~', $_COOKIE[$cookiename]) === 1)
@@ -58,15 +60,17 @@ 
 			$cookie_state = (empty($modSettings['localCookies']) ? 0 : 1) | (empty($modSettings['globalCookies']) ? 0 : 2);
 
 			// Maybe we need to temporarily pretend to be using local cookies
-			if ($cookie_state == 0 && $old_state == 1)
-				list($old_domain, $old_path) = url_parts(true, false);
-			else
-				list($old_domain, $old_path) = url_parts($old_state & 1 > 0, $old_state & 2 > 0);
+			if ($cookie_state == 0 && $old_state == 1) {
+							list($old_domain, $old_path) = url_parts(true, false);
+			} else {
+							list($old_domain, $old_path) = url_parts($old_state & 1 > 0, $old_state & 2 > 0);
+			}
 		}
 
 		// Out with the old, in with the new!
-		if (isset($old_domain) && $old_domain != $cookie_url[0] || isset($old_path) && $old_path != $cookie_url[1])
-			smf_setcookie($cookiename, $smcFunc['json_encode'](array(0, '', 0, $old_domain, $old_path), JSON_FORCE_OBJECT), 1, $old_path, $old_domain);
+		if (isset($old_domain) && $old_domain != $cookie_url[0] || isset($old_path) && $old_path != $cookie_url[1]) {
+					smf_setcookie($cookiename, $smcFunc['json_encode'](array(0, '', 0, $old_domain, $old_path), JSON_FORCE_OBJECT), 1, $old_path, $old_domain);
+		}
 	}
 
 	// Get the data and path to set it on.
@@ -82,8 +86,9 @@ 
 	smf_setcookie($cookiename, $data, $expiry_time, $cookie_url[1], $cookie_url[0]);
 
 	// If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
-	if (empty($id) && !empty($modSettings['globalCookies']))
-		smf_setcookie($cookiename, $data, $expiry_time, $cookie_url[1], '');
+	if (empty($id) && !empty($modSettings['globalCookies'])) {
+			smf_setcookie($cookiename, $data, $expiry_time, $cookie_url[1], '');
+	}
 
 	// Any alias URLs?  This is mainly for use with frames, etc.
 	if (!empty($modSettings['forum_alias_urls']))
@@ -99,8 +104,9 @@ 
 
 			$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
 
-			if ($cookie_url[0] == '')
-				$cookie_url[0] = strtok($alias, '/');
+			if ($cookie_url[0] == '') {
+							$cookie_url[0] = strtok($alias, '/');
+			}
 
 			$alias_data = $smcFunc['json_decode']($data, true);
 			$alias_data[3] = $cookie_url[0];
@@ -151,8 +157,9 @@ 
 	$identifier = $cookiename . '_tfa';
 	$cookie_url = url_parts(!empty($modSettings['localCookies']), !empty($modSettings['globalCookies']));
 
-	if ($preserve)
-		$cookie_length = 81600 * 30;
+	if ($preserve) {
+			$cookie_length = 81600 * 30;
+	}
 
 	// Get the data and path to set it on.
 	$data = $smcFunc['json_encode'](empty($id) ? array(0, '', 0, $cookie_url[0], $cookie_url[1], false) : array($id, $secret, time() + $cookie_length, $cookie_url[0], $cookie_url[1], $preserve), JSON_FORCE_OBJECT);
@@ -161,8 +168,9 @@ 
 	smf_setcookie($identifier, $data, time() + $cookie_length, $cookie_url[1], $cookie_url[0]);
 
 	// If subdomain-independent cookies are on, unset the subdomain-dependent cookie too.
-	if (empty($id) && !empty($modSettings['globalCookies']))
-		smf_setcookie($identifier, $data, time() + $cookie_length, $cookie_url[1], '');
+	if (empty($id) && !empty($modSettings['globalCookies'])) {
+			smf_setcookie($identifier, $data, time() + $cookie_length, $cookie_url[1], '');
+	}
 
 	$_COOKIE[$identifier] = $data;
 }
@@ -184,23 +192,28 @@ 
 	$parsed_url = parse_url($boardurl);
 
 	// Is local cookies off?
-	if (empty($parsed_url['path']) || !$local)
-		$parsed_url['path'] = '';
+	if (empty($parsed_url['path']) || !$local) {
+			$parsed_url['path'] = '';
+	}
 
-	if (!empty($modSettings['globalCookiesDomain']) && strpos($boardurl, $modSettings['globalCookiesDomain']) !== false)
-		$parsed_url['host'] = $modSettings['globalCookiesDomain'];
+	if (!empty($modSettings['globalCookiesDomain']) && strpos($boardurl, $modSettings['globalCookiesDomain']) !== false) {
+			$parsed_url['host'] = $modSettings['globalCookiesDomain'];
+	}
 
 	// Globalize cookies across domains (filter out IP-addresses)?
-	elseif ($global && preg_match('~^\d{1,3}(\.\d{1,3}){3}$~', $parsed_url['host']) == 0 && preg_match('~(?:[^\.]+\.)?([^\.]{2,}\..+)\z~i', $parsed_url['host'], $parts) == 1)
-		$parsed_url['host'] = '.' . $parts[1];
+	elseif ($global && preg_match('~^\d{1,3}(\.\d{1,3}){3}$~', $parsed_url['host']) == 0 && preg_match('~(?:[^\.]+\.)?([^\.]{2,}\..+)\z~i', $parsed_url['host'], $parts) == 1) {
+			$parsed_url['host'] = '.' . $parts[1];
+	}
 
 	// We shouldn't use a host at all if both options are off.
-	elseif (!$local && !$global)
-		$parsed_url['host'] = '';
+	elseif (!$local && !$global) {
+			$parsed_url['host'] = '';
+	}
 
 	// The host also shouldn't be set if there aren't any dots in it.
-	elseif (!isset($parsed_url['host']) || strpos($parsed_url['host'], '.') === false)
-		$parsed_url['host'] = '';
+	elseif (!isset($parsed_url['host']) || strpos($parsed_url['host'], '.') === false) {
+			$parsed_url['host'] = '';
+	}
 
 	return array($parsed_url['host'], $parsed_url['path'] . '/');
 }
@@ -219,8 +232,9 @@ 
 	createToken('login');
 
 	// Never redirect to an attachment
-	if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false)
-		$_SESSION['login_url'] = $_SERVER['REQUEST_URL'];
+	if (strpos($_SERVER['REQUEST_URL'], 'dlattach') === false) {
+			$_SESSION['login_url'] = $_SERVER['REQUEST_URL'];
+	}
 
 	$context['sub_template'] = 'kick_guest';
 	$context['page_title'] = $txt['login'];
@@ -275,10 +289,12 @@ 
 		$txt['security_wrong'] = sprintf($txt['security_wrong'], isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : $txt['unknown'], $_SERVER['HTTP_USER_AGENT'], $user_info['ip']);
 		log_error($txt['security_wrong'], 'critical');
 
-		if (isset($_POST[$type . '_hash_pass']))
-			unset($_POST[$type . '_hash_pass']);
-		if (isset($_POST[$type . '_pass']))
-			unset($_POST[$type . '_pass']);
+		if (isset($_POST[$type . '_hash_pass'])) {
+					unset($_POST[$type . '_hash_pass']);
+		}
+		if (isset($_POST[$type . '_pass'])) {
+					unset($_POST[$type . '_pass']);
+		}
 
 		$context['incorrect_password'] = true;
 	}
@@ -291,15 +307,17 @@ 
 
 	// Now go through $_POST.  Make sure the session hash is sent.
 	$_POST[$context['session_var']] = $context['session_id'];
-	foreach ($_POST as $k => $v)
-		$context['post_data'] .= adminLogin_outputPostVars($k, $v);
+	foreach ($_POST as $k => $v) {
+			$context['post_data'] .= adminLogin_outputPostVars($k, $v);
+	}
 
 	// Now we'll use the admin_login sub template of the Login template.
 	$context['sub_template'] = 'admin_login';
 
 	// And title the page something like "Login".
-	if (!isset($context['page_title']))
-		$context['page_title'] = $txt['login'];
+	if (!isset($context['page_title'])) {
+			$context['page_title'] = $txt['login'];
+	}
 
 	// The type of action.
 	$context['sessionCheckType'] = $type;
@@ -322,14 +340,15 @@ 
 {
 	global $smcFunc;
 
-	if (!is_array($v))
-		return '
+	if (!is_array($v)) {
+			return '
 <input type="hidden" name="' . $smcFunc['htmlspecialchars']($k) . '" value="' . strtr($v, array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;')) . '">';
-	else
+	} else
 	{
 		$ret = '';
-		foreach ($v as $k2 => $v2)
-			$ret .= adminLogin_outputPostVars($k . '[' . $k2 . ']', $v2);
+		foreach ($v as $k2 => $v2) {
+					$ret .= adminLogin_outputPostVars($k . '[' . $k2 . ']', $v2);
+		}
 
 		return $ret;
 	}
@@ -356,18 +375,20 @@ 
 		foreach ($get as $k => $v)
 		{
 			// Only if it's not already in the $scripturl!
-			if (!isset($temp[$k]))
-				$query_string .= urlencode($k) . '=' . urlencode($v) . ';';
+			if (!isset($temp[$k])) {
+							$query_string .= urlencode($k) . '=' . urlencode($v) . ';';
+			}
 			// If it changed, put it out there, but with an ampersand.
-			elseif ($temp[$k] != $get[$k])
-				$query_string .= urlencode($k) . '=' . urlencode($v) . '&amp;';
+			elseif ($temp[$k] != $get[$k]) {
+							$query_string .= urlencode($k) . '=' . urlencode($v) . '&amp;';
+			}
 		}
-	}
-	else
+	} else
 	{
 		// Add up all the data from $_GET into get_data.
-		foreach ($get as $k => $v)
-			$query_string .= urlencode($k) . '=' . urlencode($v) . ';';
+		foreach ($get as $k => $v) {
+					$query_string .= urlencode($k) . '=' . urlencode($v) . ';';
+		}
 	}
 
 	$query_string = substr($query_string, 0, -1);
@@ -390,8 +411,9 @@ 
 	global $scripturl, $user_info, $smcFunc;
 
 	// If it's not already an array, make it one.
-	if (!is_array($names))
-		$names = explode(',', $names);
+	if (!is_array($names)) {
+			$names = explode(',', $names);
+	}
 
 	$maybe_email = false;
 	$names_list = array();
@@ -403,10 +425,11 @@ 
 		$maybe_email |= strpos($name, '@') !== false;
 
 		// Make it so standard wildcards will work. (* and ?)
-		if ($use_wildcards)
-			$names[$i] = strtr($names[$i], array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_', '\'' => '&#039;'));
-		else
-			$names[$i] = strtr($names[$i], array('\'' => '&#039;'));
+		if ($use_wildcards) {
+					$names[$i] = strtr($names[$i], array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_', '\'' => '&#039;'));
+		} else {
+					$names[$i] = strtr($names[$i], array('\'' => '&#039;'));
+		}
 
 		$names_list[] = '{string:lookup_name_' . $i . '}';
 		$where_params['lookup_name_' . $i] = $names[$i];
@@ -419,11 +442,12 @@ 
 	$results = array();
 
 	// This ensures you can't search someones email address if you can't see it.
-	if (($use_wildcards || $maybe_email) && allowedTo('moderate_forum'))
-		$email_condition = '
+	if (($use_wildcards || $maybe_email) && allowedTo('moderate_forum')) {
+			$email_condition = '
 			OR (email_address ' . $comparison . ' \'' . implode('\') OR (email_address ' . $comparison . ' \'', $names) . '\')';
-	else
-		$email_condition = '';
+	} else {
+			$email_condition = '';
+	}
 
 	// Get the case of the columns right - but only if we need to as things like MySQL will go slow needlessly otherwise.
 	$member_name = $smcFunc['db_case_sensitive'] ? 'LOWER(member_name)' : 'member_name';
@@ -482,10 +506,11 @@ 
 	$context['template_layers'] = array();
 	$context['sub_template'] = 'find_members';
 
-	if (isset($_REQUEST['search']))
-		$context['last_search'] = $smcFunc['htmlspecialchars']($_REQUEST['search'], ENT_QUOTES);
-	else
-		$_REQUEST['start'] = 0;
+	if (isset($_REQUEST['search'])) {
+			$context['last_search'] = $smcFunc['htmlspecialchars']($_REQUEST['search'], ENT_QUOTES);
+	} else {
+			$_REQUEST['start'] = 0;
+	}
 
 	// Allow the user to pass the input to be added to to the box.
 	$context['input_box_name'] = isset($_REQUEST['input']) && preg_match('~^[\w-]+$~', $_REQUEST['input']) === 1 ? $_REQUEST['input'] : 'to';
@@ -526,10 +551,10 @@ 
 		);
 
 		$context['results'] = array_slice($context['results'], $_REQUEST['start'], 7);
+	} else {
+			$context['links']['up'] = $scripturl . '?action=pm;sa=send' . (empty($_REQUEST['u']) ? '' : ';u=' . $_REQUEST['u']);
+	}
 	}
-	else
-		$context['links']['up'] = $scripturl . '?action=pm;sa=send' . (empty($_REQUEST['u']) ? '' : ';u=' . $_REQUEST['u']);
-}
 
 /**
  * Outputs each member name on its own line.
@@ -545,8 +570,9 @@ 
 	$_REQUEST['search'] = trim($smcFunc['strtolower']($_REQUEST['search']));
 	$_REQUEST['search'] = strtr($_REQUEST['search'], array('%' => '\%', '_' => '\_', '*' => '%', '?' => '_', '&#038;' => '&amp;'));
 
-	if (function_exists('iconv'))
-		header('Content-Type: text/plain; charset=UTF-8');
+	if (function_exists('iconv')) {
+			header('Content-Type: text/plain; charset=UTF-8');
+	}
 
 	$request = $smcFunc['db_query']('', '
 		SELECT real_name
@@ -566,14 +592,16 @@ 
 		if (function_exists('iconv'))
 		{
 			$utf8 = iconv($txt['lang_character_set'], 'UTF-8', $row['real_name']);
-			if ($utf8)
-				$row['real_name'] = $utf8;
+			if ($utf8) {
+							$row['real_name'] = $utf8;
+			}
 		}
 
 		$row['real_name'] = strtr($row['real_name'], array('&amp;' => '&#038;', '&lt;' => '&#060;', '&gt;' => '&#062;', '&quot;' => '&#034;'));
 
-		if (preg_match('~&#\d+;~', $row['real_name']) != 0)
-			$row['real_name'] = preg_replace_callback('~&#(\d+);~', 'fixchar__callback', $row['real_name']);
+		if (preg_match('~&#\d+;~', $row['real_name']) != 0) {
+					$row['real_name'] = preg_replace_callback('~&#(\d+);~', 'fixchar__callback', $row['real_name']);
+		}
 
 		echo $row['real_name'], "\n";
 	}
@@ -630,9 +658,9 @@ 
 
 		// Update the database...
 		updateMemberData($memID, array('member_name' => $user, 'passwd' => $newPassword_sha1));
+	} else {
+			updateMemberData($memID, array('passwd' => $newPassword_sha1));
 	}
-	else
-		updateMemberData($memID, array('passwd' => $newPassword_sha1));
 
 	call_integration_hook('integrate_reset_pass', array($old_user, $user, $newPassword));
 
@@ -663,31 +691,37 @@ 
 	$errors = array();
 
 	// Don't use too long a name.
-	if ($smcFunc['strlen']($username) > 25)
-		$errors[] = array('lang', 'error_long_name');
+	if ($smcFunc['strlen']($username) > 25) {
+			$errors[] = array('lang', 'error_long_name');
+	}
 
 	// No name?!  How can you register with no name?
-	if ($username == '')
-		$errors[] = array('lang', 'need_username');
+	if ($username == '') {
+			$errors[] = array('lang', 'need_username');
+	}
 
 	// Only these characters are permitted.
-	if (in_array($username, array('_', '|')) || preg_match('~[<>&"\'=\\\\]~', preg_replace('~&#(?:\\d{1,7}|x[0-9a-fA-F]{1,6});~', '', $username)) != 0 || strpos($username, '[code') !== false || strpos($username, '[/code') !== false)
-		$errors[] = array('lang', 'error_invalid_characters_username');
+	if (in_array($username, array('_', '|')) || preg_match('~[<>&"\'=\\\\]~', preg_replace('~&#(?:\\d{1,7}|x[0-9a-fA-F]{1,6});~', '', $username)) != 0 || strpos($username, '[code') !== false || strpos($username, '[/code') !== false) {
+			$errors[] = array('lang', 'error_invalid_characters_username');
+	}
 
-	if (stristr($username, $txt['guest_title']) !== false)
-		$errors[] = array('lang', 'username_reserved', 'general', array($txt['guest_title']));
+	if (stristr($username, $txt['guest_title']) !== false) {
+			$errors[] = array('lang', 'username_reserved', 'general', array($txt['guest_title']));
+	}
 
 	if ($check_reserved_name)
 	{
 		require_once($sourcedir . '/Subs-Members.php');
-		if (isReservedName($username, $memID, false))
-			$errors[] = array('done', '(' . $smcFunc['htmlspecialchars']($username) . ') ' . $txt['name_in_use']);
+		if (isReservedName($username, $memID, false)) {
+					$errors[] = array('done', '(' . $smcFunc['htmlspecialchars']($username) . ') ' . $txt['name_in_use']);
+		}
 	}
 
-	if ($return_error)
-		return $errors;
-	elseif (empty($errors))
-		return null;
+	if ($return_error) {
+			return $errors;
+	} elseif (empty($errors)) {
+			return null;
+	}
 
 	loadLanguage('Errors');
 	$error = $errors[0];
@@ -713,22 +747,26 @@ 
 	global $modSettings, $smcFunc;
 
 	// Perform basic requirements first.
-	if ($smcFunc['strlen']($password) < (empty($modSettings['password_strength']) ? 4 : 8))
-		return 'short';
+	if ($smcFunc['strlen']($password) < (empty($modSettings['password_strength']) ? 4 : 8)) {
+			return 'short';
+	}
 
 	// Is this enough?
-	if (empty($modSettings['password_strength']))
-		return null;
+	if (empty($modSettings['password_strength'])) {
+			return null;
+	}
 
 	// Otherwise, perform the medium strength test - checking if password appears in the restricted string.
-	if (preg_match('~\b' . preg_quote($password, '~') . '\b~', implode(' ', $restrict_in)) != 0)
-		return 'restricted_words';
-	elseif ($smcFunc['strpos']($password, $username) !== false)
-		return 'restricted_words';
+	if (preg_match('~\b' . preg_quote($password, '~') . '\b~', implode(' ', $restrict_in)) != 0) {
+			return 'restricted_words';
+	} elseif ($smcFunc['strpos']($password, $username) !== false) {
+			return 'restricted_words';
+	}
 
 	// If just medium, we're done.
-	if ($modSettings['password_strength'] == 1)
-		return null;
+	if ($modSettings['password_strength'] == 1) {
+			return null;
+	}
 
 	// Otherwise, hard test next, check for numbers and letters, uppercase too.
 	$good = preg_match('~(\D\d|\d\D)~', $password) != 0;
@@ -760,14 +798,16 @@ 
 			)
 		);
 		$groups = array();
-		while ($row = $smcFunc['db_fetch_assoc']($request))
-			$groups[] = $row['id_group'];
+		while ($row = $smcFunc['db_fetch_assoc']($request)) {
+					$groups[] = $row['id_group'];
+		}
 		$smcFunc['db_free_result']($request);
 
-		if (empty($groups))
-			$group_query = '0=1';
-		else
-			$group_query = 'id_group IN (' . implode(',', $groups) . ')';
+		if (empty($groups)) {
+					$group_query = '0=1';
+		} else {
+					$group_query = 'id_group IN (' . implode(',', $groups) . ')';
+		}
 	}
 
 	// Then, same again, just the boards this time!
@@ -777,10 +817,11 @@ 
 	{
 		$boards = boardsAllowedTo('moderate_board', true);
 
-		if (empty($boards))
-			$board_query = '0=1';
-		else
-			$board_query = 'id_board IN (' . implode(',', $boards) . ')';
+		if (empty($boards)) {
+					$board_query = '0=1';
+		} else {
+					$board_query = 'id_board IN (' . implode(',', $boards) . ')';
+		}
 	}
 
 	// What boards are they the moderator of?
@@ -795,8 +836,9 @@ 
 				'current_member' => $user_info['id'],
 			)
 		);
-		while ($row = $smcFunc['db_fetch_assoc']($request))
-			$boards_mod[] = $row['id_board'];
+		while ($row = $smcFunc['db_fetch_assoc']($request)) {
+					$boards_mod[] = $row['id_board'];
+		}
 		$smcFunc['db_free_result']($request);
 
 		// Can any of the groups they're in moderate any of the boards?
@@ -808,8 +850,9 @@ 
 				'groups' => $user_info['groups'],
 			)
 		);
-		while ($row = $smcFunc['db_fetch_assoc']($request))
-			$boards_mod[] = $row['id_board'];
+		while ($row = $smcFunc['db_fetch_assoc']($request)) {
+					$boards_mod[] = $row['id_board'];
+		}
 		$smcFunc['db_free_result']($request);
 
 		// Just in case we've got duplicates here...
@@ -854,10 +897,12 @@ 
 	global $modSettings;
 
 	// In case a customization wants to override the default settings
-	if ($httponly === null)
-		$httponly = !empty($modSettings['httponlyCookies']);
-	if ($secure === null)
-		$secure = !empty($modSettings['secureCookies']);
+	if ($httponly === null) {
+			$httponly = !empty($modSettings['httponlyCookies']);
+	}
+	if ($secure === null) {
+			$secure = !empty($modSettings['secureCookies']);
+	}
 
 	// Intercept cookie?
 	call_integration_hook('integrate_cookie', array($name, $value, $expire, $path, $domain, $secure, $httponly));
@@ -877,8 +922,9 @@ 
 function hash_password($username, $password, $cost = null)
 {
 	global $sourcedir, $smcFunc, $modSettings;
-	if (!function_exists('password_hash'))
-		require_once($sourcedir . '/Subs-Password.php');
+	if (!function_exists('password_hash')) {
+			require_once($sourcedir . '/Subs-Password.php');
+	}
 
 	$cost = empty($cost) ? (empty($modSettings['bcrypt_hash_cost']) ? 10 : $modSettings['bcrypt_hash_cost']) : $cost;
 
@@ -910,8 +956,9 @@ 
 function hash_verify_password($username, $password, $hash)
 {
 	global $sourcedir, $smcFunc;
-	if (!function_exists('password_verify'))
-		require_once($sourcedir . '/Subs-Password.php');
+	if (!function_exists('password_verify')) {
+			require_once($sourcedir . '/Subs-Password.php');
+	}
 
 	return password_verify($smcFunc['strtolower']($username) . $password, $hash);
 }