  • 5 commits
  • 19 files changed
  • 0 commit comments
  • 2 contributors
2  datas/cache/templates/index.html
@@ -0,0 +1,2 @@
+<h1>Forbidden</h1>
+<!-- No directory listing available -->
2  datas/config-sample.php
@@ -27,6 +27,8 @@
// ========================
$cfg['mainurl'] = 'http://localhost';
+$cfg['site_id'] = 'Some unique string specific to your site';
+$cfg['secret_key'] = 'Secret key used for authentication, make it unique and keep in secret!';
// ========================
// Default skin and default language
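Review bot: The placeholder text assigned to `$cfg['secret_key']` is itself a working key: common.php and users.auth.inc.php in this commit use it as the HMAC key for the session cookie, so a site that copies config-sample.php without editing that line signs every session with a string anyone can read from this repository. Consider having the installer write a random value once (e.g. `$cfg['secret_key'] = sed_unique(32);`, if sed_unique draws on a proper random source — verify) and having common.php refuse to run while the value still equals the sample text. A comment above the line stating that the value must be random, at least 32 characters, and that changing it invalidates all existing sessions would help operators.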
7 plugins/passrecover/passrecover.php
@@ -116,7 +116,12 @@ function sed_randompass()
$validationkey = md5(microtime());
$newpass = sed_randompass();
- $sql = sed_sql_query("UPDATE $db_users SET user_password='".md5($newpass)."', user_lostpass='$validationkey' WHERE user_id='$ruserid'");
+ $ruserpass = array();
+ $ruserpass['user_passsalt'] = sed_unique(16);
+ $ruserpass['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruserpass['user_password'] = sed_hash($newpass, $ruserpass['user_passsalt'], $ruserpass['user_passfunc']);
+ $ruserpass['user_lostpass'] = $validationkey;
+ sed_sql_update($db_users, "user_id=$ruserid", $ruserpass);
$rsubject = $cfg['maintitle']." - ".$L['plu_title'];
$rbody = $L['Hi']." ".$rusername.",\n\n".$L['plu_email2']."\n\n".$newpass. "\n\n".$L['aut_contactadmin'];
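Review bot: The value written to `user_lostpass` by the new `sed_sql_update` call is still `md5(microtime())` from the unchanged line above it, which an attacker who can time the request can narrow to a few thousand candidates, while the new salt on the same row already uses `sed_unique(16)`; use the same source for the reset token, e.g. `$validationkey = sed_unique(32);` (assuming sed_unique is backed by a real random source — verify), so the token is not the weakest part of the new scheme. The condition string `"user_id=$ruserid"` interpolates the id unescaped; `"user_id=".(int)$ruserid` costs nothing and does not depend on validation done elsewhere. The enclosing block starts and ends outside the hunk.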
1  plugins/tags/lang/tags.en.lang.php
@@ -41,6 +41,7 @@
$L['cfg_order'] = array('Cloud output order &mdash; alphabetical, descending frequency or random');
$L['cfg_pages'] = array('Enable tags in pages');
$L['cfg_perpage'] = array('Tags displayed per page in standalone cloud, 0 is all at once');
+$L['cfg_sort'] = array('Default sorting column for tag search results');
$L['cfg_title'] = array('Capitalize first letters of keywords');
$L['cfg_translit'] = array('Transliterate tags in URLs');
1  plugins/tags/lang/tags.ru.lang.php
@@ -47,6 +47,7 @@
$L['cfg_order'] = array('Сортировка облака тегов','по алфавиту, по убыванию частотности, случайным образом');
$L['cfg_pages'] = array('Включить теги для страниц');
$L['cfg_perpage'] = array('Тегов на странице в облаке всех тегов, 0 - все теги сразу');
+$L['cfg_sort'] = array('Сортировка по умолчанию в результатах поиска по тегам');
$L['cfg_title'] = array('Первые буквы тегов прописными');
$L['cfg_translit'] = array('Транслитерировать теги в URL-адресах');
4 plugins/tags/tags.php
@@ -39,6 +39,10 @@
// Sorting order
$o = sed_import('order', 'P', 'ALP');
+if (empty($o))
+{
+ $o = mb_strtolower($cfg['plugin']['tags']['sort']);
+}
$tag_order = '';
$tag_orders = array('Title', 'Date', 'Category');
foreach ($tag_orders as $order)
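Review bot: The configured default `sort` can be `ID` (per tags.setup.php and the install SQL in this commit), but the list it is then matched against, `$tag_orders = array('Title', 'Date', 'Category')`, has no such entry, so the default presumably falls through to whatever an empty `$tag_order` means in the loop that continues past the hunk. If that is intentional, a comment such as `// 'ID' (natural order) is absent from $tag_orders on purpose and leaves $tag_order empty` would save the next reader the trip; if not, `'ID'` needs adding to the array and to the loop body. `empty($o)` also treats a POSTed value that the 'ALP' filter stripped to nothing as "not sent", which is harmless here since both cases fall back to the config.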
7 plugins/tags/tags.setup.php
@@ -4,10 +4,10 @@
Code=tags
Name=Tags
Description=Basic Tags implementation
-Version=0.0.6
-Date=2009-jun-28
+Version=0.6.24
+Date=2012-07-30
Author=Trustmaster
-Copyright=All rights reserved (c) 2008-2009, Vladimir Sibirov.
+Copyright=All rights reserved (c) 2008-2012, Vladimir Sibirov.
Notes=BSD License.
SQL=
Auth_guests=R
@@ -29,6 +29,7 @@
more=10:radio::1:Show 'All tags' link in tag clouds
perpage=11:string::0:Tags displayed per page in standalone cloud, 0 is all at once
index=12:select:pages,forums,all:pages:Index page tag cloud area
+sort=31:select:ID,Title,Date,Category:ID:Default sorting column for tag search results
[END_SED_EXTPLUGIN_CONFIG]
==================== */
6 sql/cotonti-install.sql
@@ -320,6 +320,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
('core', 'main', '20', 'shieldzhammer', 2, '25', '', ''),
('core', 'main', '30', 'jquery', 3, '1', '', ''),
('core', 'main', '31', 'turnajax', 3, '1', '1', ''),
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
('core', 'parser', '10', 'parser_custom', 3, '0', '', ''),
('core', 'parser', '10', 'parser_cache', 3, '1', '', ''),
('core', 'parser', '10', 'parser_disable', 3, '0', '', ''),
@@ -493,6 +494,7 @@ INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_
('plug', 'tags', '9', 'lim_index', 1, '0', '', ' Limit of tags in a cloud displayed on index, 0 is unlimited'),
('plug', 'tags', '10', 'more', 3, '1', '', 'Show All Tags link in tag clouds'),
('plug', 'tags', '12', 'index', 2, 'pages', 'pages,forums,all', 'Index page tag cloud area'),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results'),
('core', 'comments', '03', 'expand_comments', 3, '1', '', ''),
('core', 'ratings', '02', 'ratings_allowchange', 3, '0', '', ''),
('core', 'comments', '04', 'maxcommentsperpage', 2, '15', '', ''),
@@ -977,7 +979,9 @@ CREATE TABLE `sed_users` (
`user_id` int(11) unsigned NOT NULL auto_increment,
`user_banexpire` int(11) default '0',
`user_name` varchar(100) collate utf8_unicode_ci NOT NULL,
- `user_password` varchar(32) collate utf8_unicode_ci NOT NULL default '',
+ `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '',
+ `user_passfunc` VARCHAR(32) NOT NULL default 'sha256',
+ `user_passsalt` VARCHAR(16) NOT NULL default '',
`user_maingrp` int(11) NOT NULL default '4',
`user_country` char(2) collate utf8_unicode_ci NOT NULL default '',
`user_text` text collate utf8_unicode_ci NOT NULL,
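Review bot: The new `hashfunc` row is inserted with config_type 1, which elsewhere in this table appears to be a free-text string (cf. `lim_index`), whereas the tags `sort` row added in the same commit uses type 2 with an explicit option list; an admin typo such as `sha-256` is silently hashed as sha256 by sed_hash's fallback but is still stored verbatim in `user_passfunc` for every new account. Prefer `('core', 'main', '42', 'hashfunc', 2, 'sha256', 'md5,sha1,sha256', '')` (matching what sed_hash_funcs() returns) so the stored algorithm name is always one the registry knows. The `user_passsalt` default of `''` also means any INSERT path that does not set it (third-party plugins, older code) creates an unsalted row; a comment on the column, or a check in sed_hash, is worth adding.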
9 sql/patch-0.6.23-0.6.24.sql
@@ -0,0 +1,9 @@
+ALTER TABLE `sed_users` MODIFY `user_password` varchar(224) collate utf8_unicode_ci NOT NULL default '';
+ALTER TABLE `sed_users` ADD `user_passfunc` VARCHAR(32) NOT NULL default 'sha256';
+ALTER TABLE `sed_users` ADD `user_passsalt` VARCHAR(16) NOT NULL default '';
+
+UPDATE `sed_users` SET `user_passfunc` = 'md5';
+
+INSERT INTO `sed_config` (`config_owner`, `config_cat`, `config_order`, `config_name`, `config_type`, `config_value`, `config_default`, `config_text`) VALUES
+('core', 'main', '42', 'hashfunc', 1, 'sha256', '',''),
+('plug', 'tags', '31', 'sort', 2, 'ID', 'ID,Title,Date,Category', 'Default sorting column for tag search results');
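Review bot: `UPDATE sed_users SET user_passfunc = 'md5'` is unconditional, so if the patch is applied or re-applied after any account has been created or had its password changed by the new code, those sha256 rows are relabelled md5 and their owners are locked out. Guard it on the state the migration is fixing: `UPDATE sed_users SET user_passfunc = 'md5' WHERE user_passsalt = '';` (rows written by the new code always carry a 16-character salt from `sed_unique(16)` in the register, edit and passrecover hunks). Note that the migrated rows remain unsalted md5 until something rehashes them, and nothing in this commit does.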
10 system/common.php
@@ -51,7 +51,7 @@ function sed_disable_mqgpc(&$value, $key)
}
// Mbstring options
-mb_internal_encoding($cfg['charset']);
+mb_internal_encoding('UTF-8');
/* ======== Extra settings (the other presets are in functions.php) ======== */
@@ -226,14 +226,14 @@ function sed_disable_mqgpc(&$value, $key)
{
$u = empty($_SESSION[$site_id]) ? explode(':', base64_decode($_COOKIE[$site_id])) : explode(':', base64_decode($_SESSION[$site_id]));
$u_id = (int) sed_import($u[0], 'D', 'INT');
- $u_sid = sed_sql_prep($u[1]);
+ $u_sid = $u[1];
if ($u_id > 0)
{
- $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id AND user_sid = '$u_sid'");
-
+ $sql = sed_sql_query("SELECT * FROM $db_users WHERE user_id = $u_id");
if ($row = sed_sql_fetcharray($sql))
{
- if ($row['user_maingrp'] > 3
+ if ($u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])
+ && $row['user_maingrp'] > 3
&& ($cfg['ipcheck'] == FALSE || $row['user_lastip'] == $usr['ip'])
&& $row['user_sidtime'] + $cfg['cookielifetime'] > $sys['now_offset'])
{
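Review bot: The cookie check on the new line `$u_sid == hash_hmac('sha1', $row['user_sid'], $cfg['secret_key'])` uses PHP's loose comparison, so a cookie value such as `0` compares equal to any digest of the form `0e` followed only by digits (both operands are treated as numbers), and string `==` is not constant-time either; use `hash_equals($expected, (string) $u[1])` where available, otherwise `===`. `$u[1]` is read without `isset`, so a cookie without a colon raises a notice and yields an empty `$u_sid`; and since users.logout.inc.php now writes `user_sid = ''` for "log out everywhere", adding `$row['user_sid'] !== ''` to the condition is a cheap way to make sure a signed-empty value can never authenticate. If `$cfg['secret_key']` is missing on an upgraded site (it is new in config-sample.php) the HMAC silently runs with an empty key; fail closed there rather than with a notice.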
2  system/core/admin/admin.hits.inc.php
@@ -37,7 +37,7 @@
if($f == 'year' || $f == 'month')
{
$adminpath[] = array(sed_url('admin', 'm=hits&f='.$f.'&v='.$v), "(".$v.")");
- $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '$v%' ORDER BY stat_name DESC");
+ $sql = sed_sql_query("SELECT * FROM $db_stats WHERE stat_name LIKE '".sed_sql_prep($v)."%' ORDER BY stat_name DESC");
while($row = sed_sql_fetcharray($sql))
{
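Review bot: `sed_sql_prep($v)` closes the quoting hole but not the LIKE one: `%` and `_` inside `$v` remain wildcards, so a value of `%` lists the whole stats table. If `$v` can come from the request (its import is above the hunk), escape those too, e.g. `sed_sql_prep(addcslashes($v, '%_'))`, or validate `$v` against the `YYYY` / `YYYY-MM` shape the `year`/`month` branches imply before building the query. The enclosing `if` block runs past the hunk.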
14 system/core/users/users.auth.inc.php
@@ -34,7 +34,7 @@
/* ===== */
$rusername = sed_import('rusername','P','TXT', 100, TRUE);
- $rpassword = sed_import('rpassword','P','PSW', 16, TRUE);
+ $rpassword = sed_import('rpassword','P','TXT', 16, TRUE);
$rcookiettl = sed_import('rcookiettl', 'P', 'INT');
$rremember = sed_import('rremember', 'P', 'BOL');
if(empty($rremember) && $rcookiettl > 0 || $cfg['forcerememberme'])
@@ -46,6 +46,15 @@
$login_param = preg_match('#^[\w\p{L}][\.\w\p{L}\-]*@[\w\p{L}\.\-]+\.[\w\p{L}]+$#u', $rusername) ?
'user_email' : 'user_name';
+ // Load salt and algo from db
+ $sql = sed_sql_query("SELECT user_passsalt, user_passfunc FROM $db_users WHERE $login_param='".sed_sql_prep($rusername)."'");
+ if (sed_sql_numrows($sql) == 1)
+ {
+ $hash_params = sed_sql_fetchassoc($sql);
+ $rmdpass = sed_hash($rpassword, $hash_params['user_passsalt'], $hash_params['user_passfunc']);
+ unset($hash_params);
+ }
+
/**
* Sets user selection criteria for authentication. Override this string in your plugin
* hooking into users.auth.check.query to provide other authentication methods.
@@ -108,6 +117,9 @@
sed_sql_query("UPDATE $db_users SET user_lastip='{$usr['ip']}', user_lastlog = {$sys['now_offset']}, user_logcount = user_logcount + 1, user_token = '$token' $update_sid WHERE user_id={$row['user_id']}");
+ // Hash the sid once more so it can't be faked even if you know user_sid
+ $sid = hash_hmac('sha1', $sid, $cfg['secret_key']);
+
$u = base64_encode($ruserid.':'.$sid);
if($rremember)
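Review bot: Accounts migrated by patch-0.6.23-0.6.24.sql stay on unsalted md5 indefinitely: the new lookup loads `user_passsalt`/`user_passfunc` and verifies with the stored algorithm, but after a successful login — the only moment the plaintext is available — nothing rehashes the row, so the upgrade only protects users who later change their password. Rehash opportunistically right after the `UPDATE … user_logcount = user_logcount + 1 …` statement in the second hunk, as sketched below (this assumes `$row` comes from a `SELECT *` and so carries the two new columns; the fetch is outside the hunk). In the first hunk `$rmdpass` is only assigned when the lookup returns exactly one row; initialise it to an impossible value (`$rmdpass = false;`) before the `if` so the authentication query that follows (outside the hunk) cannot run with an empty hash. The change of the `rpassword` filter from `PSW` to `TXT` is unexplained; a one-line comment saying why (presumably so characters the PSW filter stripped still reach sed_hash) belongs on that line.
```php
sed_sql_query("UPDATE $db_users SET user_lastip='{$usr['ip']}', user_lastlog = {$sys['now_offset']}, user_logcount = user_logcount + 1, user_token = '$token' $update_sid WHERE user_id={$row['user_id']}");

// Legacy rows are unsalted md5 after the 0.6.24 patch; upgrade them now that
// the plaintext password has just been verified against the stored hash.
$target_func = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
if ($row['user_passfunc'] != $target_func || $row['user_passsalt'] == '')
{
	$new_salt = sed_unique(16);
	$new_hash = sed_hash($rpassword, $new_salt, $target_func);
	sed_sql_query("UPDATE $db_users SET user_password='".sed_sql_prep($new_hash)."', user_passsalt='".sed_sql_prep($new_salt)."', user_passfunc='".sed_sql_prep($target_func)."' WHERE user_id=".(int)$row['user_id']);
}

// … unchanged: HMAC of $sid, cookie and session setup …
```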
19 system/core/users/users.edit.inc.php
@@ -110,7 +110,7 @@
$ruserextrafields[] = $import;
$urr['user_'.$row[ 'field_name']] = $import;
}
-
+
if ($ruserdelete)
{
if ($sys['user_istopadmin'] && !$sys['edited_istopadmin'])
@@ -138,7 +138,18 @@
if (empty($error_string))
{
- $ruserpassword = (mb_strlen($rusernewpass)>0) ? md5($rusernewpass) : $urr['user_password'];
+ if (mb_strlen($rusernewpass) > 0)
+ {
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rusernewpass, $ruser['user_passsalt'], $ruser['user_passfunc']);
+ }
+ else
+ {
+ $ruser['user_password'] = $urr['user_password'];
+ $ruser['user_passsalt'] = $urr['user_passsalt'];
+ $ruser['user_passfunc'] = $urr['user_passfunc'];
+ }
if ($rusername=='')
{ $rusername = $urr['user_name']; }
@@ -192,7 +203,9 @@
$ssql = "UPDATE $db_users SET
user_banexpire='$rbanexpire',
user_name='".sed_sql_prep($rusername)."',
- user_password='".sed_sql_prep($ruserpassword)."',
+ user_password='".sed_sql_prep($ruser['user_password'])."',
+ user_passsalt='".sed_sql_prep($ruser['user_passsalt'])."',
+ user_passfunc='".sed_sql_prep($ruser['user_passfunc'])."',
user_country='".sed_sql_prep($rusercountry)."',
user_text='".sed_sql_prep($rusertext)."',
user_avatar='".sed_sql_prep($ruseravatar)."',
4 system/core/users/users.logout.inc.php
@@ -41,11 +41,11 @@
sed_sql_query("UPDATE $db_users SET user_lastvisit = {$sys['now_offset']} WHERE user_id = " . $usr['id']);
sed_sql_query("DELETE FROM $db_online WHERE online_ip='{$usr['ip']}'");
- $all = cot_import('all', 'G', 'BOL');
+ $all = sed_import('all', 'G', 'BOL');
if ($all)
{
// Log out on all devices
- $db->update($db_users, array('user_sid' => ''), "user_id = " . $usr['id']);
+ sed_sql_query("UPDATE $db_users SET user_sid = '' WHERE user_id = " . $usr['id']);
}
sed_uriredir_redirect(empty($redirect) ? sed_url('index') : base64_decode($redirect));
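Review bot: `$all = sed_import('all', 'G', 'BOL')` makes "log out on all devices" a GET side effect, so any page that gets the victim's browser to fetch the logout URL with `all=1` (an image tag suffices) invalidates every session of that user. If the logout handler does not already verify the request token above the hunk, require it for this branch, e.g. `if ($all && sed_check_xp())` — sed_check_xp() is defined in functions.php in this commit; verify that it is the anti-XSRF check in this version. The `base64_decode($redirect)` on the last line is pre-existing but is an open redirect unless `$redirect` is validated against the site URL before the hunk; worth a follow-up.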
21 system/core/users/users.register.inc.php
@@ -112,7 +112,10 @@
else
{ $defgroup = ($cfg['regnoactivation']) ? 4 : 2; }
- $mdpass = md5($rpassword1);
+ $ruser['user_passsalt'] = sed_unique(16);
+ $ruser['user_passfunc'] = empty($cfg['hashfunc']) ? 'sha256' : $cfg['hashfunc'];
+ $ruser['user_password'] = sed_hash($rpassword1, $ruser['user_passsalt'], $ruser['user_passfunc']);
+
if ($rmonth=='x' || $rday=='x' || $ryear=='x' || empty($rmonth) || empty($rday) || empty($ryear))
{
$ruserbirthdate = '0000-00-00';
@@ -144,6 +147,8 @@
$ssql = "INSERT into $db_users
(user_name,
user_password,
+ user_passsalt,
+ user_passfunc,
user_maingrp,
user_country,
user_location,
@@ -169,7 +174,9 @@
user_lastip)
VALUES
('".sed_sql_prep($rusername)."',
- '$mdpass',
+ '".sed_sql_prep($ruser['user_password'])."',
+ '".sed_sql_prep($ruser['user_passsalt'])."',
+ '".sed_sql_prep($ruser['user_passfunc'])."',
".(int)$defgroup.",
'".sed_sql_prep($rcountry)."',
'".sed_sql_prep($rlocation)."',
@@ -250,7 +257,7 @@
if ($row = sed_sql_fetcharray($sql))
{
-
+
if ($row['user_maingrp'] == 2)
{
@@ -307,10 +314,10 @@
$timezonelist = array ('-12', '-11', '-10', '-09', '-08', '-07', '-06', '-05', '-04', '-03', '-03.5', '-02', '-01', '+00', '+01', '+02', '+03', '+03.5', '+04', '+04.5', '+05', '+05.5', '+06', '+07', '+08', '+09', '+09.5', '+10', '+11', '+12');
$form_timezone = "<select name=\"rtimezone\" size=\"1\">";
-foreach($timezonelist as $x)
-{
- $f = (float) $x;
- $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
+foreach($timezonelist as $x)
+{
+ $f = (float) $x;
+ $selected = ($f==$rtimezone) ? "selected=\"selected\"" : '';
$form_timezone .= "<option value=\"$f\" $selected>GMT ".$x."</option>";
}
$form_timezone .= "</select> ".$usr['gmttime']." / ".date($cfg['dateformat'], $sys['now_offset'] + $usr['timezone']*3600)." ".$usr['timetext'];
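Review bot: The three lines building `$ruser['user_passsalt']`, `$ruser['user_passfunc']` and `$ruser['user_password']` are repeated verbatim in users.edit.inc.php and plugins/passrecover in this same commit, and each copy stores `$cfg['hashfunc']` without checking it against the `$sed_hash_funcs` registry, so an unknown admin value is hashed as sha256 by sed_hash's fallback but recorded under the wrong name. Put this in one helper in functions.php — e.g. `function sed_hash_password($pass, $algo = '')` returning the three fields and normalising `$algo` with `in_array($algo, sed_hash_funcs()) ? $algo : 'sha256'` — and call it from all three places. The password length rule for `$rpassword1` is above the hunk; users.auth.inc.php imports the login password with a limit of 16 (`sed_import('rpassword', 'P', 'TXT', 16, TRUE)`), so depending on what that maxlen argument does, registration must enforce the same limit or longer passwords will never log in — verify.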
1  system/functions.admin.php
@@ -261,6 +261,7 @@ function sed_loadconfigmap()
$result[] = array ('main', '29', 'redirbkonlogout', 3, '0', ''); // N-0.6.1
$result[] = array ('main', '30', 'jquery', 3, '1', '');
$result[] = array ('main', '31', 'turnajax', 3, '1', '');
+ $result[] = array ('main', '42', 'hashfunc', 1, 'sha256', '');
$result[] = array ('parser', '10', 'parser_cache', 3, '1', '');
$result[] = array ('parser', '10', 'parser_custom', 3, '0', '');
$result[] = array ('parser', '10', 'parser_disable', 3, '0', '');
90 system/functions.php
@@ -3,7 +3,7 @@
* Main function library.
*
* @package Cotonti
- * @version 0.6.23
+ * @version 0.6.24
* @author Neocrome, Cotonti Team
* @copyright Copyright (c) 2008-2011 Cotonti Team
* @license BSD License
@@ -37,8 +37,8 @@
//unset ($warnings, $moremetas, $morejavascript, $error_string, $sed_cat, $sed_smilies, $sed_acc, $sed_catacc, $sed_rights, $sed_config, $sql_config, $sed_usersonline, $sed_plugins, $sed_groups, $rsedition, $rseditiop, $rseditios, $tcount, $qcount)
$cfg['svnrevision'] = '$Rev$'; //DO NOT MODIFY this is set by SVN automatically
-$cfg['version'] = '0.6.23';
-$cfg['dbversion'] = '0.6.23';
+$cfg['version'] = '0.6.24';
+$cfg['dbversion'] = '0.6.24';
if($cfg['customfuncs'])
{
@@ -56,6 +56,11 @@
}
/**
+ * Registry for hash functions
+ */
+$sed_hash_funcs = array('md5', 'sha1', 'sha256');
+
+/**
* Strips everything but alphanumeric, hyphens and underscores
*
* @param string $text Input
@@ -1169,7 +1174,7 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
isset($L[$rowname.'_'.$row['field_name'].'_title']) ? $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $L[$rowname.'_'.$row['field_name'].'_title']) : $t->assign($tpl_tag.'_'.strtoupper($row['field_name']).'_TITLE', $row['field_description']);
$t1 = $tpl_tag.'_'.strtoupper($row['field_name']);
$t2 = $row['field_html'];
- switch($row['field_type'])
+ switch($row['field_type'])
{
case "input":
$t2 = str_replace('<input ','<input name="'.$importrowname.$row['field_name'].'" ', $t2);
@@ -1206,10 +1211,10 @@ function sed_build_extrafields($rowname, $tpl_tag, $extrafields, $data=array(),
{
$var_text = (!empty($L[$rowname.'_'.$row['field_name'].'_'.$var])) ? $L[$rowname.'_'.$row['field_name'].'_'.$var] : $var;
$sel = ($var == $data[$rowname.'_'.$row['field_name']]) ? ' checked="checked"' : '';
- $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
+ $buttons .= str_replace('/>', 'value="'.$var.'"'.$sel.' />'.$var_text.'&nbsp;&nbsp;', $t2);
}
$t2 = $buttons;
- break;
+ break;
}
$return_arr[$t1] = $t2;
}
@@ -2073,6 +2078,75 @@ function sed_check_xp()
}
/**
+ * Hashes a value with given salt and specified hash algo.
+ *
+ * @global array $sed_hash_func
+ * @param string $data Data to be hash-protected
+ * @param string $salt Hashing salt, usually a random value
+ * @param string $algo Hashing algo name, must be registered in $sed_hash_funcs
+ * @return string Hashed value
+ */
+function sed_hash($data, $salt = '', $algo = 'sha256')
+{
+ global $cfg, $sed_hash_funcs;
+ if (isset($cfg['hashsalt']) && !empty($cfg['hashsalt']))
+ {
+ // Extra salt for extremely secure sites
+ $salt .= $cfg['hashsalt'];
+ }
+ $func = (in_array($algo, $sed_hash_funcs) && function_exists('sed_hash_' . $algo)) ? 'sed_hash_' . $algo : 'sed_hash_sha256';
+ return $func($data, $salt);
+}
+
+/**
+ * Returns the list of available hash algos for use with configs.
+ *
+ * @global array $sed_hash_func
+ * @return array
+ */
+function sed_hash_funcs()
+{
+ global $sed_hash_funcs;
+ return $sed_hash_funcs;
+}
+
+/**
+ * Simple MD5 hash wrapper. Old passwords use this func.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string MD5 hash of the data
+ */
+function sed_hash_md5($data, $salt)
+{
+ return md5($data . $salt);
+}
+
+/**
+ * SHA1 hash func for use with sed_hash().
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA1 hash of the data
+ */
+function sed_hash_sha1($data, $salt)
+{
+ return hash('sha1', $data . $salt);
+}
+
+/**
+ * SHA256 hash func for use with sed_hash(). Default since Cotonti 0.9.11.
+ *
+ * @param string $data Data to be hashed
+ * @param string $salt Hashing salt, usually a random value
+ * @return string SHA256 hash of the data
+ */
+function sed_hash_sha256($data, $salt)
+{
+ return hash('sha256', $data . $salt);
+}
+
+/**
* Truncates a post and makes sure parsing is correct
*
* @param string $text Post text
@@ -4644,7 +4718,7 @@ function sed_load_urltrans()
* Splits a query string into keys and values array. In comparison with built-in
* parse_str() function, this doesn't apply addslashes and urldecode to parameters
* and does not support arrays and complex parameters.
- *
+ *
* @param string $str Query string
* @return array
*/
@@ -5127,7 +5201,7 @@ function sed_extrafield_update($sql_table, $oldname, $name, $type, $html, $varia
if ($description != $field['field_description'])
$extf['description'] = $description;
$step1 = sed_sql_update($db_extra_fields, "field_name = '$oldname' AND field_location='$sql_table'", $extf, 'field_') == 1;
-
+
if (!$alter) return $step1;
switch ($type)
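Review bot: `sed_hash()` and its three back-ends compute a single `hash(algo, $data . $salt)`, which is salted but still a fast hash, so the move from unsalted md5 mainly defeats precomputed tables rather than offline guessing; since the file already relies on `hash()`, `crypt()` with a `$2a$` bcrypt salt is available on the same PHP versions and could be registered as a fourth algorithm (`sed_hash_bcrypt`, verified with `crypt($data, $stored) === $stored`) and made the default, with md5/sha1 kept in the registry for verification only and rejected as the configured default. Smaller points in the same hunk: both docblocks name the global as `$sed_hash_func` while the variable is `$sed_hash_funcs`; the sha256 comment says "Default since Cotonti 0.9.11" in a file versioned 0.6.24; and the `$cfg['hashsalt']` pepper needs a one-line warning that changing or losing it invalidates every stored password, because it is appended to the per-user salt before hashing.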
1  system/lang/en/admin.lang.php
@@ -82,6 +82,7 @@
$L['cfg_devmode'] = array('Debugging mode', 'Don\'t let this enabled on live sites');
$L['cfg_disablehitstats'] = array('Disable hit statistics', 'Referers and hits per day');
$L['cfg_gzip'] = array('Gzip', 'Gzip compression of the HTML output');
+$L['cfg_hashfunc'] = array('Default hash function', 'Used to hash passwords');
$L['cfg_hostip'] = array('Server IP', 'The IP of the server, optional.');
$L['cfg_jquery'] = array('Enable jQuery', ''); // New in N-0.0.1
$L['cfg_maintenance'] = array('Maintenance mode', 'Let only authorized personel access to site'); // New in N-0.0.2
1  system/lang/ru/admin.lang.php
@@ -82,6 +82,7 @@
$L['cfg_devmode'] = array('Режим отладки', 'Только для отладки под localhost');
$L['cfg_disablehitstats'] = array('Отключить статистику', 'Рефереры и хиты за день');
$L['cfg_gzip'] = array('Gzip', 'Gzip-сжатие для исходящего HTML-кода');
+$L['cfg_hashfunc'] = array('Функция хеширования по умолчанию', 'Используется для хеширования паролей');
$L['cfg_hostip'] = array('IP-адрес сервера', 'Необязательно');
$L['cfg_jquery'] = array('Включить jQuery', ' '); // New in N-0.0.1
$L['cfg_maintenance'] = array('Режим обслуживания', 'Доступа к сайту разрешен только администраторам'); // New in N-0.0.2
