Changeset 372:cb84f40f1f4b

Timestamp:

06/15/11 09:06:08 (14 years ago)

Author:

Dsls <dsls@…>

Branch:

default

Parents:

371:38d68ab49087 (diff), 370:527cc81ceccf (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge with latests bugfixes from 2.3.1

Files:

• CHANGELOG (modified) (1 diff)
• CHANGELOG (modified) (2 diffs)
• admin/auth.php (modified) (1 diff)
• admin/auth.php (modified) (6 diffs)
• inc/prepend.php (modified) (1 diff)

CHANGELOG

@@ +1 @@
+Dotclear 2.4.0 - ongoing dev
+===========================================================
+* handling of postgres non default schemas (db_prefix = 'schema.prefix')
+
 Dotclear 2.3.1 - 2001-06-14
 ===========================================================

CHANGELOG

@@ -3 +3 @@
 * handling of postgres non default schemas (db_prefix = 'schema.prefix')
 
-Dotclear 2.3.1 - ongoing dev
+Dotclear 2.3.1 - 2001-06-14
 ===========================================================
 * Updated makefile for cleaner distrib.
@@ -9 +9 @@
 * Misc JS & CSS cleaning.
 * Import/Export preferences-related bugfix.
+* Administrative mail address is now configurable.
+* Security: one minor fix and changes for two potential problems. Thanks to Jeremie Boutoille
 
 Dotclear 2.3.0 - 2011-05-16

admin/auth.php

@@ -143 +143 @@
           }
           
-          # Check login informations
-          $check_user = false;
-          if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
+     # Check login informations
+     $check_user = false;
+     if (isset($data['cookie_admin']) && strlen($data['cookie_admin']) == 104)
+     {
+          $user_id = substr($data['cookie_admin'],40);
+          $user_id = @unpack('a32',@pack('H*',$user_id));
+          if (is_array($user_id))
           {
-               $user_id = substr($data['cookie_admin'],40);
-               $user_id = @unpack('a32',@pack('H*',$user_id));
-               if (is_array($user_id))
-               {
-                    $user_id = $user_id[1];
-                    $user_key = substr($data['cookie_admin'],0,40);
-                    $check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
-               }
-          }
+               $user_id = $user_id[1];
+               $user_key = substr($data['cookie_admin'],0,40);
+               $check_user = $core->auth->checkUser($user_id,null,$user_key) === true;
+          }
+     }
      
           if (!$core->auth->allowPassChange() || !$check_user) {

admin/auth.php

@@ -23 +23 @@
 $dlang = http::getAcceptLanguage();
 $dlang = ($dlang == '' ? 'en' : $dlang);
-if ($dlang != 'en')
+if ($dlang != 'en' && preg_match('/^[a-z]{2}(-[a-z]{2})?$/',$dlang))
 {
      l10n::set(dirname(__FILE__).'/../locales/'.$dlang.'/main');
@@ -90 +90 @@
           $page_url.'?akey='.$recover_key;
           
-          $headers[] = 'From: dotclear@'.$_SERVER['HTTP_HOST'];
+          $headers[] = 'From: '.(defined('DC_ADMIN_MAILFROM') && DC_ADMIN_MAILFROM ? DC_ADMIN_MAILFROM : 'dotclear@local');
           $headers[] = 'Content-Type: text/plain; charset=UTF-8;';
           
@@ -126 +126 @@
 }
 # Change password and retry to log
-elseif ($change_pwd and $data = unserialize(base64_decode($_POST['login_data'])))
-{
+elseif ($change_pwd)
+{
+     try
+     {
+          $tmp_data = explode('/',$_POST['login_data']);
+          if (count($tmp_data) != 3) {
+               throw new Exception();
+          }
+          $data = array(
+               'user_id'=>base64_decode($tmp_data[0]),
+               'cookie_admin'=>$tmp_data[1],
+               'user_remember'=>$tmp_data[2]=='1'
+          );
+          if ($data['user_id'] === false) {
+               throw new Exception();
+          }
+          
      # Check login informations
      $check_user = false;
@@ -142 +157 @@
      }
      
-     try
-     {
           if (!$core->auth->allowPassChange() || !$check_user) {
                $change_pwd = false;
@@ -166 +179 @@
           $_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
           
-          if (!empty($data['blog_id'])) {
-               $_SESSION['sess_blog_id'] = $data['blog_id'];
-          }
-          
-          if (!empty($data['user_remember']))
+          if ($data['user_remember'])
           {
                setcookie('dc_admin',$data['cookie_admin'],strtotime('+15 days'),'','',DC_ADMIN_SSL);
@@ -193 +202 @@
      if ($check_user && $core->auth->mustChangePassword())
      {
-          $login_data = base64_encode(serialize(array(
-               'user_id'=>$user_id,
-               'cookie_admin'=>$cookie_admin,
-               'blog_id'=>(!empty($_POST['blog']) ? $_POST['blog'] : ''),
-               'user_remember'=>!empty($_POST['user_remember'])
-          )));
+          $login_data = join('/',array(
+               base64_encode($user_id),
+               $cookie_admin,
+               empty($_POST['user_remember'])?'0':'1'
+          ));
           
           if (!$core->auth->allowPassChange()) {

inc/prepend.php

@@ -118 +118 @@
 # Constants
 define('DC_ROOT',path::real(dirname(__FILE__).'/..'));
-define('DC_VERSION','2.3.2-dev');
+define('DC_VERSION','2.4.0-dev');
 define('DC_DIGESTS',dirname(__FILE__).'/digests');
 define('DC_L10N_ROOT',dirname(__FILE__).'/../locales');