Changes in [372:cb84f40f1f4b:371:38d68ab49087]

Files:

• .hgtags (modified) (1 diff)
• CHANGELOG (modified) (2 diffs)
• admin/auth.php (modified) (6 diffs)
• admin/install/wizard.php (modified) (1 diff)
• inc/config.php.in (modified) (1 diff)

.hgtags

@@ -1 +1 @@
 ec077f3c6b20bc6f7f40a113acaff0220457a2c4 2.3.0
-4e0137ddb12474d62b88c4966d5895a391b6d382 2.3.1

CHANGELOG

@@ -3 +3 @@
 * handling of postgres non default schemas (db_prefix = 'schema.prefix')
 
-Dotclear 2.3.1 - 2001-06-14
+Dotclear 2.3.1 - ongoing dev
 ===========================================================
 * Updated makefile for cleaner distrib.
@@ -9 +9 @@
 * Misc JS & CSS cleaning.
 * Import/Export preferences-related bugfix.
-* Administrative mail address is now configurable.
-* Security: one minor fix and changes for two potential problems. Thanks to Jeremie Boutoille
 
 Dotclear 2.3.0 - 2011-05-16

admin/auth.php

@@ -23 +23 @@
 $dlang = http::getAcceptLanguage();
 $dlang = ($dlang == '' ? 'en' : $dlang);
-if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang))
+if ($dlang != 'en')
 {
      l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
@@ -90 +90 @@
           $page_url.'?akey='.$recover_key;
           
-          $headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
+          $headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
           $headers[] = 'Content-Type: text/plain; charset=UTF-8;';
           
@@ -126 +126 @@
 }
 # Change password and retry to log
-elseif ($change_pwd)
-{
-     try
-     {
-          $tmp_data = explode('/',$_POST['login_data']);
-          if (count($tmp_data) != 3) {
-               throw new Exception();
-          }
-          $data = array(
-               'user_id'=>base64_decode($tmp_data[0]),
-               'cookie_admin'=>$tmp_data[1],
-               'user_remember'=>$tmp_data[2]=='1'
-          );
-          if ($data['user_id'] === false) {
-               throw new Exception();
-          }
-          
+elseif ($change_pwd and $data = unserialize(base64_decode($_POST['login_data'])))
+{
      # Check login informations
      $check_user = false;
@@ -157 +142 @@
      }
      
+     try
+     {
           if (!$core->auth->allowPassChange() || !$check_user) {
                $change_pwd = false;
@@ -179 +166 @@
           $_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
           
-          if ($data['user_remember'])
+          if (!empty($data['blog_id'])) {
+               $_SESSION['sess_blog_id'] = $data['blog_id'];
+          }
+          
+          if (!empty($data['user_remember']))
           {
                setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
@@ -202 +193 @@
      if ($check_user && $core->auth->mustChangePassword())
      {
-          $login_data = join('/',array(
-               base64_encode($user_id),
-               $cookie_admin,
-               empty($_POST['user_remember'])?'0':'1'
-          ));
+          $login_data = base64_encode(serialize(array(
+               'user_id'=>$user_id,
+               'cookie_admin'=>$cookie_admin,
+               'blog_id'=>(!empty($_POST['blog']) ? $_POST['blog'] : ''),
+               'user_remember'=>!empty($_POST['user_remember'])
+          )));
           
           if (!$core->auth->allowPassChange()) {

admin/install/wizard.php

@@ -100 +100 @@
           $admin_url = preg_replace('%install/wizard.php$%','',$_SERVER['REQUEST_URI']);
           writeConfigValue('DC_ADMIN_URL',http::getHost().$admin_url,$full_conf);
-          writeConfigValue('DC_ADMIN_MAILFROM','dotclear@'.$_SERVER['HTTP_HOST'],$full_conf);
           writeConfigValue('DC_MASTER_KEY',md5(uniqid()),$full_conf);
           

inc/config.php.in

@@ -40 +40 @@
 define('DC_ADMIN_URL','');
 
-// Admin mail from address. For password recovery and such.
-define('DC_ADMIN_MAILFROM','');
-
 // Cookie's name
 define('DC_SESSION_NAME','dcxd');