mirror of
https://github.com/YunoHost-Apps/bozon_ynh.git
synced 2024-09-03 18:16:09 +02:00
723 lines
32 KiB
PHP
723 lines
32 KiB
PHP
<?php
|
|
/**
|
|
* BoZoN admin only protection:
|
|
* part of auto_restrict lib
|
|
* @author: Bronco (bronco@warriordudimanche.net)
|
|
*
|
|
* auto_restrict
|
|
* @author bronco@warriordudimanche.com / www.warriordudimanche.net
|
|
* @copyright open source and free to adapt (keep me aware !)
|
|
* @version 4.2 - multi user
|
|
*
|
|
* This script locks a page's access
|
|
* Just include it in the page you want to lock
|
|
* It does all for you:
|
|
* - login/pass creation
|
|
* - auto redirect to login form
|
|
* - session's expiration
|
|
* - login & logout (to logout, add ?logout $_GET var)
|
|
* - referrer errors (same domain)
|
|
* - auto ban IP and (auto unban)
|
|
* - tokens to secure post and get forms (just add <?php newToken(); ?> to the form or <?php sameToken();?> to repeat a previously generated token, in case of various forms in a same page)
|
|
* - easyly secure sensitive actions adding admin password in your form (just add <?php adminPassword(); ?>, auto_restrict will exit if password is not correct)
|
|
* - secure post and get data
|
|
* - add function to ask password for sensitive/superadmin actions...
|
|
*
|
|
*
|
|
*
|
|
* Verrouille l'accès à une page
|
|
* Il suffit d'inclure ce fichier pour bloquer l'accès...
|
|
* gestion de l'expiration de session,
|
|
* gestion de la connexion et de la déconnexion.
|
|
* gestion des différences entre le domaine referer et le domaine sur lequel le script est hébergé (si différent -> pas ok)
|
|
* gestion du bannissement des adresses ip en cas de bruteforcing ou de referer anormal
|
|
* gestion des tokens de sécurisation à ajouter aux forms en une commande <?php newToken();?>; le script se charge seul de vérifier le token
|
|
* génération aléatoire de la clé de cryptage
|
|
* sécurisation par mot de passe sur les actions sensibles (il suffit d'ajouter <?php adminPassword(); ?> à un formulaire pour qu'auto_restrict bloque en cas de mauvais mot de passe)
|
|
*
|
|
* Améliorations eventuelles:
|
|
* ajouter un fichier log de connexion
|
|
*
|
|
*
|
|
* ajout 4.2 :
|
|
* ajout du statut (superadmin/admin/user) et de la langue (pour bozon)
|
|
* ajout 4.1 :
|
|
* ajout du double check de passe et du changement de mdp
|
|
* ajout 4.0 :
|
|
* ajout du support multi utilisateur
|
|
*/
|
|
@session_start();
|
|
# ------------------------------------------------------------------
|
|
# default config: initialisation
|
|
# ------------------------------------------------------------------
|
|
# you can modify this config before the include('auto_restrict.php');
|
|
if (!isset($auto_restrict['error_msg'])){ $auto_restrict['error_msg']='Erreur - impossible de se connecter.';}# utilisé si on ne veut pas rediriger
|
|
if (!isset($auto_restrict['cookie_name'])){ $auto_restrict['cookie_name']='BoZoN';}# nom du cookie
|
|
if (!isset($auto_restrict['session_expiration_delay'])){ $auto_restrict['session_expiration_delay']=90;}#minutes
|
|
if (!isset($auto_restrict['cookie_expiration_delay'])){ $auto_restrict['cookie_expiration_delay']=365;}#days
|
|
if (!isset($auto_restrict['IP_banned_expiration_delay'])){ $auto_restrict['IP_banned_expiration_delay']=90;}#seconds
|
|
if (!isset($auto_restrict['max_security_issues_before_ban'])){ $auto_restrict['max_security_issues_before_ban']=5;}
|
|
if (!isset($auto_restrict['just_die_on_errors'])){ $auto_restrict['just_die_on_errors']=true;}# end script immediately instead of include loginform in case of user not logged;
|
|
if (!isset($auto_restrict['just_die_if_not_logged'])){ $auto_restrict['just_die_if_not_logged']=false;}# end script immediately instead of include loginform in case of banished ip or referer problem;
|
|
if (!isset($auto_restrict['tokens_expiration_delay'])){ $auto_restrict['tokens_expiration_delay']=7200;}#seconds
|
|
if (!isset($auto_restrict['kill_tokens_after_use'])){ $auto_restrict['kill_tokens_after_use']=false;}#false to allow the token to survive after it was used (for a form with multiple submits, like a preview button)
|
|
if (!isset($auto_restrict['use_GET_tokens_too'])){ $auto_restrict['use_GET_tokens_too']=true;}
|
|
if (!isset($auto_restrict['use_ban_IP_on_token_errors'])){ $auto_restrict['use_ban_IP_on_token_errors']=false;}
|
|
if (!isset($auto_restrict['redirect_error'])){ $auto_restrict['redirect_error']='index.php';}# si précisé, pas de message d'erreur
|
|
if (!isset($auto_restrict['redirect_success'])){ $auto_restrict['redirect_success']='index.php?p=admin&token='.returnToken();}
|
|
if (!isset($auto_restrict['domain'])){ $auto_restrict['domain']=$_SERVER['SERVER_NAME'];}
|
|
if (!isset($auto_restrict['POST_striptags'])){ $auto_restrict['POST_striptags']=false;}# if true, all $_POST data will be strip_taged
|
|
if (!isset($auto_restrict['GET_striptags'])){ $auto_restrict['GET_striptags']=false;}# if true, all $_GET data will be strip_taged
|
|
if (!isset($auto_restrict['root'])){ $auto_restrict['root']='.';}
|
|
if (!isset($auto_restrict['path_from_root'])){ $auto_restrict['path_from_root']='';}
|
|
if (!isset($auto_restrict['add_remove_user_admin_only'])){ $auto_restrict['add_remove_user_admin_only']=true;}# only admin can add or remove a user (admin is the first user)
|
|
if (!empty($_SERVER['HTTP_REFERER'])){ $auto_restrict['referer']=returndomain($_SERVER['HTTP_REFERER']);}else{$auto_restrict['referer']='';}
|
|
$auto_restrict['path_to_my_folder']=$auto_restrict['root'].$auto_restrict['path_from_root'].'/';
|
|
$auto_restrict['path_to_files']=$auto_restrict['path_to_my_folder'].$default_private;
|
|
# ------------------------------------------------------------------
|
|
# secure $_POST & $_GET data
|
|
# ------------------------------------------------------------------
|
|
if ($auto_restrict['POST_striptags']){$_POST=array_map('strip_tags',$_POST);}
|
|
if ($auto_restrict['GET_striptags']){$_GET=array_map('strip_tags',$_GET);}
|
|
|
|
# ------------------------------------------------------------------
|
|
# create cookie token folder
|
|
# ------------------------------------------------------------------
|
|
|
|
if (!is_dir($auto_restrict['path_to_files'])){mkdir($auto_restrict['path_to_files'],0700);chmod($auto_restrict['path_to_files'],0700);}
|
|
if (!is_dir($auto_restrict['path_to_files'])){echo '<div class="error">auto_restrict error: cannot create the '.$auto_restrict['path_to_files'].' folder </div>';}
|
|
elseif (!is_writable($auto_restrict['path_to_files'])){echo '<div class="error">auto_restrict error: token folder is not writeable</div>';}
|
|
elseif (!is_file($auto_restrict['path_to_files'].'/.htaccess')){file_put_contents($auto_restrict['path_to_files'].'/.htaccess', 'deny from all');}
|
|
|
|
# ------------------------------------------------------------------
|
|
# checks auto_restrict's data file : include or create
|
|
# ------------------------------------------------------------------
|
|
if(file_exists($auto_restrict['path_to_files'].'/auto_restrict_data.php')){
|
|
include($auto_restrict['path_to_files'].'/auto_restrict_data.php');
|
|
}else{
|
|
$auto_restrict['system_salt']=generate_salt(512);
|
|
$ret="\n";
|
|
file_put_contents($auto_restrict['path_to_files'].'/auto_restrict_data.php', '<?php '.$ret.'$auto_restrict["system_salt"]='.var_export($auto_restrict['system_salt'],true).';'.$ret.'$auto_restrict["tokens_filename"] = "tokens_'.var_export(hash('sha512', $auto_restrict['system_salt'].uniqid('', true)),true).'.php";'.$ret.'$auto_restrict["banned_ip_filename"] = "banned_ip_'.var_export(hash('sha512', $auto_restrict['system_salt'].uniqid('', true)),true).'.php"; '.$ret.'?>');
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# checks auto_restrict's users file : include or redirect to login page if no $_POST
|
|
# ------------------------------------------------------------------
|
|
if(file_exists($auto_restrict['path_to_files'].'/auto_restrict_users.php')){
|
|
# if file exists, include it
|
|
include($auto_restrict['path_to_files'].'/auto_restrict_users.php');
|
|
complete_if_needed();
|
|
|
|
|
|
}else if(!isset($_POST['pass'])){
|
|
# problem with files during a session
|
|
if (isset($_SESSION['login'])){
|
|
session_destroy();
|
|
}
|
|
# or redirect to login form
|
|
safe_redirect('index.php?p=login');
|
|
exit;
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# Sets a global token to use it later
|
|
# ------------------------------------------------------------------
|
|
define('TOKEN',returnToken());
|
|
|
|
# ------------------------------------------------------------------
|
|
# New user request: add it, save and return to login page
|
|
# ------------------------------------------------------------------
|
|
if(!empty($_POST['pass'])&&!empty($_POST['confirm'])&&isset($_POST['creation'])&&!empty($_POST['login'])&&empty($_POST['admin_password'])){
|
|
if (!isset($auto_restrict['users'])){$auto_restrict['users']=array();}
|
|
$index=count($auto_restrict['users']);
|
|
$login=strip_tags($_POST['login']);
|
|
if (login_exists($login)){safe_redirect('index.php?p=login&newuser&error=1&token='.returnToken());}
|
|
if ($_POST['pass']!=$_POST['confirm']){safe_redirect('index.php?p=login&newuser&error=3&token='.returnToken());}
|
|
$auto_restrict['users'][$index]['login'] = $login;
|
|
$auto_restrict['users'][$index]['encryption_key'] = md5(uniqid('', true));
|
|
$auto_restrict['users'][$index]['salt'] = generate_salt(512);
|
|
$auto_restrict['users'][$index]['lang'] = $_SESSION['language'];
|
|
$auto_restrict['users'][$index]['status'] = '';
|
|
$auto_restrict['users'][$index]['pass'] = hash('sha512', $auto_restrict['users'][$index]['salt'].$_POST['pass']);
|
|
|
|
if (!save_users()){exit('<div class="error">auto_restrict: problem saving users</div>');}
|
|
safe_redirect('index.php?p=admin&msg='.e('Account created:',false).$login.'&token='.returnToken());
|
|
exit;
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# Change password request
|
|
# ------------------------------------------------------------------
|
|
if(!empty($_POST['pass'])&&!empty($_POST['confirm'])&&!empty($_POST['admin_password'])){
|
|
|
|
if ($auto_restrict['users'][$_SESSION['login']]['pass']!==hash('sha512', $auto_restrict['users'][$_SESSION['login']]['salt'].$_POST['admin_password'])){
|
|
safe_redirect('index.php?p=login&change_password&error=4&token='.returnToken());
|
|
exit;
|
|
}
|
|
if ($_POST['pass']!=$_POST['confirm']){
|
|
safe_redirect('index.php?p=login&newuser&error=3&token='.returnToken());
|
|
exit;
|
|
}
|
|
$auto_restrict['users'][$_SESSION['login']]['pass']=hash('sha512', $auto_restrict['users'][$_SESSION['login']]['salt'].$_POST['pass']);
|
|
if (save_users()){safe_redirect('index.php?p=admin&msg='.e('New password saved for ',false).$_SESSION['login'].'&token='.returnToken());}
|
|
else{safe_redirect('index.php?p=admin&msg='.e('Error saving new password for ',false).$_SESSION['login'].'&token='.returnToken());}
|
|
}
|
|
# ------------------------------------------------------------------
|
|
# load banned ip
|
|
# ------------------------------------------------------------------
|
|
if (is_file($auto_restrict['path_to_files'].'/'.$auto_restrict["banned_ip_filename"])){include($auto_restrict['path_to_files'].'/'.$auto_restrict["banned_ip_filename"]);}
|
|
# ------------------------------------------------------------------
|
|
|
|
# ------------------------------------------------------------------
|
|
# user tries to login
|
|
# ------------------------------------------------------------------
|
|
if (isset($_POST['login'])&&isset($_POST['pass'])&&empty($_POST['confirm'])&&empty($_POST['creation'])){
|
|
$ok=log_user($_POST['login'],$_POST['pass']);
|
|
if (!$ok){safe_redirect('index.php?p=login&error=2');}
|
|
elseif (isset($_POST['cookie'])){
|
|
set_cookie();
|
|
}
|
|
# ------------------------------------------------------------------
|
|
# redirect if needed
|
|
# ------------------------------------------------------------------
|
|
if (!empty($auto_restrict['redirect_success'])){
|
|
if (strpos($auto_restrict['redirect_success'], '&token=')!==false){
|
|
safe_redirect($auto_restrict['redirect_success'].'&token='.returnToken());
|
|
}else{
|
|
safe_redirect($auto_restrict['redirect_success']);
|
|
}
|
|
}
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# user wants to logout (?logout $_GET var)
|
|
# ------------------------------------------------------------------
|
|
if (isset($_GET['deconnexion'])||isset($_GET['logout'])){@session_destroy();delete_cookie();exit_redirect();}
|
|
# ------------------------------------------------------------------
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# No admin connected -> login
|
|
# ------------------------------------------------------------------
|
|
if (empty($_SESSION['id_user'])||empty($_SESSION['login'])||empty($_SESSION['expire'])){
|
|
if (!empty($_GET['p'])&&$_GET['p']!='login'){safe_redirect('index.php?p=login');}
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# if here, there's no login/logout process.
|
|
# Check referrer, ip
|
|
# session duration...
|
|
# on problem, out !
|
|
# ------------------------------------------------------------------
|
|
if (!is_ok()){
|
|
@session_destroy();
|
|
if (!$auto_restrict['just_die_if_not_logged']){
|
|
safe_redirect('index.php?p=login');
|
|
} else {
|
|
echo $auto_restrict['error_msg'];
|
|
}
|
|
exit();
|
|
}
|
|
# ------------------------------------------------------------------
|
|
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# if here, there was no security problem.
|
|
# Now, if there is an admin password post data,
|
|
# it means that the submitted form is a secured one:
|
|
# check if password is correct (if not => ban ip and stop here)
|
|
# ------------------------------------------------------------------
|
|
|
|
if (isset($_POST['admin_password'])){
|
|
$pass=hash('sha512', $auto_restrict["salt"].$_POST['admin_password']);
|
|
if ($auto_restrict['pass']!=$pass){
|
|
add_banned_ip();
|
|
death('The admin password is wrong... too bad !');
|
|
}
|
|
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# users list form requests
|
|
# ------------------------------------------------------------------
|
|
# Erase a user account
|
|
if (isset($_POST['user_key'])&&is_user_admin()){
|
|
foreach($_POST['user_key'] as $user_nb){
|
|
if (isset($auto_restrict['users'][$user_nb])){
|
|
unset($auto_restrict['users'][$user_nb]);
|
|
# ADDED FOR BOZON
|
|
rrmdir($_SESSION['upload_root_path'].$user_nb);
|
|
}
|
|
}
|
|
if (!empty($auto_restrict['users'])){
|
|
save_users();
|
|
# ADDED FOR BOZON
|
|
safe_redirect('index.php?p=users&token='.TOKEN.'&msg='.e('Changes saved',false));
|
|
exit;
|
|
}
|
|
else{
|
|
unlink($auto_restrict['path_to_files'].'/auto_restrict_users.php');
|
|
exit_redirect();
|
|
}
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# change user status
|
|
# ------------------------------------------------------------------
|
|
if (isset($_POST['users_status'])&&is_user_admin()){
|
|
unset($_POST['users_status']);
|
|
unset($_POST['token']);
|
|
foreach($_POST as $user=>$status){
|
|
if (!empty($user)){$auto_restrict['users'][$user]['status']=$status;}
|
|
}
|
|
save_users();
|
|
# ADDED FOR BOZON
|
|
safe_redirect('index.php?p=users&token='.TOKEN.'&msg='.e('Changes saved',false));
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# save user language if change BOZON CHANGE
|
|
# ------------------------------------------------------------------
|
|
if (empty($auto_restrict['users'][$_SESSION['login']]['lang'])||$_SESSION['language']!=$auto_restrict['users'][$_SESSION['login']]['lang']){
|
|
$auto_restrict['users'][$_SESSION['login']]['lang']=$_SESSION['language'];
|
|
save_users();
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# crypt functions
|
|
# form http:#www.info-3000.com/phpmysql/cryptagedecryptage.php
|
|
# ------------------------------------------------------------------
|
|
function GenerationCle($Texte,$CleDEncryptage)
|
|
{
|
|
$CleDEncryptage = md5($CleDEncryptage);
|
|
$Compteur=0;
|
|
$VariableTemp = "";
|
|
for ($Ctr=0;$Ctr<strlen($Texte);$Ctr++)
|
|
{
|
|
if ($Compteur==strlen($CleDEncryptage))
|
|
$Compteur=0;
|
|
$VariableTemp.= substr($Texte,$Ctr,1) ^ substr($CleDEncryptage,$Compteur,1);
|
|
$Compteur++;
|
|
}
|
|
return $VariableTemp;
|
|
}
|
|
function chiffre($Texte,$Cle)
|
|
{
|
|
srand((double)microtime()*1000000);
|
|
$CleDEncryptage = md5(rand(0,32000) );
|
|
$Compteur=0;
|
|
$VariableTemp = "";
|
|
for ($Ctr=0;$Ctr<strlen($Texte);$Ctr++)
|
|
{
|
|
if ($Compteur==strlen($CleDEncryptage))
|
|
$Compteur=0;
|
|
$VariableTemp.= substr($CleDEncryptage,$Compteur,1).(substr($Texte,$Ctr,1) ^ substr($CleDEncryptage,$Compteur,1) );
|
|
$Compteur++;
|
|
}
|
|
return base64_encode(GenerationCle($VariableTemp,$Cle) );
|
|
}
|
|
function Dechiffre($Texte,$Cle)
|
|
{
|
|
$Texte = GenerationCle(base64_decode($Texte),$Cle);
|
|
$VariableTemp = "";
|
|
for ($Ctr=0;$Ctr<strlen($Texte);$Ctr++)
|
|
{
|
|
$md5 = substr($Texte,$Ctr,1);
|
|
$Ctr++;
|
|
$VariableTemp.= (substr($Texte,$Ctr,1) ^ $md5);
|
|
}
|
|
return $VariableTemp;
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
|
|
function save_users(){
|
|
global $auto_restrict;
|
|
$ret="\n";$data='<?php'.$ret;
|
|
if (!isset($auto_restrict['users'])){return false;}
|
|
foreach ($auto_restrict['users'] as $key=>$user){
|
|
$data.= $ret.'# user : '.$user['login'].$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["login"]='.var_export($user['login'],true).';'.$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["encryption_key"]='.var_export($user['encryption_key'],true).';'.$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["salt"] = '.var_export($user['salt'],true).';'.$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["pass"] = '.var_export($user['pass'],true).';'.$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["status"]='.var_export($user['status'],true).';'.$ret
|
|
.'$auto_restrict["users"]["'.$user['login'].'"]["lang"]='.var_export($user['lang'],true).';'.$ret;
|
|
}
|
|
|
|
$data.=$ret.'?>';
|
|
$r=file_put_contents($auto_restrict['path_to_files'].'/auto_restrict_users.php', $data);
|
|
sleep(0.5);
|
|
return $r;
|
|
}
|
|
|
|
function complete_if_needed(){
|
|
global $auto_restrict,$default_language;$save=false;
|
|
if (!$auto_restrict){return false;}
|
|
$indexes_to_check=array( # 'var' => 'default value',
|
|
'lang'=>$default_language,
|
|
);
|
|
$first=first($auto_restrict['users']);
|
|
foreach ($auto_restrict['users'] as $user=>$data){
|
|
foreach ($indexes_to_check as $index=>$default_value){
|
|
if (empty($data[$index])){
|
|
$auto_restrict['users'][$user][$index]=$default_value;$save=true;
|
|
}
|
|
if (empty($data['status'])){
|
|
$auto_restrict['users'][$user]['status']=create_status($user,$first);$save=true;
|
|
}elseif($data['status']!='superadmin'&&$data['login']==$first['login']){
|
|
$auto_restrict['users'][$user]['status']='superadmin';$save=true;# force first status to superadmin
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($save){save_users();return true;}
|
|
return false;
|
|
}
|
|
function create_status($user=null,$first=''){
|
|
global $auto_restrict;
|
|
if (!$user){return false;}
|
|
if (count($auto_restrict['users'])==1){ return 'superadmin';}
|
|
elseif ($user==$first['login']){ return 'superadmin';}
|
|
else{return 'user';}
|
|
}
|
|
|
|
function login_exists($login=null){
|
|
global $auto_restrict;
|
|
if (empty($login)){return false;}
|
|
foreach ($auto_restrict['users'] as $key=>$user){
|
|
if ($user['login']==$login){return true;}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
function id_user(){
|
|
$id=$_SERVER['REMOTE_ADDR'];
|
|
$id.='-'.$_SERVER['HTTP_USER_AGENT'];
|
|
$id.='-'.session_id();
|
|
return $id;
|
|
}
|
|
|
|
|
|
|
|
function is_ok(){
|
|
# check tokens, session vars, ip, referrer, cookie etc
|
|
# in case of problem, destroy session and redirect
|
|
global $auto_restrict;
|
|
$expired=false;
|
|
if (!isset($_SESSION['id_user'])){return false;}
|
|
# fatal problem
|
|
if (!checkReferer()){return death('<div class="error">You are definitely NOT from here !</div>');}
|
|
if (!checkIP()){return death('<div class="error">Hey... you were banished, fuck off !</div>');}
|
|
if (!checkToken()){return death('<div class="error">Invalid token</div>');}
|
|
|
|
#
|
|
if (checkCookie()){return true;}
|
|
|
|
if ($_SESSION['expire']<time()){$expired=true;}
|
|
|
|
$sid=Dechiffre($_SESSION['id_user'],$auto_restrict['users'][$_SESSION['login']]['encryption_key']);
|
|
$id=id_user();
|
|
if ($sid!=$id || $expired==true){# problème d'identité
|
|
return false;
|
|
}else{ # all fine
|
|
#session can survive a bit more ^^
|
|
$_SESSION['expire']=time()+(60*$auto_restrict['session_expiration_delay']);
|
|
return true;
|
|
}
|
|
}
|
|
|
|
function death($msg="Don't try to be so clever !"){global $auto_restrict;if ($auto_restrict['just_die_on_errors']){die('<p class="error">'.$msg.'</p>');}else{return false;}}
|
|
function is_user_admin(){
|
|
global $auto_restrict;
|
|
if ($auto_restrict['add_remove_user_admin_only']==false){return true;}
|
|
if (!empty($_SESSION['status'])){
|
|
if ($_SESSION['status']=='admin'||$_SESSION['status']=='superadmin'){return true;}
|
|
}else{
|
|
$first=first($auto_restrict['users']);
|
|
if (!empty($_SESSION['login'])&&$_SESSION['login']==$first['login']){return true;}
|
|
if (!empty($_SESSION['login'])&&isset($auto_restrict['users'][$_SESSION['login']]['status'])&&$auto_restrict['users'][$_SESSION['login']]['status']=='admin'){return true;}
|
|
}
|
|
return false;
|
|
}
|
|
function log_user($login_donne,$pass_donne){
|
|
# create session vars
|
|
$save=false;
|
|
global $auto_restrict,$default_language;
|
|
if (empty($default_language)){$default_language='en';}
|
|
session_destroy();session_start();
|
|
foreach ($auto_restrict['users'] as $key=>$user){
|
|
if ($user['login']===$login_donne && $user['pass']===hash('sha512', $user["salt"].$pass_donne)){
|
|
$_SESSION['id_user']=chiffre(id_user(),$user['encryption_key']);
|
|
$_SESSION['login']=$user['login'];
|
|
$_SESSION['expire']=time()+(60*$auto_restrict['session_expiration_delay']);
|
|
$admin=first($auto_restrict['users']);
|
|
$_SESSION['status']=$user['status'];
|
|
$_SESSION['language']=$user['lang'];
|
|
if ($save){save_users();}
|
|
return true;
|
|
}
|
|
}
|
|
if ($login_donne!='dis'&&$pass_donne!='connect'){
|
|
add_banned_ip();
|
|
}else{exit_redirect();}
|
|
return false;
|
|
}
|
|
|
|
function exit_redirect(){
|
|
global $auto_restrict;
|
|
@session_unset();
|
|
@session_destroy();
|
|
delete_cookie();
|
|
if ($auto_restrict['redirect_error']&&$auto_restrict['redirect_error']!=''){
|
|
safe_redirect($auto_restrict['redirect_error']);
|
|
}else{exit($auto_restrict['error_msg']);}
|
|
}
|
|
function generate_salt($length=256){
|
|
$salt='';
|
|
for($i=1;$i<=$length;$i++){
|
|
$salt.=chr(mt_rand(35,126));
|
|
}
|
|
return $salt;
|
|
}
|
|
|
|
function set_cookie(){
|
|
# create cookie and token file
|
|
global $auto_restrict;
|
|
$token_cookie=hash('sha512',$auto_restrict['system_salt'].md5(preg_replace('#[^a-zA-Z]#','',uniqid(true))));
|
|
$time=time()+$auto_restrict['cookie_expiration_delay']*1440;
|
|
setcookie($auto_restrict['cookie_name'],$token_cookie,$time);
|
|
file_put_contents($auto_restrict['path_to_files'].'/'.$token_cookie,$time,0666);
|
|
chmod($auto_restrict['path_to_files'].'/'.$token_cookie,0666);
|
|
}
|
|
function delete_cookie(){
|
|
# delete cookie and token cookie file
|
|
global $auto_restrict;
|
|
@$token_cookie_file=$_COOKIE[$auto_restrict['cookie_name']];
|
|
setcookie($auto_restrict['cookie_name'],'',time()+1);
|
|
@unlink($auto_restrict['path_to_files'].'/'.$token_cookie_file);
|
|
}
|
|
function checkCookie(){
|
|
# test cookie token file security access
|
|
global $auto_restrict;
|
|
|
|
if (!isset($_COOKIE[$auto_restrict['cookie_name']])){return false;} # no cookie ?
|
|
$cookie_token_file=$auto_restrict['path_to_files'].'/'.$_COOKIE[$auto_restrict['cookie_name']];
|
|
if (!is_file($cookie_token_file)){return false;} # no cookie token file ?
|
|
if (file_get_contents($cookie_token_file)<time()){return false;} # cookie/token too old ?
|
|
|
|
return true;
|
|
}
|
|
# ------------------------------------------------------------------
|
|
# REFERER
|
|
# ------------------------------------------------------------------
|
|
function returndomain($url){$domaine=parse_url($url);return $domaine['host'];}
|
|
|
|
function checkReferer(){
|
|
global $auto_restrict;
|
|
if ($auto_restrict['domain']!=$auto_restrict['referer']&&!empty($auto_restrict['referer'])){
|
|
# log IP to ban it
|
|
if (isset($_SERVER['REMOTE_ADDR'])){add_banned_ip();}
|
|
return false;
|
|
}else{return true;}
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# TOKENS
|
|
# ------------------------------------------------------------------
|
|
# return true if token situation is ok
|
|
function checkToken(){
|
|
global $auto_restrict;
|
|
if(empty($_POST)&&empty($_GET)||empty($_POST)&&!$auto_restrict['use_GET_tokens_too']){return true;}# no post or get data, no need of a token
|
|
|
|
if (# from login form, no need of a token
|
|
count($_POST)==2&&isset($_POST['login'])&&isset($_POST['pass'])
|
|
||
|
|
count($_POST)==3&&isset($_POST['login'])&&isset($_POST['pass'])&&isset($_POST['cookie'])
|
|
){return true;}
|
|
|
|
|
|
|
|
# secure $_POST with token
|
|
if (!empty($_POST)){
|
|
if (!isset($_POST['token'])){# no token given ? get out !
|
|
if ($auto_restrict['use_ban_IP_on_token_errors']){add_banned_ip();}
|
|
return false;
|
|
}
|
|
$token=$_POST['token'];
|
|
if (!isset($_SESSION[$token])){# Problem with session token ? get out !
|
|
if ($auto_restrict['use_ban_IP_on_token_errors']){add_banned_ip();}
|
|
return false;
|
|
}
|
|
}
|
|
|
|
# secure $_GET with token
|
|
if (!empty($_GET)&&$auto_restrict['use_GET_tokens_too']){
|
|
if (!isset($_GET['token'])){# no token given ? get out !
|
|
if ($auto_restrict['use_ban_IP_on_token_errors']){add_banned_ip();}
|
|
return false;
|
|
}
|
|
$token=$_GET['token'];
|
|
if (!isset($_SESSION[$token])){ # Problem with session token ? get out !
|
|
if ($auto_restrict['use_ban_IP_on_token_errors']){add_banned_ip();}
|
|
return false;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# SESSION token too old ? out ! (but no ip_ban)
|
|
if ($_SESSION[$token]<@date('U')){ return false;}
|
|
# when all is fine, return true after erasing the token (one use only)
|
|
if ($auto_restrict['kill_tokens_after_use']){unset($_SESSION[$token]);}
|
|
return true;
|
|
}
|
|
|
|
# create a token, echo a hidden input, sets the session token
|
|
# if $token_only==true, echo only the token.
|
|
function newToken($token_only=false){
|
|
global $auto_restrict;
|
|
$token=hash('sha512',uniqid('',true));
|
|
$_SESSION[$token]=@date('U')+$auto_restrict['tokens_expiration_delay'];
|
|
if (!$token_only){echo '<input type="hidden" value="'.$token.'" name="token"/>';}
|
|
else {echo $token;}
|
|
}
|
|
# create a token, and return it
|
|
function returnToken(){
|
|
global $auto_restrict;
|
|
$token=hash('sha512',uniqid('',true));
|
|
$_SESSION[$token]=@date('U')+$auto_restrict['tokens_expiration_delay'];
|
|
return $token;
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# ADMIN ONLY PROTECTION
|
|
# ------------------------------------------------------------------
|
|
# echo a password input form to secure sensitive sections
|
|
# you can specify a label text and/or a placeholder text
|
|
function adminPassword($label='',$placeholder=''){
|
|
if (!empty($label)){$label='<label for="admin_password" class="admin_password_label">'.$label.'</label>';}
|
|
if (!empty($placeholder)){$placeholder=' placeholder="'.$placeholder.'" ';}
|
|
echo $label.'<input id="admin_password" type="password" class="admin_password" name="admin_password" '.$placeholder.'/>';
|
|
}
|
|
|
|
|
|
# ------------------------------------------------------------------
|
|
# IP
|
|
# ------------------------------------------------------------------
|
|
# increment the IP counter in the banned IP file
|
|
function add_banned_ip($ip=null){
|
|
if(empty($ip)){$ip=$_SERVER['REMOTE_ADDR'];}
|
|
global $auto_restrict;
|
|
|
|
if (isset($auto_restrict["banned_ip"][$ip])){
|
|
$auto_restrict["banned_ip"][$ip]['nb']++;
|
|
}else{
|
|
$auto_restrict["banned_ip"][$ip]['nb']=1;
|
|
}
|
|
|
|
$auto_restrict["banned_ip"][$ip]['date']=@date('U')+$auto_restrict['IP_banned_expiration_delay'];
|
|
file_put_contents($auto_restrict['path_to_files'].'/'.$auto_restrict["banned_ip_filename"],'<?php /*Banned IP*/ $auto_restrict["banned_ip"]='.var_export($auto_restrict["banned_ip"],true).' ?>');
|
|
}
|
|
|
|
function remove_banned_ip($ip=null){
|
|
if(empty($ip)){$ip=$_SERVER['REMOTE_ADDR'];}
|
|
global $auto_restrict;
|
|
if (isset($auto_restrict["banned_ip"][$ip])){
|
|
unset($auto_restrict["banned_ip"][$ip]);
|
|
}
|
|
file_put_contents($auto_restrict['path_to_files'].'/'.$auto_restrict["banned_ip_filename"],'<?php /*Banned IP*/ $auto_restrict["banned_ip"]='.var_export($auto_restrict["banned_ip"],true).' ?>');
|
|
}
|
|
|
|
# check if user IP is banned or not
|
|
function checkIP($ip=null){
|
|
if(empty($ip)){$ip=$_SERVER['REMOTE_ADDR'];}
|
|
global $auto_restrict;
|
|
|
|
if (isset($auto_restrict["banned_ip"][$ip])){
|
|
if ($auto_restrict["banned_ip"][$ip]['nb']<$auto_restrict['max_security_issues_before_ban']){return true;} # below max login fails
|
|
else if ($auto_restrict["banned_ip"][$ip]['date']>=@date('U')){return false;} # active banishment
|
|
else if ($auto_restrict["banned_ip"][$ip]['date']<@date('U')){remove_banned_ip($ip);return true;} # old banishment
|
|
return false;
|
|
}else{return true;}# ip is ok
|
|
}
|
|
|
|
# ------------------------------------------------------------------
|
|
# Misc
|
|
# ------------------------------------------------------------------
|
|
# creates a form with the users list to erase
|
|
function generate_users_formlist($text='Check users to delete account and files'){
|
|
global $auto_restrict;
|
|
echo '<h1>'.$text.'</h1><form action="" method="POST" class="auto_restrict_users_list"><table>';
|
|
foreach ($auto_restrict['users'] as $key=>$user){
|
|
if ($user['status']=='superadmin'){continue;}
|
|
$class=' class="'.$user['status'].'" title="'.e($user['status'],false).'"';
|
|
//if ($user['status']=='admin'){$class=' class="admin" title="admin"';}else{$class='';}
|
|
echo '<tr>';
|
|
echo '<td><label '.$class.'><input type="checkbox" name="user_key[]" value="'.$key.'"/> '.$user['login'].'</label>';
|
|
newToken();
|
|
|
|
echo '</td></tr>';
|
|
}
|
|
echo '</table><input type="submit" value="Ok" class="btn red"/></form>';
|
|
}
|
|
# creates a form with the users list to change status
|
|
function generate_users_status_formlist($text='Select new status for the users',$user_text='user',$admin_text='admin'){
|
|
global $auto_restrict,$PROFILES;
|
|
echo '<h1>'.$text.'</h1><form action="" method="POST" class="auto_restrict_users_status"><input type="hidden" name="users_status" value="1"/><table>';
|
|
foreach ($auto_restrict['users'] as $key=>$user){
|
|
$class=' class="'.$user['status'].'" title="'.e($user['status'],false).'"';
|
|
if (empty($user['status'])||$user['status']!='superadmin'){
|
|
|
|
echo '<tr>';
|
|
echo '<td><label '.$class.'>'.$user['login'].'</label></td>';
|
|
echo '<td><select name="'.$user['login'].'" class="npt">';
|
|
foreach($PROFILES as $profile){
|
|
$selected='';$class='';
|
|
if ($user['status']==$profile){$class='selected="true"';}
|
|
echo '<option value="'.$profile.'" '.$class.'>'.e($profile,false).'</option>';
|
|
}
|
|
echo '</select></td>';
|
|
newToken();
|
|
|
|
echo '</tr>';
|
|
}
|
|
}
|
|
echo '</table><input type="submit" value="Ok" class="btn red"/></form>';
|
|
}
|
|
|
|
function safe_redirect($url=none){
|
|
if (!$url){return false;}
|
|
if (!headers_sent()){header('location: '.$url);}
|
|
else{echo '<script>document.location.href="'.$url.'";</script>';}
|
|
exit;
|
|
}
|
|
|
|
# creates the secured link to the users list form
|
|
function generate_users_list_link($text='See users list'){
|
|
global $auto_restrict;
|
|
echo '<a class="auto_restrict_userslist_link" href="'.$_SERVER["SCRIPT_NAME"].'?p=users&token='.returnToken().'" alt="link to users list" title="'.$text.'"><span class="icon-users" ></span></a>';
|
|
}
|
|
# creates the secured link to new user form
|
|
function generate_new_users_link($text='Add a user'){
|
|
echo '<a class="auto_restrict_new_user_link" href="index.php?p=login&newuser&token='.returnToken().'" alt="link to a new user" title="'.$text.'"><span class="icon-user-add" ></span></a>';
|
|
}
|
|
# creates the secured link to new password form
|
|
function generate_new_password_link($text='Change password'){
|
|
echo '<a class="auto_restrict_new_password_link" href="index.php?p=login&change_password&token='.returnToken().'" alt="link to a new password" title="'.$text.'"><span class="icon-newpass" ></span></a>';
|
|
}
|
|
function first($array){
|
|
if (empty($array)){return false;}
|
|
$akeys=array_keys($array);
|
|
$key=array_shift($akeys);
|
|
return $array[$key];
|
|
}
|
|
?>
|