  • 5 commits
  • 19 files changed
  • 0 commit comments
  • 2 contributors
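--- a/datas/cache/templates/index.html
+++ b/datas/cache/templates/index.html
@@ -0,0 +1,2 @@
+<h1>Forbidden</h1>
+<!-- No directory listing available -->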
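Review bot: An index.html only hides the directory listing of datas/cache/templates; it does not stop a direct request for a cached template by file name if the web server serves that directory at all. The robust control is a server-level deny on the directory (for Apache an .htaccess with `Deny from all`, or the equivalent location rule), with this file kept as a fallback for hosts that ignore per-directory rules.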
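--- a/datas/config-sample.php
+++ b/datas/config-sample.php
@@ -27,6 +27,8 @@
 // ========================
 $cfg['mainurl'] = 'http://localhost';
+$cfg['site_id'] = 'Some unique string specific to your site';
+$cfg['secret_key'] = 'Secret key used for authentication, make it unique and keep in secret!';
 // ========================
 // Default skin and default language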
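Review bot: The sample values for `$cfg['secret_key']` and `$cfg['site_id']` are plain prose, so an installation that copies config-sample.php without editing ends up with a well-known HMAC key; in system/common.php the session cookie is validated with `hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])`, so with the sample key a cookie can be derived from any leaked `user_sid`. Consider having the installer generate a random value (the commit already uses `sed_unique(16)` for salts) and adding a startup check that refuses to run while `secret_key` still equals the sample string. A comment such as `// Must be a long random string; changing it invalidates every active session` would also document the rotation cost.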
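--- a/plugins/passrecover/passrecover.php
+++ b/plugins/passrecover/passrecover.php
@@ -116,7 +116,12 @@ function sed_randompass()
 $validationkey = md5(microtime());
 $newpass = sed_randompass();
- $sql = sed_sql_query("UPDATE $db_users SET user_password='".md5($newpass)."', user_lostpass='$validationkey' WHERE user_id='$ruserid'");
+ $ruserpass = array();
+ $ruserpass['user_passsalt'] = sed_unique(16);
+ $ruserpass['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruserpass['user_password'] = sed_hash($newpass, $ruserpass['user_passsalt'], $ruserpass['user_passfunc']);
+ $ruserpass['user_lostpass'] = $validationkey;
+ sed_sql_update($db_users, "user_id=$ruserid", $ruserpass);
 $rsubject = $cfg['maintitle']." - ".$L['plu_title'];
 $rbody = $L['Hi']." ".$rusername.",\n\n".$L['plu_email2']."\n\n".$newpass. "\n\n".$L['aut_contactadmin'];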
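Review bot: The expression `empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc']` is repeated here and in users.edit.inc.php and users.register.inc.php, and in each place the raw config value is written to `user_passfunc` while `sed_hash()` silently substitutes sha256 for any algo it does not know, so the stored function name can disagree with the hash actually computed. Centralising this in one helper that returns a value validated against `sed_hash_funcs()` removes the drift. Separately, the new `sed_sql_update()` call interpolates `$ruserid` unquoted into `"user_id=$ruserid"`; if it is already cast by an import above the hunk that is fine, otherwise `"user_id=" . (int) $ruserid` is the safe form. The validation key on the context line above is `md5(microtime())`, which is predictable; the `sed_unique(16)` introduced in this commit would be a better source for it as well.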
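--- a/plugins/tags/lang/tags.en.lang.php
+++ b/plugins/tags/lang/tags.en.lang.php
@@ -41,6 +41,7 @@
 $L['cfg_order'] = array('Cloud output order &mdash; alphabetical, descending frequency or random');
 $L['cfg_pages'] = array('Enable tags in pages');
 $L['cfg_perpage'] = array('Tags displayed per page in standalone cloud, 0 is all at once');
+$L['cfg_sort'] = array('Default sorting column for tag search results');
 $L['cfg_title'] = array('Capitalize first letters of keywords');
 $L['cfg_translit'] = array('Transliterate tags in URLs');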
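--- a/plugins/tags/lang/tags.ru.lang.php
+++ b/plugins/tags/lang/tags.ru.lang.php
@@ -47,6 +47,7 @@
 $L['cfg_order'] = array('Сортировка облака тегов','по алфавиту, по убыванию частотности, случайным образом');
 $L['cfg_pages'] = array('Включить теги для страниц');
 $L['cfg_perpage'] = array('Тегов на странице в облаке всех тегов, 0 - все теги сразу');
+$L['cfg_sort'] = array('Сортировка по умолчанию в результатах поиска по тегам');
 $L['cfg_title'] = array('Первые буквы тегов прописными');
 $L['cfg_translit'] = array('Транслитерировать теги в URL-адресах');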
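--- a/plugins/tags/tags.php
+++ b/plugins/tags/tags.php
@@ -39,6 +39,10 @@
 // Sorting order
 $o = sed_import('order', 'P', 'ALP');
+if (empty($o))
+{
+ $o = mb_strtolower($cfg['plugin']['tags']['sort']);
+}
 $tag_order = '';
 $tag_orders = array('Title', 'Date', 'Category');
 foreach ($tag_orders as $order)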
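Review bot: The fallback `mb_strtolower($cfg['plugin']['tags']['sort'])` yields `id` for the default set in tags.setup.php, which is not among the `$tag_orders` values `Title`, `Date`, `Category` two lines below, so presumably it falls through to the empty `$tag_order`; the loop that maps `$o` to a column continues outside the hunk, so please confirm that a lowercased value matches whatever comparison is done there, since `'Title'` versus `'title'` would never match case-sensitively. A comment such as `// Config value is a column label; normalise to the POSTed order keys` would make the intent of the lowercasing explicit.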
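--- a/plugins/tags/tags.setup.php
+++ b/plugins/tags/tags.setup.php
@@ -4,10 +4,10 @@
 Code=tags
 Name=Tags
 Description=Basic Tags implementation
-Version=0.0.6
-Date=2009-jun-28
+Version=0.6.24
+Date=2012-07-30
 Author=Trustmaster
-Copyright=All rights reserved (c) 2008-2009, Vladimir Sibirov.
+Copyright=All rights reserved (c) 2008-2012, Vladimir Sibirov.
 Notes=BSD License.
 SQL=
 Auth_guests=R
@@ -29,6 +29,7 @@
 more=10:radio::1:Show 'All tags' link in tag clouds
 perpage=11:string::0:Tags displayed per page in standalone cloud, 0 is all at once
 index=12:select:pages,forums,all:pages:Index page tag cloud area
+sort=31:select:ID,Title,Date,Category:ID:Default sorting column for tag search results
 [END_SED_EXTPLUGIN_CONFIG]
 ==================== */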
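--- a/sql/cotonti-install.sql
+++ b/sql/cotonti-install.sql
@@ -320,6 +320,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
 ('core', 'main', '20', 'shieldzhammer', 2, '25', '', ''),
 ('core', 'main', '30', 'jquery', 3, '1', '', ''),
 ('core', 'main', '31', 'turnajax', 3, '1', '1', ''),
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
 ('core', 'parser', '10', 'parser_custom', 3, '0', '', ''),
 ('core', 'parser', '10', 'parser_cache', 3, '1', '', ''),
 ('core', 'parser', '10', 'parser_disable', 3, '0', '', ''),
@@ -493,6 +494,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
 ('plug', 'tags', '9', 'lim_index', 1, '0', '', ' Limit of tags in a cloud displayed on index, 0 is unlimited'),
 ('plug', 'tags', '10', 'more', 3, '1', '', 'Show All Tags link in tag clouds'),
 ('plug', 'tags', '12', 'index', 2, 'pages', 'pages,forums,all', 'Index page tag cloud area'),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results'),
 ('core', 'comments', '03', 'expand_comments', 3, '1', '', ''),
 ('core', 'ratings', '02', 'ratings_allowchange', 3, '0', '', ''),
 ('core', 'comments', '04', 'maxcommentsperpage', 2, '15', '', ''),
@@ -977,7 +979,9 @@ CREATE TABLE `sed_users` (
 `user_id` int(11) unsigned NOT NULL auto_increment,
 `user_banexpire` int(11) default '0',
 `user_name` varchar(100) collate utf8_unicode_ci NOT NULL,
- `user_password` varchar(32) collate utf8_unicode_ci NOT NULL default '',
+ `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '',
+ `user_passfunc` VARCHAR(32) NOT NULL default 'sha256',
+ `user_passsalt` VARCHAR(16) NOT NULL default '',
 `user_maingrp` int(11) NOT NULL default '4',
 `user_country` char(2) collate utf8_unicode_ci NOT NULL default '',
 `user_text` text collate utf8_unicode_ci NOT NULL,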
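Review bot: The new `hashfunc` config row uses `config_type` 1 with an empty option list, so it is a free-text setting, while the code only implements `md5`, `sha1` and `sha256` and `sed_hash()` silently falls back to sha256 for anything else; the `sort` row in the next hunk shows the select form, so `('core', 'main', '42', 'hashfunc', 2, 'sha256', 'md5,sha1,sha256', '')` would constrain the value at its source. The same row is inserted in sql/patch-0.6.23-0.6.24.sql and system/functions.admin.php and should change in step. In the `sed_users` hunk, `user_passfunc` and `user_passsalt` are declared without the `collate utf8_unicode_ci` that every neighbouring varchar column carries, which leaves those two columns on the table's implicit collation.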
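--- a/sql/patch-0.6.23-0.6.24.sql
+++ b/sql/patch-0.6.23-0.6.24.sql
@@ -0,0 +1,9 @@
+ALTER TABLE `sed_users` MODIFY `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '';
+ALTER TABLE `sed_users` ADD `user_passfunc` VARCHAR(32) NOT NULL default 'sha256';
+ALTER TABLE `sed_users` ADD `user_passsalt` VARCHAR(16) NOT NULL default '';
+
+UPDATE `sed_users` SET `user_passfunc` = 'md5';
+
+INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_name`, `config_type`, `config_value`, `config_default`, `config_text`) VALUES
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results');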
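--- a/system/common.php
+++ b/system/common.php
@@ -51,7 +51,7 @@ function sed_disable_mqgpc(&$value, $key)
 }
 // Mbstring options
-mb_internal_encoding($cfg['charset']);
+mb_internal_encoding('UTF-8');
 /* ======== Extra settings (the other presets are in functions.php) ======== */
@@ -226,14 +226,14 @@ function sed_disable_mqgpc(&$value, $key)
 {
 $u = empty($_SESSION[$site_id]) ? explode(':', base64_decode($_COOKIE[$site_id])) : explode(':', base64_decode($_SESSION[$site_id]));
 $u_id = (int) sed_import($u[0], 'D', 'INT');
- $u_sid = sed_sql_prep($u[1]);
+ $u_sid = $u[1];
 if ($u_id > 0)
 {
- $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id AND user_sid = '$u_sid'");
-
+ $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id");
 if ($row = sed_sql_fetcharray($sql))
 {
- if ($row['user_maingrp'] > 3
+ if ($u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])
+ && $row['user_maingrp'] > 3
 && ($cfg['ipcheck'] == FALSE || $row['user_lastip'] == $usr['ip'])
 && $row['user_sidtime'] + $cfg['cookielifetime'] > $sys['now_offset'])
 {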
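Review bot: The cookie check `$u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])` uses loose comparison on a client-supplied string: PHP compares two numeric-looking strings numerically, so a cookie value such as `0` is equal to any HMAC of the form `0e` followed only by digits. Use `hash_equals()` where available (PHP 5.6+), or at least `===`, e.g. `if (hash_equals(hash_hmac('sha1', $row['user_sid'], $cfg['secret_key']), (string) $u_sid)`. Since users.logout.inc.php now clears `user_sid` to `''`, the condition should also require `$row['user_sid'] !== ''`, so an account logged out everywhere can never validate against the HMAC of an empty string. The enclosing block starts and continues outside the hunk.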
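--- a/system/core/admin/admin.hits.inc.php
+++ b/system/core/admin/admin.hits.inc.php
@@ -37,7 +37,7 @@
 if($f == 'year' || $f == 'month')
 {
 $adminpath[] = array(sed_url('admin', 'm=hits&f='.$f.'&v='.$v), "(".$v.")");
- $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
+ $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '".sed_sql_prep($v)."%' ORDER BY stat_name DESC");
 while($row = sed_sql_fetcharray($sql))
 {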
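Review bot: `sed_sql_prep($v)` presumably escapes quotes but, as far as can be seen from here, not the LIKE metacharacters, so a `%` or `_` in `$v` still widens the `stat_name LIKE '...%'` pattern; for this admin-only year/month filter that is only a data-scope issue, but `addcslashes(sed_sql_prep($v), '%_')` would close it. The enclosing `if` block continues outside the hunk.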
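--- a/system/core/users/users.auth.inc.php
+++ b/system/core/users/users.auth.inc.php
@@ -34,7 +34,7 @@
 /* ===== */
 $rusername = sed_import('rusername','P','TXT', 100, TRUE);
- $rpassword = sed_import('rpassword','P','PSW', 16, TRUE);
+ $rpassword = sed_import('rpassword','P','TXT', 16, TRUE);
 $rcookiettl = sed_import('rcookiettl', 'P', 'INT');
 $rremember = sed_import('rremember', 'P', 'BOL');
 if(empty($rremember) && $rcookiettl > 0 || $cfg['forcerememberme'])
@@ -46,6 +46,15 @@
 $login_param = preg_match('#^[\w\p{L}][\.\w\p{L}\-]*@[\w\p{L}\.\-]+\.[\w\p{L}]+$#u', $rusername) ?
 'user_email' : 'user_name';
+ // Load salt and algo from db
+ $sql = sed_sql_query("SELECT user_passsalt, user_passfunc FROM $db_users WHERE $login_param='".sed_sql_prep($rusername)."'");
+ if (sed_sql_numrows($sql) == 1)
+ {
+ $hash_params = sed_sql_fetchassoc($sql);
+ $rmdpass = sed_hash($rpassword, $hash_params['user_passsalt'], $hash_params['user_passfunc']);
+ unset($hash_params);
+ }
+
 /**
 * Sets user selection criteria for authentication. Override this string in your plugin
 * hooking into users.auth.check.query to provide other authentication methods.
@@ -108,6 +117,9 @@
 sed_sql_query("UPDATE $db_users SET user_lastip='{$usr['ip']}', user_lastlog = {$sys['now_offset']}, user_logcount = user_logcount + 1, user_token = '$token' $update_sid WHERE user_id={$row['user_id']}");
+ // Hash the sid once more so it can't be faked even if you know user_sid
+ $sid = hash_hmac('sha1', $sid, $cfg['secret_key']);
+
 $u = base64_encode($ruserid.':'.$sid);
 if($rremember)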
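Review bot: `$rmdpass` is assigned only when the salt lookup returns exactly one row, so for an unknown user (or a duplicated e-mail) it stays undefined and whatever comparison follows outside the hunk interpolates an empty string; `user_password` defaults to `''` in the schema, so initialise it to a value that cannot match, e.g. `$rmdpass = sed_hash(sed_unique(16), sed_unique(16));` before the query. `user_passfunc` is also never upgraded: accounts migrated with `user_passfunc = 'md5'` keep an unsalted MD5 indefinitely, so after a successful login, where the plaintext is still in `$rpassword`, rehash with `$cfg['hashfunc']` and a fresh `sed_unique(16)` salt whenever `$row['user_passfunc']` differs from it. The new lookup duplicates the user selection done by the main authentication query; selecting `user_passsalt` and `user_passfunc` there would avoid the second round trip. The `rpassword` filter change from `PSW` to `TXT` with a length of 16 should be checked against `sed_import()` semantics for whether a longer password is truncated or rejected.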
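--- a/system/core/users/users.edit.inc.php
+++ b/system/core/users/users.edit.inc.php
@@ -110,7 +110,7 @@
 $ruserextrafields[] = $import;
 $urr['user_'.$row[ 'field_name']] = $import;
 }
-
+
 if ($ruserdelete)
 {
 if ($sys['user_istopadmin'] && !$sys['edited_istopadmin'])
@@ -138,7 +138,18 @@
 if (empty($error_string))
 {
- $ruserpassword = (mb_strlen($rusernewpass)>0) ? md5($rusernewpass) : $urr['user_password'];
+ if (mb_strlen($rusernewpass) > 0)
+ {
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rusernewpass, $ruser['user_passsalt'], $ruser['user_passfunc']);
+ }
+ else
+ {
+ $ruser['user_password'] = $urr['user_password'];
+ $ruser['user_passsalt'] = $urr['user_passsalt'];
+ $ruser['user_passfunc'] = $urr['user_passfunc'];
+ }
 if ($rusername=='')
 { $rusername = $urr['user_name']; }
@@ -192,7 +203,9 @@
 $ssql = "UPDATE $db_users SET
 user_banexpire='$rbanexpire',
 user_name='".sed_sql_prep($rusername)."',
- user_password='".sed_sql_prep($ruserpassword)."',
+ user_password='".sed_sql_prep($ruser['user_password'])."',
+ user_passsalt='".sed_sql_prep($ruser['user_passsalt'])."',
+ user_passfunc='".sed_sql_prep($ruser['user_passfunc'])."',
 user_country='".sed_sql_prep($rusercountry)."',
 user_text='".sed_sql_prep($rusertext)."',
 user_avatar='".sed_sql_prep($ruseravatar)."',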
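Review bot: `$ruser` is written to as an array (`$ruser['user_passsalt'] = ...`) without being initialised, unlike the `$ruserpass = array();` in plugins/passrecover/passrecover.php; unless it is created above the hunk, add `$ruser = array();` before the `if`, and the same applies to users.register.inc.php. When a new password is set it would also be prudent to terminate existing sessions by adding `user_sid=''` to the UPDATE in that branch, matching what the new logout-all path in users.logout.inc.php does; the UPDATE statement continues outside the hunk. The `else` branch only copies three columns from `$urr`, so the two branches could collapse into a single assignment from `$urr` that is overridden when `$rusernewpass` is non-empty.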
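--- a/system/core/users/users.logout.inc.php
+++ b/system/core/users/users.logout.inc.php
@@ -41,11 +41,11 @@
 sed_sql_query("UPDATE $db_users SET user_lastvisit = {$sys['now_offset']} WHERE user_id = " . $usr['id']);
 sed_sql_query("DELETE FROM $db_online WHERE online_ip='{$usr['ip']}'");
- $all = cot_import('all', 'G', 'BOL');
+ $all = sed_import('all', 'G', 'BOL');
 if ($all)
 {
 // Log out on all devices
- $db->update($db_users, array('user_sid' => ''), "user_id = " . $usr['id']);
+ sed_sql_query("UPDATE $db_users SET user_sid = '' WHERE user_id = " . $usr['id']);
 }
 sed_uriredir_redirect(empty($redirect) ? sed_url('index') : base64_decode($redirect));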
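--- a/system/core/users/users.register.inc.php
+++ b/system/core/users/users.register.inc.php
@@ -112,7 +112,10 @@
 else
 { $defgroup = ($cfg['regnoactivation']) ? 4 : 2; }
- $mdpass = md5($rpassword1);
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rpassword1, $ruser['user_passsalt'], $ruser['user_passfunc']);
+
 if ($rmonth=='x' || $rday=='x' || $ryear=='x' || empty($rmonth) || empty($rday) || empty($ryear))
 {
 $ruserbirthdate = '0000-00-00';
@@ -144,6 +147,8 @@
 $ssql = "INSERT into $db_users
 (user_name,
 user_password,
+ user_passsalt,
+ user_passfunc,
 user_maingrp,
 user_country,
 user_location,
@@ -169,7 +174,9 @@
 user_lastip)
 VALUES
 ('".sed_sql_prep($rusername)."',
- '$mdpass',
+ '".sed_sql_prep($ruser['user_password'])."',
+ '".sed_sql_prep($ruser['user_passsalt'])."',
+ '".sed_sql_prep($ruser['user_passfunc'])."',
 ".(int)$defgroup.",
 '".sed_sql_prep($rcountry)."',
 '".sed_sql_prep($rlocation)."',
@@ -250,7 +257,7 @@
 if ($row = sed_sql_fetcharray($sql))
 {
-
+
 if ($row['user_maingrp'] == 2)
 {
@@ -307,10 +314,10 @@
 $timezonelist = array ('-12', '-11', '-10', '-09', '-08', '-07', '-06', '-05', '-04', '-03', '-03.5', '-02', '-01', '+00', '+01', '+02', '+03', '+03.5', '+04', '+04.5', '+05', '+05.5', '+06', '+07', '+08', '+09', '+09.5', '+10', '+11', '+12');
 $form_timezone = "<select name=\"rtimezone\" size=\"1\">";
-foreach($timezonelist as $x)
-{
- $f = (float) $x;
- $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
+foreach($timezonelist as $x)
+{
+ $f = (float) $x;
+ $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
 $form_timezone .= "<option value=\"$f\" $selected>GMT ".$x."</option>";
 }
 $form_timezone .= "</select> ".$usr['gmttime']." / ".date($cfg['dateformat'], $sys['now_offset'] + $usr['timezone']*3600)." ".$usr['timetext'];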
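Review bot: The salt stored in `user_passsalt` comes from `sed_unique(16)` and the column is declared `VARCHAR(16)` in sql/cotonti-install.sql; if `sed_unique()` ever returns more than 16 bytes (for instance multi-byte characters) MySQL truncates the stored salt in non-strict mode and every such account fails to authenticate, because the hash was computed with the untruncated value. Either document the invariant at both places, e.g. `// Salt must fit VARCHAR(16) of user_passsalt`, or widen the column with headroom. The whitespace-only rewrites of the timezone loop and the blank line in the activation branch would be easier to review in a separate commit.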
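--- a/system/functions.admin.php
+++ b/system/functions.admin.php
@@ -261,6 +261,7 @@ function sed_loadconfigmap()
 $result[] = array ('main', '29', 'redirbkonlogout', 3, '0', ''); // N-0.6.1
 $result[] = array ('main', '30', 'jquery', 3, '1', '');
 $result[] = array ('main', '31', 'turnajax', 3, '1', '');
+ $result[] = array ('main', '42', 'hashfunc', 1, 'sha256', '');
 $result[] = array ('parser', '10', 'parser_cache', 3, '1', '');
 $result[] = array ('parser', '10', 'parser_custom', 3, '0', '');
 $result[] = array ('parser', '10', 'parser_disable', 3, '0', '');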
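--- a/system/functions.php
+++ b/system/functions.php
@@ -3,7 +3,7 @@
 * Main function library.
 *
 * @package Cotonti
- * @version 0.6.23
+ * @version 0.6.24
 * @author Neocrome, Cotonti Team
 * @copyright Copyright (c) 2008-2011 Cotonti Team
 * @license BSD License
@@ -37,8 +37,8 @@
 //unset ($warnings, $moremetas, $morejavascript, $error_string, $sed_cat, $sed_smilies, $sed_acc, $sed_catacc, $sed_rights, $sed_config, $sql_config, $sed_usersonline, $sed_plugins, $sed_groups, $rsedition, $rseditiop, $rseditios, $tcount, $qcount)
 $cfg['svnrevision'] = '$Rev$'; //DO NOT MODIFY this is set by SVN automatically
-$cfg['version'] = '0.6.23';
-$cfg['dbversion'] = '0.6.23';
+$cfg['version'] = '0.6.24';
+$cfg['dbversion'] = '0.6.24';
 if($cfg['customfuncs'])
 {
@@ -56,6 +56,11 @@
 }
 /**
+ * Registry for hash functions
+ */
+$sed_hash_funcs = array('md5', 'sha1', 'sha256');
+
+/**
 * Strips everything but alphanumeric, hyphens and underscores
 *
 * @param string $text Input
@@ -1169,7 +1174,7 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
 isset($L[$rowname.'_'.$row['field_name'].'_title']) ? $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $L[$rowname.'_'.$row['field_name'].'_title']) : $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $row['field_description']);
 $t1 = $tpl_tag.'_'.strtoupper($row['field_name']);
 $t2 = $row['field_html'];
- switch($row['field_type'])
+ switch($row['field_type'])
 {
 case "input":
 $t2 = str_replace('<input ','<input name="'.$importrowname.$row['field_name'].'" ', $t2);
@@ -1206,10 +1211,10 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
 {
 $var_text = (!empty($L[$rowname.'_'.$row['field_name'].'_'.$var])) ? $L[$rowname.'_'.$row['field_name'].'_'.$var] : $var;
 $sel = ($var == $data[$rowname.'_'.$row['field_name']]) ? ' checked="checked"' : '';
- $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
+ $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
 }
 $t2 = $buttons;
- break;
+ break;
 }
 $return_arr[$t1] = $t2;
 }
@@ -2073,6 +2078,75 @@ function sed_check_xp()
 }
 /**
+ * Hashes a value with given salt and specified hash algo.
+ *
+ * @global array $sed_hash_func
+ * @param string $data Data to be hash-protected
+ * @param string $salt Hashing salt, usually a random value
+ * @param string $algo Hashing algo name, must be registered in $sed_hash_funcs
+ * @return string Hashed value
+ */
+function sed_hash($data, $salt = '', $algo = 'sha256')
+{
+ global $cfg, $sed_hash_funcs;
+ if (isset($cfg['hashsalt']) && !empty($cfg['hashsalt']))
+ {
+ // Extra salt for extremely secure sites
+ $salt .= $cfg['hashsalt'];
+ }
+ $func = (in_array($algo, $sed_hash_funcs) && function_exists('sed_hash_' . $algo)) ? 'sed_hash_' . $algo : 'sed_hash_sha256';
+ return $func($data, $salt);
+}
+
+/**
+ * Returns the list of available hash algos for use with configs.
+ *
+ * @global array $sed_hash_func
+ * @return array
+ */
+function sed_hash_funcs()
+{
+ global $sed_hash_funcs;
+ return $sed_hash_funcs;
+}
+
+/**
+ * Simple MD5 hash wrapper. Old passwords use this func.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string MD5 hash of the data
+ */
+function sed_hash_md5($data, $salt)
+{
+ return md5($data . $salt);
+}
+
+/**
+ * SHA1 hash func for use with sed_hash().
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA1 hash of the data
+ */
+function sed_hash_sha1($data, $salt)
+{
+ return hash('sha1', $data . $salt);
+}
+
+/**
+ * SHA256 hash func for use with sed_hash(). Default since Cotonti 0.9.11.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA256 hash of the data
+ */
+function sed_hash_sha256($data, $salt)
+{
+ return hash('sha256', $data . $salt);
+}
+
+/**
 * Truncates a post and makes sure parsing is correct
 *
 * @param string $text Post text
@@ -4644,7 +4718,7 @@ function sed_load_urltrans()
 * Splits a query string into keys and values array. In comparison with built-in
 * parse_str() function, this doesn't apply addslashes and urldecode to parameters
 * and does not support arrays and complex parameters.
- *
+ *
 * @param string $str Query string
 * @return array
 */
@@ -5127,7 +5201,7 @@ function sed_extrafield_update($sql_table, $oldname, $name, $type, $html, $varia
 if ($description != $field['field_description'])
 $extf['description'] = $description;
 $step1 = sed_sql_update($db_extra_fields, "field_name = '$oldname' AND field_location='$sql_table'", $extf, 'field_') == 1;
-
+
 if (!$alter) return $step1;
 switch ($type)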
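Review bot: `sed_hash()` appends `$cfg['hashsalt']` for every algorithm, including the `md5` entries that sql/patch-0.6.23-0.6.24.sql assigns to existing accounts with an empty `user_passsalt`; those legacy hashes equal `md5($password)` only while `hashsalt` is empty, so enabling or later changing that option invalidates every stored password, which needs a warning in the docblock and next to the option, e.g. `// Changing hashsalt invalidates all existing password hashes`. The fallback `: 'sed_hash_sha256'` is silent while callers store the requested `$algo` name in `user_passfunc`; reporting the mismatch with `trigger_error("sed_hash(): unknown algo '$algo'", E_USER_WARNING)` and using `in_array($algo, $sed_hash_funcs, true)` would make it visible. The `@global array $sed_hash_func` tags on `sed_hash()` and `sed_hash_funcs()` name a variable that does not exist (the registry is `$sed_hash_funcs`), and the `sed_hash_sha256()` docblock refers to Cotonti 0.9.11 while this file is versioned 0.6.24. Longer term a single salted digest is cheap to brute-force offline; `crypt()` with the Blowfish scheme is available on PHP 5.3+ and would slot into the registry as another algo.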
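--- a/system/lang/en/admin.lang.php
+++ b/system/lang/en/admin.lang.php
@@ -82,6 +82,7 @@
 $L['cfg_devmode'] = array('Debugging mode', 'Don\'t let this enabled on live sites');
 $L['cfg_disablehitstats'] = array('Disable hit statistics', 'Referers and hits per day');
 $L['cfg_gzip'] = array('Gzip', 'Gzip compression of the HTML output');
+$L['cfg_hashfunc'] = array('Default hash function', 'Used to hash passwords');
 $L['cfg_hostip'] = array('Server IP', 'The IP of the server, optional.');
 $L['cfg_jquery'] = array('Enable jQuery', ''); // New in N-0.0.1
 $L['cfg_maintenance'] = array('Maintenance mode', 'Let only authorized personel access to site'); // New in N-0.0.2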
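--- a/system/lang/ru/admin.lang.php
+++ b/system/lang/ru/admin.lang.php
@@ -82,6 +82,7 @@
 $L['cfg_devmode'] = array('Режим отладки', 'Только для отладки под localhost');
 $L['cfg_disablehitstats'] = array('Отключить статистику', 'Рефереры и хиты за день');
 $L['cfg_gzip'] = array('Gzip', 'Gzip-сжатие для исходящего HTML-кода');
+$L['cfg_hashfunc'] = array('Функция хеширования по умолчанию', 'Используется для хеширования паролей');
 $L['cfg_hostip'] = array('IP-адрес сервера', 'Необязательно');
 $L['cfg_jquery'] = array('Включить jQuery', ' '); // New in N-0.0.1
 $L['cfg_maintenance'] = array('Режим обслуживания', 'Доступа к сайту разрешен только администраторам'); // New in N-0.0.2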
