--- a/includes/sessions.php Mon Sep 17 11:52:58 2007 -0400
+++ b/includes/sessions.php Tue Sep 18 00:30:43 2007 -0400
@@ -150,7 +150,8 @@
* @var string
*/
- var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+ //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+ var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
/**
* What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
@@ -576,10 +577,21 @@
// Initialize our success switch
$success = false;
+ // Escaped username
+ $db_username = $this->prepare_text(strtolower($username));
+
// Select the user data from the table, and decrypt that so we can verify the password
- $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
+ $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
if($db->numrows() < 1)
- return 'The username and/or password is incorrect.';
+ {
+ // This wasn't logged in <1.0.2, dunno how it slipped through
+ if($level > USER_LEVEL_MEMBER)
+ $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+ else
+ $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+
+ return "The username and/or password is incorrect.";
+ }
$row = $db->fetchrow();
// Check to see if we're logging in using a temporary password
@@ -1392,24 +1404,51 @@
$username = $this->prepare_text($username);
$email = $this->prepare_text($email);
$real_name = $this->prepare_text($real_name);
- $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
$nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
$q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE lcase(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
- if($db->numrows() > 0) {
+ if($db->numrows() > 0)
+ {
$r = 'The ';
$i=0;
$row = $db->fetchrow();
// Wow! An error checker that actually speaks English with the properest grammar! :-P
- if($row['username'] == $username) { $r .= 'username'; $i++; }
- if($row['email'] == $email) { if($i) $r.=', '; $r .= 'e-mail address'; $i++; }
- if($row['real_name'] == $real_name && $real_name != '') { if($i) $r.=', and '; $r .= 'real name'; $i++; }
+ if ( $row['username'] == $username )
+ {
+ $r .= 'username';
+ $i++;
+ }
+ if ( $row['email'] == $email )
+ {
+ if($i) $r.=', ';
+ $r .= 'e-mail address';
+ $i++;
+ }
+ if ( $row['real_name'] == $real_name && $real_name != '' )
+ {
+ if($i) $r.=', and ';
+ $r .= 'real name';
+ $i++;
+ }
$r .= ' that you entered ';
$r .= ( $i == 1 ) ? 'is' : 'are';
$r .= ' already in use by another user.';
return $r;
}
+ // Is the password strong enough?
+ if ( getConfig('pw_strength_enable') )
+ {
+ $min_score = intval( getConfig('pw_strength_minimum') );
+ $pass_score = password_score($password);
+ if ( $pass_score < $min_score )
+ {
+ return 'The password you entered did not meet the complexity requirements for this site. Please choose a stronger password.';
+ }
+ }
+
+ $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
+
// Require the account to be activated?
switch(getConfig('account_activation'))
{