includes/sessions.php
changeset 133 af0f6ec48de3
parent 131 f59a8881f7e9
child 135 c5dbad7ec2d0
--- a/includes/sessions.php	Mon Sep 17 11:52:58 2007 -0400
+++ b/includes/sessions.php	Tue Sep 18 00:30:43 2007 -0400
@@ -150,7 +150,8 @@
    * @var string
    */
    
-   var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+  //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
+  var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
    
   /**
    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
@@ -576,10 +577,21 @@
     // Initialize our success switch
     $success = false;
     
+    // Escaped username
+    $db_username = $this->prepare_text(strtolower($username));
+    
     // Select the user data from the table, and decrypt that so we can verify the password
-    $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$this->prepare_text(strtolower($username)).'\';');
+    $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
     if($db->numrows() < 1)
-      return 'The username and/or password is incorrect.';
+    {
+      // This wasn't logged in <1.0.2, dunno how it slipped through
+      if($level > USER_LEVEL_MEMBER)
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
+      else
+        $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
+        
+      return "The username and/or password is incorrect.";
+    }
     $row = $db->fetchrow();
     
     // Check to see if we're logging in using a temporary password
@@ -1392,24 +1404,51 @@
     $username = $this->prepare_text($username);
     $email = $this->prepare_text($email);
     $real_name = $this->prepare_text($real_name);
-    $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
     
     $nameclause = ( $real_name != '' ) ? ' OR real_name=\''.$real_name.'\'' : '';
     $q = $this->sql('SELECT * FROM '.table_prefix.'users WHERE lcase(username)=\''.strtolower($username).'\' OR email=\''.$email.'\''.$nameclause.';');
-    if($db->numrows() > 0) {
+    if($db->numrows() > 0)
+    {
       $r = 'The ';
       $i=0;
       $row = $db->fetchrow();
       // Wow! An error checker that actually speaks English with the properest grammar! :-P
-      if($row['username'] == $username) { $r .= 'username'; $i++; }
-      if($row['email'] == $email) { if($i) $r.=', '; $r .= 'e-mail address'; $i++; }
-      if($row['real_name'] == $real_name && $real_name != '') { if($i) $r.=', and '; $r .= 'real name'; $i++; }
+      if ( $row['username'] == $username )
+      {
+        $r .= 'username';
+        $i++;
+      }
+      if ( $row['email'] == $email )
+      {
+        if($i) $r.=', ';
+        $r .= 'e-mail address';
+        $i++;
+      }
+      if ( $row['real_name'] == $real_name && $real_name != '' )
+      {
+        if($i) $r.=', and ';
+        $r .= 'real name';
+        $i++;
+      }
       $r .= ' that you entered ';
       $r .= ( $i == 1 ) ? 'is' : 'are';
       $r .= ' already in use by another user.';
       return $r;
     }
     
+    // Is the password strong enough?
+    if ( getConfig('pw_strength_enable') )
+    {
+      $min_score = intval( getConfig('pw_strength_minimum') );
+      $pass_score = password_score($password);
+      if ( $pass_score < $min_score )
+      {
+        return 'The password you entered did not meet the complexity requirements for this site. Please choose a stronger password.';
+      }
+    }
+    
+    $password = $aes->encrypt($password, $this->private_key, ENC_HEX);
+    
     // Require the account to be activated?
     switch(getConfig('account_activation'))
     {