1 | <?php |
||
2 | |||
3 | //------------------------------------------------------------------------------ |
||
4 | // |
||
5 | // eTraxis - Records tracking web-based system |
||
6 | // Copyright (C) 2004-2011 Artem Rodygin |
||
7 | // |
||
8 | // This program is free software: you can redistribute it and/or modify |
||
9 | // it under the terms of the GNU General Public License as published by |
||
10 | // the Free Software Foundation, either version 3 of the License, or |
||
11 | // (at your option) any later version. |
||
12 | // |
||
13 | // This program is distributed in the hope that it will be useful, |
||
14 | // but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
15 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
16 | // GNU General Public License for more details. |
||
17 | // |
||
18 | // You should have received a copy of the GNU General Public License |
||
19 | // along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
20 | // |
||
21 | //------------------------------------------------------------------------------ |
||
22 | |||
23 | /** |
||
24 | * Sessions |
||
25 | * |
||
26 | * This module implements user sessions in eTraxis. |
||
27 | * |
||
28 | * @package Engine |
||
29 | * @subpackage Sessions |
||
30 | */ |
||
31 | |||
32 | /**#@+ |
||
33 | * Dependency. |
||
34 | */ |
||
35 | require_once('../engine/debug.php'); |
||
36 | require_once('../engine/timezone.php'); |
||
37 | require_once('../engine/locale.php'); |
||
38 | require_once('../engine/cookies.php'); |
||
39 | require_once('../engine/dal.php'); |
||
40 | require_once('../engine/ldap.php'); |
||
41 | require_once('../dbo/accounts.php'); |
||
42 | /**#@-*/ |
||
43 | |||
44 | //------------------------------------------------------------------------------ |
||
45 | // Definitions. |
||
46 | //------------------------------------------------------------------------------ |
||
47 | |||
/**#@+
 * Name of a session variable (key into $_SESSION).
 *
 * VAR_LOCALE is also read and written by this module but is not defined
 * here; presumably it comes from one of the required engine files.
 */
define('VAR_ERROR',            'eTraxis_Error');
define('VAR_USERID',           'eTraxis_UserID');
define('VAR_USERNAME',         'eTraxis_UserName');
define('VAR_FULLNAME',         'eTraxis_FullName');
define('VAR_PASSWD_EXPIRE',    'eTraxis_PasswdExpire');
define('VAR_ISADMIN',          'eTraxis_IsAdmin');
define('VAR_LDAPUSER',         'eTraxis_LdapUser');
define('VAR_TIMEZONE',         'eTraxis_Timezone');
define('VAR_TEXTROWS',         'eTraxis_TextRows');
define('VAR_PAGEROWS',         'eTraxis_PageRows');
define('VAR_PAGEBKMS',         'eTraxis_PageBkms');
define('VAR_AUTO_REFRESH',     'eTraxis_AutoRefresh');
define('VAR_DELIMITER',        'eTraxis_Delimiter');
define('VAR_ENCODING',         'eTraxis_Encoding');
define('VAR_LINE_ENDINGS',     'eTraxis_LineEndings');
define('VAR_VIEW',             'eTraxis_View');
define('VAR_THEME_NAME',       'eTraxis_ThemeName');
define('VAR_SEARCH_MODE',      'eTraxis_SearchMode');
define('VAR_SEARCH_TEXT',      'eTraxis_SearchText');
define('VAR_USE_FILTERS',      'eTraxis_UseFilter');
define('VAR_LDAP_ENUMERATION', 'eTraxis_LdapEnumeration');
/**#@-*/

/**#@+
 * User level, as returned by {@link get_user_level}.
 */
define('USER_LEVEL_GUEST',  1);
define('USER_LEVEL_NORMAL', 2);
define('USER_LEVEL_ADMIN',  3);
/**#@-*/

/**
 * Account ID that stands for "nobody is logged in".
 */
define('GUEST_USER_ID', 0);

/**#@+
 * Type of a page to be loaded (first argument of {@link init_page}).
 */
define('LOAD_CONTAINER', 1);
define('LOAD_TAB',       2);
define('LOAD_INLINE',    3);
define('LOAD_RSS',       4);
/**#@-*/

/**
 * Convenience value for the second argument of {@link init_page}:
 * the page may be viewed without logging in.
 */
define('GUEST_IS_ALLOWED', true);

// Character sets offered for CSV export; the key is what is stored in the
// account record (csv_encoding), the value is the IANA-style charset name.
$encodings = array(
    1  => 'UTF-8',
    2  => 'UCS-2',
    3  => 'ISO-8859-1',
    4  => 'ISO-8859-2',
    5  => 'ISO-8859-3',
    6  => 'ISO-8859-4',
    7  => 'ISO-8859-5',
    8  => 'ISO-8859-6',
    9  => 'ISO-8859-7',
    10 => 'ISO-8859-8',
    11 => 'ISO-8859-9',
    12 => 'ISO-8859-10',
    13 => 'ISO-8859-13',
    14 => 'ISO-8859-14',
    15 => 'ISO-8859-15',
    16 => 'KOI8-R',
    17 => 'Windows-1251',
    18 => 'Windows-1252',
);

// Line-ending conventions for CSV export: display names and the actual
// characters, both keyed by the value stored in the account record
// (csv_line_ends).
$line_endings_names = array(
    1 => 'Windows',
    2 => 'Unix',
    3 => 'Mac',
);

$line_endings_chars = array(
    1 => "\r\n",
    2 => "\n",
    3 => "\r",
);

/**#@+
 * Default value of a user setting, applied by {@link open_session}.
 */
define('DEFAULT_PAGE_ROWS',    20);
define('DEFAULT_PAGE_BKMS',    10);
define('DEFAULT_AUTO_REFRESH', 0);
define('DEFAULT_DELIMITER',    0x2C);   // ASCII comma; stored as a code, used via chr()
define('DEFAULT_ENCODING',     1);      // key into $encodings (UTF-8)
define('DEFAULT_LINE_ENDINGS', 1);      // key into $line_endings_chars (Windows)
/**#@-*/

/**#@+
 * Allowed range for the number of rows per list page.
 */
define('MIN_PAGE_SIZE', 10);
define('MAX_PAGE_SIZE', 100);
/**#@-*/

/**#@+
 * Allowed range for the auto-refresh interval (in seconds; 0 = off).
 */
define('MIN_AUTO_REFRESH', 0);
define('MAX_AUTO_REFRESH', 1440);
/**#@-*/
||
163 | |||
164 | //------------------------------------------------------------------------------ |
||
165 | // Functions. |
||
166 | //------------------------------------------------------------------------------ |
||
167 | |||
/**
 * Initialises the anonymous (not yet authenticated) session.
 *
 * Only the PHP runtime is configured here: full error reporting is switched
 * on and assertions are enabled or disabled according to DEBUG_MODE. No
 * session variables are written; see {@link open_session} for that.
 *
 * @return string ID of the current session.
 */
function create_session ()
{
    error_reporting(E_ALL);

    // Assertions are a development aid only; they are compiled out of the
    // production configuration (DEBUG_MODE_OFF).
    $debugging = (DEBUG_MODE != DEBUG_MODE_OFF);

    assert_options(ASSERT_ACTIVE, $debugging ? 1 : 0);

    if ($debugging)
    {
        // NOTE(review): ASSERT_QUIET_EVAL and the assert_options() call itself
        // are gone/deprecated on PHP 8.x; this branch assumes a PHP 5/7 runtime.
        assert_options(ASSERT_WARNING,    1);
        assert_options(ASSERT_BAIL,       0);
        assert_options(ASSERT_QUIET_EVAL, 0);
        assert_options(ASSERT_CALLBACK,   NULL);
    }

    return session_id();
}
||
192 | |||
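/**
 * Opens a session (prepared with {@link create_session}) for the given account.
 *
 * Every per-user session variable is reset to its default; {@link init_page}
 * overlays the account's stored settings afterwards. For a real (non-guest)
 * account the session ID is regenerated first, so that a session ID the
 * browser obtained before authentication is never promoted to an
 * authenticated one (session fixation).
 *
 * @param int $userid Account ID of authorized user (see <i>account_id</i> of
 *                    <i>tbl_accounts</i> database table), or GUEST_USER_ID.
 * @return string The (possibly regenerated) session ID.
 */
function open_session ($userid)
{
    debug_write_log(DEBUG_TRACE, '[open_session]');
    debug_write_log(DEBUG_DUMP,  '[open_session] $userid = ' . $userid);

    global $encodings;
    global $line_endings_chars;

    // Session fixation mitigation: do not keep the pre-authentication session
    // ID once the session becomes tied to an account. Regeneration needs an
    // active session, which init_page starts before calling us; the old
    // session data is deleted server-side (TRUE) rather than left behind.
    if ($userid != GUEST_USER_ID && session_id() != '')
    {
        session_regenerate_id(TRUE);
    }

    $_SESSION[VAR_USERID]           = $userid;
    $_SESSION[VAR_USERNAME]         = get_html_resource(RES_GUEST_ID);
    $_SESSION[VAR_FULLNAME]         = get_html_resource(RES_GUEST_ID);
    $_SESSION[VAR_PASSWD_EXPIRE]    = 0;
    $_SESSION[VAR_ISADMIN]          = FALSE;
    $_SESSION[VAR_LDAPUSER]         = FALSE;
    $_SESSION[VAR_LOCALE]           = get_browser_locale();
    $_SESSION[VAR_TIMEZONE]         = intval(date('Z'));     // server offset from UTC, in seconds
    $_SESSION[VAR_TEXTROWS]         = HTML_TEXTBOX_DEFAULT_HEIGHT;
    $_SESSION[VAR_PAGEROWS]         = DEFAULT_PAGE_ROWS;
    $_SESSION[VAR_PAGEBKMS]         = DEFAULT_PAGE_BKMS;
    $_SESSION[VAR_AUTO_REFRESH]     = DEFAULT_AUTO_REFRESH;
    $_SESSION[VAR_DELIMITER]        = chr(DEFAULT_DELIMITER);
    $_SESSION[VAR_ENCODING]         = $encodings[DEFAULT_ENCODING];
    $_SESSION[VAR_LINE_ENDINGS]     = $line_endings_chars[DEFAULT_LINE_ENDINGS];
    $_SESSION[VAR_VIEW]             = NULL;
    $_SESSION[VAR_THEME_NAME]       = THEME_DEFAULT;
    $_SESSION[VAR_SEARCH_MODE]      = FALSE;
    $_SESSION[VAR_SEARCH_TEXT]      = NULL;
    $_SESSION[VAR_USE_FILTERS]      = FALSE;
    $_SESSION[VAR_LDAP_ENUMERATION] = NULL;

    return session_id();
}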
||
231 | |||
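/**
 * Closes current session (user becomes logged off).
 *
 * Removes every eTraxis session variable and destroys the PHP session.
 * A failed destroy is logged instead of being silently ignored; the
 * warning itself stays suppressed because it would end up in page output.
 */
function close_session ()
{
    // Kept as an explicit list so this stays in sync with what open_session writes.
    $variables = array(
        VAR_ERROR,
        VAR_USERID,
        VAR_USERNAME,
        VAR_FULLNAME,
        VAR_PASSWD_EXPIRE,
        VAR_ISADMIN,
        VAR_LDAPUSER,
        VAR_LOCALE,
        VAR_TIMEZONE,
        VAR_TEXTROWS,
        VAR_PAGEROWS,
        VAR_PAGEBKMS,
        VAR_AUTO_REFRESH,
        VAR_DELIMITER,
        VAR_ENCODING,
        VAR_LINE_ENDINGS,
        VAR_VIEW,
        VAR_THEME_NAME,
        VAR_SEARCH_MODE,
        VAR_SEARCH_TEXT,
        VAR_USE_FILTERS,
        VAR_LDAP_ENUMERATION,
    );

    foreach ($variables as $name)
    {
        unset($_SESSION[$name]);
    }

    // session_destroy() returns FALSE (and warns) when there is no active
    // session or the save handler fails; check the result rather than hide it.
    if (session_id() == '')
    {
        debug_write_log(DEBUG_NOTICE, '[close_session] No active session to destroy.');
    }
    elseif (@session_destroy() === FALSE)
    {
        debug_write_log(DEBUG_NOTICE, '[close_session] Cannot destroy session.');
    }
}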
||
262 | |||
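/**
 * Tries to log user in eTraxis with specified credentials.
 *
 * Lookup order: the eTraxis account table first (unless the user name ends
 * with '@', which skips the local lookup), then Active Directory when
 * LDAP_ENABLED. On success a fresh auth token is stored for the account and
 * a session is opened via {@link open_session}.
 *
 * Local passwords are stored as an unsalted base64(SHA1) digest or, for
 * accounts created before 3.6.8, an unsalted MD5 hex digest; the MD5 form is
 * re-hashed to SHA1 on the first successful login. Neither form is salted or
 * stretched, so moving to password_hash()/password_verify() would be the real
 * fix; that needs a column-size change and is out of scope here.
 *
 * @param string $username User name.
 * @param string $passwd Password.
 * @return int Error code:
 * <ul>
 * <li>{@link NO_ERROR} - user is successfully authenticated</li>
 * <li>{@link ERROR_UNKNOWN_USERNAME} - unknown user name or bad password</li>
 * <li>{@link ERROR_ACCOUNT_DISABLED} - account is disabled</li>
 * <li>{@link ERROR_ACCOUNT_LOCKED} - account is locked out</li>
 * </ul>
 */
function login_user ($username, $passwd)
{
    $error = NO_ERROR;

    // If '@' is specified at the end of user name, suppress looking for account in eTraxis database.
    if (usubstr($username, ustrlen($username) - 1, 1) == '@')
    {
        debug_write_log(DEBUG_NOTICE, 'Found @ at the end of login.');
        $username = usubstr($username, 0, ustrlen($username) - 1);
        $account  = FALSE;
    }
    else
    {
        // Search account in eTraxis database.
        $account = account_find_username($username . ACCOUNT_SUFFIX);
    }

    // If account is not found in eTraxis database (or wasn't searched at all),
    // try to search it in Active Directory.
    if (!$account)
    {
        debug_write_log(DEBUG_NOTICE, 'Unknown user name.');

        if (ustrlen($passwd) == 0)
        {
            // An empty password must never reach the directory bind below
            // (an anonymous/unauthenticated bind would otherwise succeed).
            debug_write_log(DEBUG_NOTICE, 'Empty password is submitted.');
            $error = ERROR_UNKNOWN_USERNAME;
        }
        elseif (LDAP_ENABLED)
        {
            debug_write_log(DEBUG_NOTICE, 'Trying to find Active Directory account.');

            $id = account_register_ldapuser($username, $passwd);

            if (is_null($id))
            {
                debug_write_log(DEBUG_NOTICE, 'Cannot find Active Directory account.');
                $error = ERROR_UNKNOWN_USERNAME;
            }
            else
            {
                account_set_token($id);
                open_session($id);
            }
        }
        else
        {
            debug_write_log(DEBUG_NOTICE, 'LDAP support is disabled.');
            $error = ERROR_UNKNOWN_USERNAME;
        }
    }
    else
    {
        debug_write_log(DEBUG_NOTICE, 'User name is found in eTraxis database.');

        $account['passwd'] = trim($account['passwd']);

        // Both digests are computed up front; which one applies depends on the
        // storage format of this particular account (see below).
        $sha1_digest = base64_encode(sha1($passwd, TRUE));
        $md5_digest  = md5($passwd);

        // Check status of account and provided password.
        if ($account['is_disabled'])
        {
            debug_write_log(DEBUG_NOTICE, 'Account is disabled.');
            $error = ERROR_ACCOUNT_DISABLED;
        }
        elseif (is_account_locked($account['locks_count'], $account['lock_time']))
        {
            debug_write_log(DEBUG_NOTICE, 'Account is locked out.');
            $error = ERROR_ACCOUNT_LOCKED;
        }
        // Strict comparison is required here: with '!=' PHP compares two
        // numeric-looking strings as numbers, so two different MD5 digests of
        // the form "0e<digits>" would be treated as equal and a wrong password
        // accepted. hash_equals() would additionally close the timing side
        // channel, but it needs PHP 5.6.
        elseif ($account['passwd'] !== $sha1_digest &&
                $account['passwd'] !== $md5_digest)
        {
            debug_write_log(DEBUG_NOTICE, 'Bad password.');
            account_lock($account['account_id']);
            $error = ERROR_UNKNOWN_USERNAME;
        }
        else
        {
            // Up to version 3.6.7 passwords were stored as MD5 hashes which took 32 chars.
            // As of 3.6.8 passwords are stored as base64-encoded SHA1 hashes which take 28 chars.
            // For backward compatibility we let user authenticate if his password is stored as MD5-hash,
            // but we replace the password with its SHA1-hash.
            if (strlen($account['passwd']) == 32)
            {
                dal_query('accounts/passwd.sql',
                          $account['account_id'],
                          $sha1_digest,
                          $account['passwd_expire']);
            }

            account_unlock($account['account_id']);
            account_set_token($account['account_id']);
            open_session($account['account_id']);
        }
    }

    return $error;
}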
||
373 | |||
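/**
 * Returns current user level.
 *
 * Derived from the session only: VAR_USERID is forced to GUEST_USER_ID when
 * it is missing, so callers may read it unconditionally afterwards.
 *
 * @return int User level:
 * <ul>
 * <li>{@link USER_LEVEL_GUEST} - user is not logged in and has guest permissions only</li>
 * <li>{@link USER_LEVEL_NORMAL} - user is logged in with usual permissions</li>
 * <li>{@link USER_LEVEL_ADMIN} - user is logged in with administrative permissions</li>
 * </ul>
 */
function get_user_level ()
{
    // If somewhy this variable is not set yet, force to set it.
    if (!isset($_SESSION[VAR_USERID]))
    {
        $_SESSION[VAR_USERID] = GUEST_USER_ID;
    }

    // Now we know for sure that the variable exists even if user is not logged in at all.
    if ($_SESSION[VAR_USERID] == GUEST_USER_ID)
    {
        return USER_LEVEL_GUEST;
    }

    // VAR_ISADMIN is written by open_session/init_page; a missing flag means
    // "not an administrator" rather than an undefined-index notice.
    return !empty($_SESSION[VAR_ISADMIN]) ? USER_LEVEL_ADMIN : USER_LEVEL_NORMAL;
}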
||
402 | |||
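/**
 * Performs required initialization before execution of any PHP page.
 *
 * Must be called once and at the very beginning of each PHP page. It starts
 * the PHP session, undoes magic_quotes on $_REQUEST where that (pre-5.4)
 * feature is still active, restores a logged-in user from the session or the
 * auth-token cookies, and enforces two policies by sending a redirect (or,
 * for RSS, an HTTP Basic challenge) and exiting: guests on pages that do not
 * allow them, and users whose password has expired.
 *
 * @param int  $page_type        Type of the page: LOAD_CONTAINER, LOAD_TAB, LOAD_INLINE or LOAD_RSS.
 * @param bool $guest_is_allowed Flag that guest is allowed to access the page.
 */
function init_page ($page_type = LOAD_CONTAINER, $guest_is_allowed = FALSE)
{
    global $timezones;
    global $encodings;
    global $line_endings_chars;

    // The warning stays suppressed (it would be emitted into the page), but a
    // failed start is logged instead of passing unnoticed.
    if (session_id() == '' && !@session_start())
    {
        debug_write_log(DEBUG_NOTICE, '[init_page] Cannot start session.');
    }

    if (!isset($_SESSION[VAR_ERROR]))
    {
        $_SESSION[VAR_ERROR] = NO_ERROR;
    }

    // magic_quotes_gpc has been gone since PHP 5.4 and get_magic_quotes_gpc()
    // itself since PHP 8.0; guard the call so the page does not fatal there.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() != 0)
    {
        foreach ($_REQUEST as $key => $value)
        {
            if (is_array($value))
            {
                foreach ($value as $subkey => $subvalue)
                {
                    $_REQUEST[$key][$subkey] = stripslashes($subvalue);
                }
            }
            else
            {
                $_REQUEST[$key] = stripslashes($value);
            }
        }
    }

    // Nobody is logged in yet: try the auth-token cookie (account_get_token
    // presumably resolves it to an account ID, or to the guest ID).
    if (get_user_level() == USER_LEVEL_GUEST)
    {
        create_session();
        open_session(account_get_token(NULL));
    }

    if (get_user_level() == USER_LEVEL_GUEST)
    {
        debug_write_log(DEBUG_NOTICE, '[init_page] User is not authorized.');

        // Force the guest to log in
        if (!$guest_is_allowed)
        {
            debug_write_log(DEBUG_NOTICE, '[init_page] Guest must be logged in.');
            save_cookie(COOKIE_URI, $_SERVER['REQUEST_URI']);

            // LOAD_TAB gets no header at all: the request simply terminates.
            if ($page_type == LOAD_CONTAINER)
            {
                header('Location: ' . WEBROOT . 'logon/index.php');
            }
            elseif ($page_type == LOAD_INLINE)
            {
                header('HTTP/1.1 307 ' . WEBROOT . 'logon/index.php');
            }
            elseif ($page_type == LOAD_RSS)
            {
                debug_write_log(DEBUG_NOTICE, '[init_page] Request for HTTP Basic Auth.');
                header('WWW-Authenticate: Basic realm="eTraxis RSS"');
                header('HTTP/1.0 401 Unauthorized');
            }

            exit;
        }
    }
    else
    {
        // Re-validate the account on every request (still exists, not locked out).
        $rs = dal_query('accounts/fndid2.sql',
                        $_SESSION[VAR_USERID],
                        time(),
                        LOCKS_COUNT,
                        time() - LOCKS_TIMEOUT * 60);

        if ($rs->rows == 0)
        {
            debug_write_log(DEBUG_NOTICE, '[init_page] Specified user cannot be authorized.');
            open_session(GUEST_USER_ID);
        }
        else
        {
            $account = $rs->fetch();
            $account['passwd'] = trim($account['passwd']);

            // Up to version 3.6.7 passwords were stored as MD5 hashes which took 32 chars.
            // As of 3.6.8 passwords are stored as base64-encoded SHA1 hashes which take 28 chars.
            // For backward compatibility we let user authenticate if his password is stored as MD5-hash,
            // but we have to replace the password with its SHA1-hash.
            // To make user enter his password as soon as possible we are forcing him to log out.
            if (strlen($account['passwd']) == 32 &&
                !$account['is_ldapuser'])
            {
                debug_write_log(DEBUG_NOTICE, '[init_page] The password is stored as MD5 hash and must be updated.');
                open_session(GUEST_USER_ID);
            }
            else
            {
                $_SESSION[VAR_USERNAME]      = account_get_username($account['username']);
                $_SESSION[VAR_FULLNAME]      = $account['fullname'];
                $_SESSION[VAR_PASSWD_EXPIRE] = $account['passwd_expire'];
                $_SESSION[VAR_ISADMIN]       = $account['is_admin'];
                $_SESSION[VAR_LDAPUSER]      = $account['is_ldapuser'];
                $_SESSION[VAR_LOCALE]        = $account['locale'];
                $_SESSION[VAR_TIMEZONE]      = intval(date('Z'));
                $_SESSION[VAR_TEXTROWS]      = $account['text_rows'];
                $_SESSION[VAR_PAGEROWS]      = $account['page_rows'];
                $_SESSION[VAR_PAGEBKMS]      = $account['page_bkms'];
                $_SESSION[VAR_AUTO_REFRESH]  = ustr2int($account['auto_refresh'], MIN_AUTO_REFRESH, MAX_AUTO_REFRESH);
                $_SESSION[VAR_DELIMITER]     = chr($account['csv_delim']);
                $_SESSION[VAR_VIEW]          = $account['view_id'];
                $_SESSION[VAR_THEME_NAME]    = $account['theme_name'];

                // A stored code outside the lookup tables (stale or hand-edited
                // row) falls back to the defaults instead of a NULL setting.
                $_SESSION[VAR_ENCODING] = isset($encodings[$account['csv_encoding']])
                                        ? $encodings[$account['csv_encoding']]
                                        : $encodings[DEFAULT_ENCODING];

                $_SESSION[VAR_LINE_ENDINGS] = isset($line_endings_chars[$account['csv_line_ends']])
                                            ? $line_endings_chars[$account['csv_line_ends']]
                                            : $line_endings_chars[DEFAULT_LINE_ENDINGS];

                // Stored timezone is a 1-based index into $timezones; anything
                // outside that range keeps the server offset set above.
                if ($account['timezone'] > 0 &&
                    $account['timezone'] <= count($timezones))
                {
                    $_SESSION[VAR_TIMEZONE] = timezone_offset_get(timezone_open($timezones[$account['timezone']]), date_create());
                }

                save_cookie(COOKIE_AUTH_USERID, $_SESSION[VAR_USERID]);
                save_cookie(COOKIE_AUTH_TOKEN,  $account['auth_token']);

                // Slide the token expiry forward on each authenticated request.
                dal_query('accounts/settoken2.sql', $_SESSION[VAR_USERID], time() + SESSION_EXPIRE * 60);

                // Expired local password: everything except the settings pages
                // (where it can be changed) redirects to the password tab.
                if ((strpos($_SERVER['PHP_SELF'], '/settings/') === FALSE) &&
                    (PASSWORD_EXPIRATION != 0) &&
                    ($_SESSION[VAR_PASSWD_EXPIRE] + PASSWORD_EXPIRATION * SECS_IN_DAY < time()) &&
                    (!$_SESSION[VAR_LDAPUSER]))
                {
                    debug_write_log(DEBUG_NOTICE, '[init_page] Password is expired.');

                    save_cookie(COOKIE_URI, $_SERVER['REQUEST_URI']);

                    if ($page_type == LOAD_CONTAINER)
                    {
                        header('Location: ' . WEBROOT . 'settings/index.php?tab=3');
                    }
                    elseif ($page_type == LOAD_INLINE)
                    {
                        header('HTTP/1.1 307 ' . WEBROOT . 'settings/index.php?tab=3');
                    }

                    exit;
                }

                clear_cookie(COOKIE_URI);
            }
        }
    }
}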
||
561 | |||
562 | ?> |
||