added some security improvements

This commit is contained in:
JT Smith 2004-04-19 18:39:16 +00:00
parent ffd532dcf1
commit e324246158
6 changed files with 41 additions and 29 deletions


@ -406,33 +406,30 @@ sub displayAccount {
=cut
sub displayLogin {
my $self = shift;
my $self = shift;
my $method = $_[0] || "login";
my $vars = $_[1];
my $template = $_[2] || 'Auth/'.$self->authMethod.'/Login';
unless ($session{env}{REQUEST_URI} =~ "displayLogin" || $session{env}{REQUEST_URI} =~ "displayAccount" ||
$session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
$session{env}{REQUEST_URI} =~ "logout" || $session{env}{REQUEST_URI} =~ "deactivateAccount"){
WebGUI::Session::setScratch("redirectAfterLogin",$session{env}{REQUEST_URI});
}
$vars->{title} = WebGUI::International::get(66);
$vars->{'login.form.header'} = WebGUI::Form::formHeader({});
$vars->{'login.form.header'} = WebGUI::Form::formHeader();
if ($session{setting}{encryptLogin}) {
$vars->{'login.form.header'} =~ s/http:/https:/;
}
$vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
$vars->{'login.form.header'} =~ s/http:/https:/;
}
$vars->{'login.form.hidden'} = WebGUI::Form::hidden({"name"=>"op","value"=>"auth"});
$vars->{'login.form.hidden'} .= WebGUI::Form::hidden({"name"=>"method","value"=>$method});
$vars->{'login.form.username'} = WebGUI::Form::text({"name"=>"username"});
$vars->{'login.form.username.label'} = WebGUI::International::get(50);
$vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
$vars->{'login.form.password.label'} = WebGUI::International::get(51);
$vars->{'login.form.username.label'} = WebGUI::International::get(50);
$vars->{'login.form.password'} = WebGUI::Form::password({"name"=>"identifier"});
$vars->{'login.form.password.label'} = WebGUI::International::get(51);
$vars->{'login.form.submit'} = WebGUI::Form::submit({"value"=>WebGUI::International::get(52)});
$vars->{'login.form.footer'} = "</form>";
$vars->{'anonymousRegistration.isAllowed'} = ($session{setting}{anonymousRegistration});
$vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
$vars->{'createAccount.label'} = WebGUI::International::get(67);
$vars->{'createAccount.url'} = WebGUI::URL::page('op=createAccount');
$vars->{'createAccount.label'} = WebGUI::International::get(67);
return WebGUI::Template::process(WebGUI::Template::get(1,$template), $vars);
}
@ -745,7 +742,7 @@ sub username {
sub validUsername {
my $self = shift;
my $username = $_[0];
my $username = WebGUI::Macro::negate($_[0]);
my $error = "";
if($self->_isDuplicateUsername($username)){
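Review bot: `validUsername` now runs the duplicate check on the macro-negated name (`my $username = WebGUI::Macro::negate($_[0]);`), but whether the caller stores that same negated string is outside this hunk; if the raw `$_[0]` is what ends up saved, the uniqueness check and the stored username can disagree. Worth confirming at the call site, or normalising the username in one place so validation and storage use the identical value. In the `displayLogin` hunk above, the `REQUEST_URI` tests still use bare strings as patterns (`=~ "displayLogin"`); spelling them as explicit regexes such as `m{displayLogin}` makes the intent visible and guards against a future literal containing a metacharacter. `validUsername`'s body continues past the end of the hunk.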


@ -15,6 +15,7 @@ use strict;
use WebGUI::Auth;
use WebGUI::DateTime;
use WebGUI::HTMLForm;
use WebGUI::Macro;
use WebGUI::Mail;
use WebGUI::Session;
use WebGUI::SQL;
@ -33,8 +34,8 @@ our @ISA = qw(WebGUI::Auth);
sub _isValidPassword {
my $self = shift;
my $password = shift;
my $confirm = shift;
my $password = WebGUI::Macro::negate(shift);
my $confirm = WebGUI::Macro::negate(shift);
my $error = "";
if ($password ne $confirm) {
@ -244,16 +245,14 @@ sub displayAccount {
=cut
sub displayLogin {
my $self = shift;
my $vars;
return $self->displayAccount($_[0]) if ($self->userId != 1);
$vars->{'login.message'} = $_[0] if ($_[0]);
$vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
$vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
$vars->{'recoverPassword.label'} = WebGUI::International::get(59);
return $self->SUPER::displayLogin("login",$vars);
my $self = shift;
my $vars;
return $self->displayAccount($_[0]) if ($self->userId != 1);
$vars->{'login.message'} = $_[0] if ($_[0]);
$vars->{'recoverPassword.isAllowed'} = $self->getSetting("passwordRecovery");
$vars->{'recoverPassword.url'} = WebGUI::URL::page('op=recoverPassword');
$vars->{'recoverPassword.label'} = WebGUI::International::get(59);
return $self->SUPER::displayLogin("login",$vars);
}
#-------------------------------------------------------------------
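Review bot: `_isValidPassword` now compares `WebGUI::Macro::negate(shift)` for both the password and its confirmation, which silently alters any password containing macro syntax before it is checked; if the code that hashes and stores the password does not apply the same transformation (that path is outside this hunk), the saved secret will differ from what was validated here and the user can be locked out by a password that passed the check. Please confirm the storing path uses the identical negated value, and record the contract on the sub, e.g. `# password and confirmation are macro-negated before validation; storage must apply the same negation`. The `_isValidPassword` body continues beyond the hunk, and the trailing `displayLogin` block appears to be a whitespace-only change.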


@ -115,7 +115,7 @@ sub validateProfileData {
$a = WebGUI::SQL->read("select * from userProfileField,userProfileCategory where userProfileField.profileCategoryId=userProfileCategory.profileCategoryId
and userProfileCategory.editable=1 and userProfileField.editable=1 order by userProfileCategory.sequenceNumber,userProfileField.sequenceNumber");
while (%field = $a->hash) {
$data{$field{fieldName}} = WebGUI::FormProcessor::process($field{fieldName},$field{dataType});
$data{$field{fieldName}} = WebGUI::Macro::negate(WebGUI::FormProcessor::process($field{fieldName},$field{dataType}));
if ($field{required} && $data{$field{fieldName}} eq "") {
$error .= '<li>'.(eval $field{fieldLabel}).' '.WebGUI::International::get(451);
}elsif($field{fieldName} eq "email" && isDuplicateEmail($data{$field{fieldName}})){
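Review bot: The line `$error .= '<li>'.(eval $field{fieldLabel}).' '.WebGUI::International::get(451);` still performs a string `eval` on `fieldLabel`, a column read from `userProfileField` by the query at the top of the hunk, so anyone able to edit a profile field's label can run Perl inside the server process; the new `WebGUI::Macro::negate` wrapper on the submitted value does not cover this. If the labels are stored as fixed lookup expressions, resolving them through an explicit function that accepts only an identifier and calls `WebGUI::International::get` would remove the eval; if arbitrary expressions are genuinely required, that should at least be stated in a comment on this line. The rest of `validateProfileData` lies outside the hunk.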


@ -109,6 +109,9 @@ sub _setupSessionVars {
tie %vars, 'Tie::CPHash';
if ($_[0] ne "") {
%vars = WebGUI::SQL->quickHash("select * from userSession where sessionId='$_[0]'");
if ($vars{expires} < _time()) {
WebGUI::Session::end($_[0]);
}
if ($vars{sessionId} ne "") {
$session{scratch} = WebGUI::SQL->buildHashRef("select name,value from userSessionScratch
where sessionId=".quote($_[0]));
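Review bot: After `WebGUI::Session::end($_[0]);` in the new expiry branch, `%vars` still holds the row that was just loaded, so the following `if ($vars{sessionId} ne "")` appears to go on populating the session from an expired record; clearing the hash inside the branch, `%vars = ();` immediately after the `end` call, would make the expiry take effect in the same request (the remainder of `_setupSessionVars` is outside the hunk, so this is inferred). Separately, the `quickHash` query interpolates `$_[0]` directly into the SQL string while the scratch query two lines below uses `quote($_[0])`; `"select * from userSession where sessionId=".quote($_[0])` would be consistent and keeps the session id from being interpreted as SQL.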