diff --git a/core/compat.inc.php b/core/compat.inc.php new file mode 100644
index 00000000..3c35e355
--- /dev/null
+++ b/core/compat.inc.php
@@ -0,0 +1,93 @@
+= 5.2.1)
+# Based on http://www.phpit.net/
+# article/creating-zip-tar-archives-dynamically-php/2/
+if(!function_exists('sys_get_temp_dir')) {
+function sys_get_temp_dir() {
+ // Try to get from environment variable
+ if(!empty($_ENV['TMP'])) {
+ return realpath($_ENV['TMP']);
+ }
+ else if(!empty($_ENV['TMPDIR'])) {
+ return realpath($_ENV['TMPDIR']);
+ }
+ else if(!empty($_ENV['TEMP'])) {
+ return realpath($_ENV['TEMP']);
+ }
+
+ // Detect by creating a temporary file
+ else {
+ // Try to use system's temporary directory
+ // as random name shouldn't exist
+ $temp_file = tempnam(md5(uniqid(rand(), TRUE)), '');
+ if($temp_file) {
+ $temp_dir = realpath(dirname($temp_file));
+ unlink($temp_file);
+ return $temp_dir;
+ }
+ else {
+ return FALSE;
+ }
+ }
+}
+}
+
+# (PHP >= 5.1)
+# from http://www.php.net/inet_pton
+if(!function_exists('inet_pton')) {
+function inet_pton($ip) {
+ # ipv4
+ if(strpos($ip, '.') !== FALSE) {
+ $ip = pack('N',ip2long($ip));
+ }
+ # ipv6
+ else if(strpos($ip, ':') !== FALSE) {
+ $ip = explode(':', $ip);
+ $res = str_pad('', (4*(8-count($ip))), '0000', STR_PAD_LEFT);
+ foreach($ip as $seg) {
+ $res .= str_pad($seg, 4, '0', STR_PAD_LEFT);
+ }
+ $ip = pack('H'.strlen($res), $res);
+ }
+ return $ip;
+}
+}
+
+# (PHP >= 5.1)
+# from http://www.php.net/inet_ntop
+if(!function_exists('inet_ntop')) {
+function inet_ntop($ip) {
+ if (strlen($ip)==4) {
+ // ipv4
+ list(,$ip)=unpack('N',$ip);
+ $ip=long2ip($ip);
+ } elseif(strlen($ip)==16) {
+ // ipv6
+ $ip=bin2hex($ip);
+ $ip=substr(chunk_split($ip,4,':'),0,-1);
+ $ip=explode(':',$ip);
+ $res='';
+ foreach($ip as $seg) {
+ while($seg{0}=='0') $seg=substr($seg,1);
+ if ($seg!='') {
+ $res.=($res==''?'':':').$seg;
+ } else {
+ if (strpos($res,'::')===false) {
+ if (substr($res,-1)==':') continue;
+ $res.=':';
+ continue;
+ }
+ $res.=($res==''?'':':').'0';
+ }
+ }
+ $ip=$res;
+ }
+ return $ip;
+}
+}
+?>
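Review bot: The inet_pton() fallback expands a compressed IPv6 address incorrectly: after `explode(':', $ip)` the missing groups are padded on the left, so `2001:db8::1` is encoded as `0000:0000:0000:0000:2001:0db8:0000:0001` instead of having the zero groups inserted at the `::` gap, and an IPv4 string that ip2long() rejects still yields four NUL bytes via `pack('N', FALSE)` where the native function returns FALSE. Because get_session_ip() elsewhere in this commit keys the session hash on this value, distinct clients can collide on one key, or land on a fixed value, on hosts that rely on the polyfill; the rewrite below splits on `::` first, validates every group, and returns FALSE for malformed input (embedded-IPv4 forms such as `::ffff:a.b.c.d` are still unsupported and now also return FALSE rather than NUL bytes). The `$seg{0}` offset in the inet_ntop() fallback should be written `$seg[0]`; the brace form was removed in PHP 8 and would turn this include into a parse error.
```php
function inet_pton($ip) {
    # ipv4
    if(strpos($ip, '.') !== FALSE) {
        $long = ip2long($ip);
        // match the native function: invalid input is FALSE, not "\0\0\0\0"
        if($long === FALSE) return FALSE;
        return pack('N', $long);
    }
    # ipv6: a single '::' stands for the missing zero groups at that position
    else if(strpos($ip, ':') !== FALSE) {
        $halves = explode('::', $ip, 2);
        $head = ($halves[0] === '') ? array() : explode(':', $halves[0]);
        $tail = (count($halves) < 2 || $halves[1] === '') ? array() : explode(':', $halves[1]);
        $missing = 8 - count($head) - count($tail);
        // too many groups, or no '::' but not exactly eight groups
        if($missing < 0 || (count($halves) < 2 && $missing !== 0)) return FALSE;
        $zeros = ($missing > 0) ? array_fill(0, $missing, '0') : array();
        $res = '';
        foreach(array_merge($head, $zeros, $tail) as $seg) {
            if($seg === '' || strlen($seg) > 4 || !ctype_xdigit($seg)) return FALSE;
            $res .= str_pad($seg, 4, '0', STR_PAD_LEFT);
        }
        return pack('H32', $res);
    }
    return FALSE;
}
```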
diff --git a/core/database.class.php b/core/database.class.php
index 1be513dd..e179ec72 100644
--- a/core/database.class.php
+++ b/core/database.class.php
@@ -355,7 +355,7 @@ class Database {
 public function get_user_session($name, $session) {
 $row = $this->db->GetRow("{$this->SELECT_USER} WHERE name LIKE ? AND md5(concat(pass, ?)) = ?",
- array($name, $_SERVER['REMOTE_ADDR'], $session));
+ array($name, get_session_ip(), $session));
 return $row ? new User($row) : null;
 }
diff --git a/core/util.inc.php b/core/util.inc.php
index 731e9592..daadb0df 100644
--- a/core/util.inc.php
+++ b/core/util.inc.php
@@ -199,6 +199,21 @@ function get_memory_limit() {
 return $memory;
 }
+function get_session_ip() {
+ global $config;
+
+ $mask = $config->get_string("session_hash_mask");
+ if(!$mask) {
+ $config->set_string("session_hash_mask", "255.255.0.0");
+ $mask = "255.255.0.0";
+ }
+
+ $addr = $_SERVER['REMOTE_ADDR'];
+ $addr = inet_ntop(inet_pton($addr) & inet_pton($mask));
+
+ return $addr;
+}
+
 /*
 * PHP really, really sucks.
 */
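Review bot: get_session_ip() can return FALSE rather than an address — inet_pton() fails on a `session_hash_mask` value that does not parse, and REMOTE_ADDR is absent outside a web request — and that FALSE is bound here as an empty parameter, so `md5(concat(pass, ?))` quietly degrades to a hash of the stored password column alone and the address binding drops out of the session check without any error being raised. Reject that case before querying: `$addr = get_session_ip(); if($addr === false) return null;` and pass `$addr` in the parameter array. The hunk also assumes core/util.inc.php is loaded before this method runs, which cannot be confirmed from this diff.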
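Review bot: `inet_pton($addr) & inet_pton($mask)` assumes both operands have the same length, but the default mask `255.255.0.0` is four bytes while an IPv6 REMOTE_ADDR is sixteen; PHP's string `&` truncates to the shorter operand, so every IPv6 client is reduced to its first 32 bits and then rendered by inet_ntop() as an IPv4 dotted quad, collapsing unrelated addresses onto one session key. The same truncation happens when either inet_pton() returns FALSE, since FALSE AND-s as an empty string. Check that the two binary values are the same length and fall back to the unmasked address otherwise, as in the rewrite below, and record the trade-off in a header comment such as `# Mask REMOTE_ADDR so a client whose address moves within the configured netblock keeps its session; a wider mask widens the set of hosts that can present the same session hash.`.
```php
function get_session_ip() {
    global $config;
    // … unchanged: read session_hash_mask and seed the 255.255.0.0 default …

    $addr = $_SERVER['REMOTE_ADDR'];
    $bin_addr = inet_pton($addr);
    $bin_mask = inet_pton($mask);
    // An unparsable mask or address, or an IPv4 mask against an IPv6 client,
    // would otherwise be AND-ed as truncated strings; keep the full address
    // instead so the session stays bound to the exact client.
    if($bin_addr === FALSE || $bin_mask === FALSE || strlen($bin_addr) !== strlen($bin_mask)) {
        return $addr;
    }
    return inet_ntop($bin_addr & $bin_mask);
}
```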
@@ -317,39 +332,6 @@ function array_contains($array, $target) {
 return false;
 }
-# (PHP 5 >= 5.2.1)
-if(!function_exists('sys_get_temp_dir')) {
- // Based on http://www.phpit.net/
- // article/creating-zip-tar-archives-dynamically-php/2/
- function sys_get_temp_dir() {
- // Try to get from environment variable
- if(!empty($_ENV['TMP'])) {
- return realpath($_ENV['TMP']);
- }
- else if(!empty($_ENV['TMPDIR'])) {
- return realpath($_ENV['TMPDIR']);
- }
- else if(!empty($_ENV['TEMP'])) {
- return realpath($_ENV['TEMP']);
- }
-
- // Detect by creating a temporary file
- else {
- // Try to use system's temporary directory
- // as random name shouldn't exist
- $temp_file = tempnam(md5(uniqid(rand(), TRUE)), '');
- if($temp_file) {
- $temp_dir = realpath(dirname($temp_file));
- unlink($temp_file);
- return $temp_dir;
- }
- else {
- return FALSE;
- }
- }
- }
-}
-
 // from http://uk.php.net/network
 function ip_in_range($IP, $CIDR) {
 list ($net, $mask) = split ("/", $CIDR);
diff --git a/ext/user/main.php b/ext/user/main.php
index 87534de2..42362416 100644
--- a/ext/user/main.php
+++ b/ext/user/main.php
@@ -186,7 +186,6 @@ class UserPage extends Extension {
 $name = $_POST['user'];
 $pass = $_POST['pass'];
- $addr = $_SERVER['REMOTE_ADDR'];
 $hash = md5(strtolower($name) . $pass);
 $duser = $database->get_user_by_name_and_hash($name, $hash);
@@ -224,7 +223,6 @@ class UserPage extends Extension {
 private function create_user($event) {
 global $database;
- $addr = $_SERVER['REMOTE_ADDR'];
 $hash = md5(strtolower($event->username) . $event->password);
 $email = (!empty($event->email)) ? $event->email : null;
@@ -236,7 +234,7 @@ class UserPage extends Extension {
 private function set_login_cookie($name, $pass) {
 global $config;
- $addr = $_SERVER['REMOTE_ADDR'];
+ $addr = get_session_ip();
 $hash = md5(strtolower($name) . $pass);
 setcookie("shm_user", $name,
@@ -274,7 +272,6 @@ class UserPage extends Extension {
 }
 else {
 global $config;
- $addr = $_SERVER['REMOTE_ADDR'];
 // FIXME: send_event()
 $duser->set_password($pass1);
diff --git a/install.php b/install.php
index 0e3c8895..39c3e823 100644
--- a/install.php
+++ b/install.php
@@ -51,6 +51,7 @@ if(is_readable("config.php")) {
 echo "'config.php' exists -- install function is disabled";
 exit;
 }
+require_once "core/compat.inc.php";
 require_once "lib/adodb/adodb.inc.php";
 require_once "lib/adodb/adodb-xmlschema03.inc.php";
@@ -160,6 +161,7 @@ function install_process() { // {{{
 } // }}}
 function set_admin_cookie($admin_name, $admin_pass) { // {{{
 $addr = $_SERVER['REMOTE_ADDR'];
+ $addr = inet_ntop(inet_pton($addr) & inet_pton("255.255.0.0"));
 $hash = md5(strtolower($admin_name) . $admin_pass);
 setcookie("shm_user", $admin_name, time()+60*60*24*365);
 setcookie("shm_session", md5($hash.$addr), time()+60*60*24*7, "/");
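Review bot: core/compat.inc.php is required only here, yet the new get_session_ip() in core/util.inc.php also calls inet_pton()/inet_ntop(), and sys_get_temp_dir() has just been removed from util.inc.php in this same commit; unless the main entry point already loads it — not visible in this diff — the runtime request path loses both polyfills on builds that need them. Adding the same `require_once "core/compat.inc.php";` ahead of util.inc.php there is safe, since every definition in the file is wrapped in function_exists().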
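Review bot: `inet_pton("255.255.0.0")` here duplicates the default that get_session_ip() seeds into `session_hash_mask`, so the two can drift apart silently, and an installer cookie hashed with one mask is rejected by get_user_session() using the other; the line also has the same IPv4/IPv6 length mismatch as get_session_ip(), since PHP's string `&` truncates a 16-byte IPv6 address to the 4-byte mask. Keep the default in one place — e.g. a `define("DEFAULT_SESSION_HASH_MASK", "255.255.0.0");` (constructed name) in core/compat.inc.php, referenced from both sites — and skip the masking when `strlen(inet_pton($addr)) !== strlen(inet_pton($mask))` or either value is FALSE. set_admin_cookie's body continues outside the hunk.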